Although Kullo uses the crypto library Botan for all it’s encryption jobs it needs OpenSSL. That is because The Open Kullo Protocol is an HTTP-based API that enforces TLS. Since we don’t want to reinvent the wheel and implement HTTPs on our own, we use a library for that. On the desktop platforms that is Qt Network at the moment. An alternative would be cURL and I am sure there are others. These libraries have in common that they depend on OpenSSL to implement the TLS. If there’s an Botan TLS based HTTP(s)-library for C++ out there, I’d appreciate a hint in the comments.
So OpenSSL is mandatory. But where do we get it from and in which version? That question has to be answered differently for every operating system.
Windows does not ship OpenSSL. Thus we get it from the OpenSSL download page in the latest version that includes all security fixes. Kullo 0.20.15 for Windows will come with OpenSSL 1.0.1m.
Apple still ships OpenSSL version 0.9.8x (including security fixes) from the year 2005. This version is not officially supported by Qt anymore and it does not come with TLS 1.1 and TLS 1.2 support. Thus we’re shipping our own copy on OpenSSL on OS X as well, which we take from the homebrew project. Kullo 0.20.15 for OS X will come with OpenSSL 1.0.1m.
All our supported Linux distributions have OpenSSL version >= 1.0 available out of the box. Thus we don’t need to ship it and you get updates directly from your Linux maintainer.
In some distributions, the OpenSSL version might appear a bit outdated, which confused our users in the past. On Debian based systems, such as Ubuntu and it’s derivatives you might find version 1.0.1f from January 2014. This is because the package maintainer decided to freeze one OpenSSL version and apply security patches in that version. Thus on a current Ubuntu 14.10 you get 1.0.1f-1ubuntu9.4 (see
$ dpkg -s openssl). This basically means: OpenSSL 1.0.1f from early 2014 plus all security fixes since than.
Which OpenSSL version is your Linux providing? Check
$ openssl version!