Security Question: OpenSSL 3 DLLs (libcrypto-3.dll / libssl-3.dll) in Windows LyX

Information and discussion about LyX, a WYSIWYM editor, available for Linux, Windows and Mac OS X systems.
lyx_user1221
Posts: 1
Joined: Wed Nov 19, 2025 11:25 am

Post by lyx_user1221 »

Dear LyX community,

I am contacting you because I am evaluating the use of LyX in a corporate environment, and I have encountered a security compliance issue regarding the OpenSSL libraries distributed with the Windows version of LyX.

Specifically, the LyX installation includes the following DLLs:

libcrypto-3.dll

libssl-3.dll

The internal security tools have flagged these files as containing known OpenSSL 3.x vulnerabilities (based on current CVE reports).
Updating LyX to a newer version did not resolve the issue, and replacing the DLLs manually is difficult without knowing which OpenSSL 3.x build is officially supported and compatible with the LyX Windows binaries.

I would appreciate guidance on the following questions:

Does LyX actively use OpenSSL on Windows, or are these DLLs only present because of Qt’s network module?
In other words, is OpenSSL actually required by LyX, or only loaded when optional network features are used (e.g., update checks)?

Is it safe and officially supported to replace the included libcrypto-3.dll and libssl-3.dll with patched OpenSSL 3.x DLLs from trusted sources (e.g., the Win64 OpenSSL builds)?
If yes, are there specific version requirements, ABI constraints, or known compatibility issues?

Is there a way to disable SSL/HTTPS functionality in LyX entirely, for environments where outbound network connections are blocked anyway?

Are there any plans to update or decouple the bundled OpenSSL libraries in future LyX releases?

This is an important question for corporate-wide deployment, because we need a clear and supportable mitigation that does not rely on sandboxing or user-level workarounds.

Any information or recommendations from the LyX developers or experienced users would be very helpful.

Thank you very much for your assistance,

Stefan Kottwitz
Site Admin
Posts: 10397
Joined: Mon Mar 10, 2008 9:44 pm

Re: Security Question: OpenSSL 3 DLLs (libcrypto-3.dll / libssl-3.dll) in Windows LyX

Post by Stefan Kottwitz »

Welcome to the forum!

Those SSL libraries belong to Qt, right, LyX just uses Qt. LyX can use it to download from external repositories or sources such as remote BibTeX/biblatex sources, or via URL-inserted stuff. I don't work with LyX myself, but I can imagine it works when used locally without Internet access, just using the local TeX installation. So, an option may be removing the DLLs and telling users that LyX can be used without external parts (and ignoring Qt TLS warnings like “No functional TLS backend” / “incompatible OpenSSL” etc.).

Replacing with updated DLLs can be better, but it may require some testing (or research). Use the same kind of DLLs (64-bit) with the same major and minor versions, just patched. Test a bit, like inserting something from an external URL. If it survives a small test, then SSL/TLS should work in general.

You could also ask on more official channels, such as the mailing lists, or give this a try.

Stefan
LaTeX.org admin
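
The compatibility criteria in the reply above (same bitness, same major and minor version, only patched) can be checked mechanically before any DLL is swapped. The following is an added example, not part of the original posts and not LyX, Qt or OpenSSL code; it assumes the OpenSSL version text is embedded as a plain string in the library (as in libcrypto), and the sample DLL bytes and version numbers are constructed.

```python
import re
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
# Assumption: the library embeds its version text, e.g. "OpenSSL 3.1.2 1 Jan 2024"
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+) +\d{1,2} [A-Z][a-z]{2} \d{4}")

def inspect_dll(data):
    """Return (architecture, (major, minor, patch)) for a DLL's raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: MZ header missing")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("not a PE file: PE signature missing")
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    match = VERSION_RE.search(data)
    if match is None:
        raise ValueError("no OpenSSL version text found")
    return MACHINES.get(machine, hex(machine)), tuple(int(g) for g in match.groups())

def check_replacement(bundled, candidate):
    """Return the reasons the candidate is not a same-series patched build."""
    b_arch, b_ver = inspect_dll(bundled)
    c_arch, c_ver = inspect_dll(candidate)
    problems = []
    if c_arch != b_arch:
        problems.append(f"architecture differs: {c_arch} vs bundled {b_arch}")
    if c_ver[:2] != b_ver[:2]:
        problems.append("major.minor differs: %d.%d vs bundled %d.%d" % (c_ver[:2] + b_ver[:2]))
    elif c_ver[2] < b_ver[2]:
        problems.append("candidate patch level is older than the bundled DLL")
    return problems

def fake_dll(machine, version_text):
    """Constructed stand-in for a DLL: minimal PE header plus a version string."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + version_text + b"\0"

# Constructed samples; these versions are not taken from any LyX release.
BUNDLED = fake_dll(0x8664, b"OpenSSL 3.1.2 1 Jan 2024")
PATCHED = fake_dll(0x8664, b"OpenSSL 3.1.7 1 Jun 2024")
WRONG_ARCH = fake_dll(0x014C, b"OpenSSL 3.1.7 1 Jun 2024")
NEWER_SERIES = fake_dll(0x8664, b"OpenSSL 3.3.1 1 Jun 2024")

if __name__ == "__main__":
    for name, dll in [("patched", PATCHED), ("wrong arch", WRONG_ARCH), ("newer series", NEWER_SERIES)]:
        print(name, check_replacement(BUNDLED, dll) or "ok")
```

For real files, pass the bytes of each DLL (for example from `pathlib.Path(...).read_bytes()`); an empty result only narrows the choice of build, and the functional test described in the reply still applies.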