Open SSL version

okan · December 6, 2019, 3:30pm

We are using iOS SDK for zoom calls in our app.
Recently, one of the security scan indicated that framework is using openssl version 1.0.2r.

Version: [v4.4.56624.1028]

Is there any openssl library is used in framework? If so, would you please supply change logs for each build version’s openssl version number?

Also, what is the TLS version iOS SDK using? Based on Wireshark capture it starts as TLSv1.

Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0303)
Random: 019ed8f201ad2de260906634b62ed921b53e7f552bc1ffe6…
Session ID Length: 0
Cipher Suites Length: 228
Cipher Suites (114 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0x00a7)
Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x006d)
Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
Cipher Suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0x00a6)
Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x006c)
Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)
Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)
Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)
Cipher Suite: TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 (0x0017)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 239
Extension: server_name (len=25)
Type: server_name (0)
Length: 25
Server Name Indication extension
Server Name list length: 23
Server Name Type: host_name (0)
Server Name length: 20
Server Name: zoomsc237mmr.zoom.us
Extension: ec_point_formats (len=4)
Type: ec_point_formats (11)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
Extension: supported_groups (len=28)
Type: supported_groups (10)
Length: 28
Supported Groups List Length: 26
Supported Groups (13 groups)
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: signature_algorithms (len=32)
Type: signature_algorithms (13)
Length: 32
Signature Hash Algorithms Length: 30
Signature Hash Algorithms (15 algorithms)
Extension: heartbeat (len=1)
Type: heartbeat (15)
Length: 1
Mode: Peer allowed to send requests (1)
Extension: padding (len=121)
Type: padding (21)
Length: 121
Padding Data: 000000000000000000000000000000000000000000000000…

carson.zoom · December 6, 2019, 7:54pm

Hi okan,

Thanks for the post and the info. I will pass this to our engineering team and get back to you shortly.

Thanks!

okan · December 12, 2019, 3:13pm

Is there any update? Just checking…

carson.zoom · December 13, 2019, 2:57am

Hi okan,

Thanks for the reply. Unfortunately, I do not have any updates yet. May I inquire are you facing any issues with OpenSSL and our SDK?

Thanks!

okan · December 13, 2019, 1:12pm

Hi,

It is iOS SDK. All we want to know is “OpenSSL version used in latest zoom iOS SDK”. Security scan requires certain OpenSSL versions…

okan · December 13, 2019, 6:12pm

Another finding is that the security scan indicated that framework is using openssl version 1.0.2d.

carson.zoom · December 18, 2019, 11:27pm

Hi okan,

Thanks for the reply. After consulting with the team, unfortunately we are not able to publicly reveal this information. Pardon the inconvenience. If you are facing any particular issues caused by this, please let me know and I will work with the engineering team to fix them. Thank you for your understanding.

Thanks!

carson.zoom · December 19, 2019, 9:24pm

Hi okan,

Thanks for the reply. I will contact you directly regarding this.

Thanks!

Engineering · February 19, 2020, 8:30pm

Hi, Carson,
This is Bin - Okan’s co-worker.
Thanks for your email to Okan that ZOOM SDK has update with Open SSL Rev 1.0.2u. However since we initially contacted ZOOM in December 2019, there are quite changes. Version 1.0.2u is already out of support since January 2020 and is no longer receiving updates. From our last submission of our iOS app, FirstNet stated that version 1.1.1d is the new requirement. Please advice.
Thanks!

carson.zoom · February 19, 2020, 9:19pm

Hi Bin,

Thanks for the reply. Based on the information shown on OpenSSL’s website, 1.0.2u is newer than 1.1.1d(Updated date) , and it has addressed the known vulnerabilities found in the 1.0.2 versions.

If you could provide the links or the news articles saying that the 1.0.2u would be out of support and no longer receiving updates, it would be very helpful for us to re-evaluate this upgrade. (I found this article: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/, please verify)

Thanks!

Engineering · February 21, 2020, 8:48pm

Hi Carson:
Thanks for your info. Here is the original reply from FirstNet Security team in quota:
"FYI, version 1.0.2u is already out of support since January 2020 and is no longer receiving updates. Support is only for those that are premium support customers. See here… https://www.openssl.org/news/vulnerabilities-1.0.2.html "
Please advise.

Bin

carson.zoom · February 21, 2020, 9:57pm

Hi Bin,

Thank you very much for your reply. I will forward this to the engineering team and I will escalate this. Will keep you updated.

Thanks!

asharma · April 16, 2020, 6:48pm

Hello Carson:

Is there any update on the availability of Zoom iOS SDK with latest OpenSSL version. This is stopping us to get approval of our app from FirstNet security review.

The FirstNet requires to have OpenSSL version of at least 1.1.1e or later.

Thanks

carson.zoom · April 16, 2020, 9:25pm

Hi asharma,

Thanks for the reply. The upgrade process is still ongoing. It is a major version upgrade from 1.0.2 to 1.1.1 so it takes sometime. I will try to escalate this and keep you updated.

Thanks!

Topic		Replies	Views
Upgrade OpenSSL to 1.1.1l from 1.1.1k iOS	6	797	December 2, 2021
iOS encryption export compliance information iOS	2	1171	December 31, 2022
Client SDKs Release - April 2020 New Releases meeting-sdk	1	1545	April 28, 2020
How to update to Zoom 5.0 iOS SDK iOS	4	545	August 21, 2020
How to get the encryption status? iOS	11	867	August 21, 2020

Open SSL version

Related Topics