Is Xojo affected by the OpenSSL bug?

Just reading about the new OpenSSL bug, which seems to be a severe one. Are Xojo Crypto or Socket functions affected?

SSLSocket may be, not sure.

The Crypto module is based on Crypto++, not OpenSSL, so no. However, the SSLSocket does use OpenSSL, so I’m betting that it is affected.

Don’t take my response as official, wait for a current Xojo employee to confirm, but to the best of my recollection I am correct.

Alright, then I’ll wait. I am afraid we will get a huge amount of device, server, router and software updates soon…

Everyone will have lots to upgrade. Too many “items” use the broken OpenSSL.

Maybe that helps to get rid of all the older OpenSSL versions which also have a lot of bugs fixed in newer versions…

We can only hope. We can only hope.

The Xojo framework and sockets are not vulnerable to the Heartbleed SSL/TLS exploit.

But still vulnerable to a man-in-the-middle attack…

Christian, the MBS Encryption plugin isn’t affected, is it?

Well, I updated it yesterday, but I think Xojo is only affected if you use SSLSockets with Serversocket in TLS mode.

Feedback case 2820 (Certificates with sslsocket, httpsecuresocket), issue raised 4 June 2008. Still not fixed. So any clients that use the SSLSocket or HTTPSecureSocket are still vulnerable.

Yes, we currently have three big problems with SSLSocket: it’s slow (32231), doesn’t check certificates (2820) and leaks memory with Serversocket (31706).

Good read about the bug: http://heartbleed.com/

There may well be other issues, but not THIS specific issue.

Nice link to test your site: https://www.ssllabs.com/ssltest/

Make sure you check the box: “Do not show the results on the boards”

“Also consider before you check any of your customer sites.” Could be they don’t want to have any vulnerable information public.