OpenSSL

by Shining Light Productionsv4.0.1

Last updated Jun 10, 2026

Install OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication.

Visit homepage

Install with winget

$ winget install --id ShiningLight.OpenSSL.Dev --exact --version 4.0.1

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for OpenSSL

OpenSSL uses EXE (Inno Setup). The silent install switches are /VERYSILENT /SUPPRESSMSGBOXES /NORESTART.

One-line silent install (x64, machine scope)

Win64OpenSSL-4_0_1.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

See the full silent install reference for OpenSSL →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v4.0.1

Architecture	Type	Scope	Download
x86	EXE Inno Setup	machine	Direct
x86	MSI WiX	machine	Direct
x64	EXE Inno Setup	machine	Direct
x64	MSI WiX	machine	Direct
arm64	EXE Inno Setup	machine	Direct
arm64	MSI WiX	machine	Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

high7.5Patched in wingetCVE-2026-31790affects before 3.0.20, 3.3.7, 3.4.5, +2 moreApr 7, 2026
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the appl...
Patch Vendor advisory
critical9.8Patched in wingetCVE-2026-31789affects before 3.0.20, 3.3.7, 3.4.5, +2 moreApr 7, 2026
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavio...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-28390affects before 1.0.2zp, 1.1.1zg, 3.0.20, +4 moreApr 7, 2026
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-28389affects before 1.0.2zp, 1.1.1zg, 3.0.20, +4 moreApr 7, 2026
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur res...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-28388affects before 1.0.2zp, 1.1.1zg, 3.0.20, +4 moreApr 7, 2026
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service...
Patch Vendor advisory
high8.1Patched in wingetCVE-2026-28387affects before 1.1.1zg, 3.0.20, 3.3.7, +3 moreApr 7, 2026
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of p...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-28386affects before 3.6.2Apr 7, 2026
Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to D...
Patch Vendor advisory
medium5.3Patched in wingetCVE-2026-22796affects before 1.0.2zn, 1.1.1ze, 3.0.19, +4 moreJan 27, 2026
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact s...
Patch Vendor advisory

Showing 8 of 25. Source: NVD, updated 2h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

OpenSSL LightShining Light Productions
ShiningLight.OpenSSL.Lightv4.0.1
Install the most commonly used essentials of OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication.
OpenSSL Light LTSShining Light Productions
ShiningLight.OpenSSL.LTS.Lightv3.5.6
Install the most commonly used essentials of OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication.

Frequently asked questions

How do I install OpenSSL on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id ShiningLight.OpenSSL.Dev --exact --version 4.0.1. winget downloads the installer from Shining Light Productions and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install OpenSSL silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id ShiningLight.OpenSSL.Dev --exact 4.0.1 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for OpenSSL?

OpenSSL uses EXE (Inno Setup). Run the downloaded installer with: Win64OpenSSL-4_0_1.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART. The silent switches are /VERYSILENT /SUPPRESSMSGBOXES /NORESTART.

How do I uninstall OpenSSL via winget?

Run: winget uninstall --id ShiningLight.OpenSSL.Dev --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from OpenSSL's Apps & Features entry.

Is OpenSSL free?

OpenSSL is distributed under Freeware. Refer to the publisher (https://slproweb.com/products/Win32OpenSSL.html) for the full license terms - Wingetly itself does not charge for installation.

Does OpenSSL work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls OpenSSL directly from the publisher.

How do I keep OpenSSL up to date?

Run winget upgrade --id ShiningLight.OpenSSL.Dev --exact, or winget upgrade --all to update everything winget tracks. We index 6 versions of OpenSSL from microsoft/winget-pkgs.

Recent versions

4.0.1latest
4.0.0
3.6.2
3.6.1
3.6.0
3.5.4