[16.18][linux] OpenSSL 1.0.1 is outdated
Posted: Tue Jan 23, 2018 2:34 pm
The Linux version of Factorio ships with OpenSSL 1.0.1f compiled into it (56934), which is now over four years old, outdated and insecure. 1.0.1 is EOL and unmaintained since December 2016.
Please update to OpenSSL 1.0.2, which is an LTS version with support until at least December 2019.
If possible, use the up-to-date OpenSSL 1.0.2 library available on the system instead of shipping your own. 1.0.2 is included in Ubuntu since 16.04, Debian Stable (and Oldstable via backports) and pretty much all other non-ancient Linux distributions.
If you’re worried about anyone really not having OpenSSL 1.0.2, you could include a precompiled library that only gets used as a fallback if no compatible version is found on the system. If you’re extra worried about incompatibilities, add a --prefer-included-libs option too. Actually, I would prefer dynamically linked libraries (with precompiled fallbacks) for all the other currently statically included libraries as well (libpng, libcurl, etc.), so that up-to-date libraries get used whenever possible.
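A sketch of the system-first, bundled-fallback selection the post proposes, as an added example that is not part of the original post and not Factorio code. It checks the version at run time through `SSLeay()` because on Debian and Ubuntu both 1.0.1 and 1.0.2 install under the same `libcrypto.so.1.0.0` soname, so the file name alone does not say which one was found. Assumptions: the bundled path `./lib/libcrypto.so.1.0.0` and the helper names are hypothetical.

```c
/* Added example: prefer a system OpenSSL 1.0.2+, else use a bundled copy. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#define MIN_VERSION 0x10002000UL /* 1.0.2; OPENSSL_VERSION_NUMBER is 0xMNNFFPPS */
#define MAX_VERSION 0x10100000UL /* 1.1.0 changed the ABI, so it is excluded */

/* Ignore the patch-letter and status fields; compare major.minor.fix only. */
static int version_acceptable(unsigned long v) {
    v &= 0xFFFFF000UL;
    return v >= MIN_VERSION && v < MAX_VERSION;
}

/* Load a libcrypto and ask it for its version; returns 0 if unavailable.
 * SSLeay() is the version query exported by the 1.0.x series. */
static unsigned long probe_version(const char *path) {
    unsigned long (*fn)(void) = NULL;
    unsigned long v = 0;
    void *h = dlopen(path, RTLD_LAZY | RTLD_LOCAL);
    if (!h) return 0;
    *(void **)(&fn) = dlsym(h, "SSLeay"); /* POSIX idiom for function symbols */
    if (fn) v = fn();
    dlclose(h);
    return v;
}

/* prefer_included mirrors the --prefer-included-libs option from the post. */
static const char *choose_lib(unsigned long system_version, int prefer_included,
                              const char *system_path, const char *bundled_path) {
    if (!prefer_included && version_acceptable(system_version))
        return system_path;
    return bundled_path; /* missing, too old, or incompatible system library */
}

int main(int argc, char **argv) {
    const char *sys = "libcrypto.so.1.0.0";           /* Debian/Ubuntu 1.0.x soname */
    const char *bundled = "./lib/libcrypto.so.1.0.0"; /* hypothetical bundled copy */
    int prefer = argc > 1 && strcmp(argv[1], "--prefer-included-libs") == 0;
    unsigned long v = probe_version(sys);
    printf("system libcrypto version: 0x%lx\n", v);
    printf("loading: %s\n", choose_lib(v, prefer, sys, bundled));
    return 0;
}
```

On glibc older than 2.34, link with `-ldl`.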