OpenSSL Light LTS

by Shining Light Productionsv3.5.6

Last updated Jun 8, 2026

Install the most commonly used essentials of OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication.

Visit homepage

Install with winget

$ winget install --id ShiningLight.OpenSSL.LTS.Light --exact --version 3.5.6

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for OpenSSL Light LTS

OpenSSL Light LTS uses EXE (Inno Setup). The silent install switches are /VERYSILENT /SUPPRESSMSGBOXES /NORESTART.

One-line silent install (x64, machine scope)

Win64OpenSSL_Light-3_5_6.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

See the full silent install reference for OpenSSL Light LTS →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v3.5.6

Architecture	Type	Scope	Download
x86	EXE Inno Setup	machine	Direct
x86	MSI WiX	machine	Direct
x64	EXE Inno Setup	machine	Direct
x64	MSI WiX	machine	Direct
arm64	EXE Inno Setup	machine	Direct
arm64	MSI WiX	machine	Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

high7.5Fix in v3.5.7CVE-2026-9076affects before 1.0.2zq, 1.1.1zh, 3.0.21, +3 moreJun 9, 2026
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash...
Patch Vendor advisory
high8.1Fix in v3.5.7CVE-2026-7383affects before 1.0.2zq, 1.1.1zh, 3.0.21, +3 moreJun 9, 2026
Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefin...
Patch Vendor advisory
high8.8Fix in v3.5.7CVE-2026-45447affects before 1.0.2zq, 1.1.1zh, 3.0.21, +3 moreJun 9, 2026
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS...
Patch Vendor advisory
medium4.8Fix in v3.5.7CVE-2026-45446affects before 3.0.21, 3.4.6, 3.5.7, 3.6.3Jun 9, 2026
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitr...
Patch Vendor advisory
high7.5Fix in v3.5.7CVE-2026-45445affects before 3.0.21, 3.4.6, 3.5.7, 3.6.3Jun 9, 2026
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce r...
Patch Vendor advisory
medium6.2Patched in wingetCVE-2026-42771affects v4.0.0Jun 9, 2026
Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen. Impact summary: This out of bounds read will not directly exfiltrate the data read...
Patch Vendor advisory
low3.7Fix in v3.5.7CVE-2026-42770affects before 3.0.21, 3.4.6, 3.5.7, 3.6.3Jun 9, 2026
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small...
Patch Vendor advisory
medium5.3Fix in v3.5.7CVE-2026-42769affects before 3.4.6, 3.5.7, 3.6.3Jun 9, 2026
Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Aut...
Patch Vendor advisory

Showing 8 of 25. Source: NVD, updated 4h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

OpenSSLShining Light Productions
ShiningLight.OpenSSL.Devv4.0.1
Install OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication.
OpenSSL LightShining Light Productions
ShiningLight.OpenSSL.Lightv4.0.1
Install the most commonly used essentials of OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication.

Frequently asked questions

How do I install OpenSSL Light LTS on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id ShiningLight.OpenSSL.LTS.Light --exact --version 3.5.6. winget downloads the installer from Shining Light Productions and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install OpenSSL Light LTS silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id ShiningLight.OpenSSL.LTS.Light --exact 3.5.6 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for OpenSSL Light LTS?

OpenSSL Light LTS uses EXE (Inno Setup). Run the downloaded installer with: Win64OpenSSL_Light-3_5_6.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART. The silent switches are /VERYSILENT /SUPPRESSMSGBOXES /NORESTART.

How do I uninstall OpenSSL Light LTS via winget?

Run: winget uninstall --id ShiningLight.OpenSSL.LTS.Light --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from OpenSSL Light LTS's Apps & Features entry.

Is OpenSSL Light LTS free?

OpenSSL Light LTS is distributed under Freeware. Refer to the publisher (https://slproweb.com/products/Win32OpenSSL.html) for the full license terms - Wingetly itself does not charge for installation.

Does OpenSSL Light LTS work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls OpenSSL Light LTS directly from the publisher.

How do I keep OpenSSL Light LTS up to date?

Run winget upgrade --id ShiningLight.OpenSSL.LTS.Light --exact, or winget upgrade --all to update everything winget tracks. We index 1 version of OpenSSL Light LTS from microsoft/winget-pkgs.