OpenSSL 3.0.7 update (2022-11-01) FAQ

What is this post about?

Tomorrow (2022-11-01) the OpenSSL team will release a critical security update to their 3.0 tree. See the official announcement.

What does critical mean?

Critical means, that the upcoming vulnerability is likely exploitable in a common configuration scenario. See /policies/general/security-policy.html for the full explanation.

CVE-2022-3602 has meanwhile been downgraded to HIGH severity, as it is probably not exploitable

How do I know if I am affected?

  • The NixOS 22.05 release still defaults to OpenSSL 1.1 and is mostly unafffected with the exception of the nginx HTTP server, which has been overriden to use OpenSSL 3.0.

  • NixOS unstable on the other hand uses OpenSSL 3.0 by default and will therefore be widely affected.

How will this issue be handled within nixpkgs?

  • For the stable release we plan to push the upgrade directly into release-22.05, given the minimal rebuild amount involved.

  • For the unstable release we plan to merge the update into the running staging-next cycle, that is in an overall good state, and then shortly thereafter into master.

  • Once the upgrades reach the master and release-22.05 branches, we will immediately trigger an update to the respective -small channels, since they are more likely to be used by infrastructure. They also provide the basis for the nixos-unstable and nixos-22.05 channels, which will follow shortly thereafter.

When do the updates arrive on the channels?

We will add links to the PR tracker here once the relevant pull requests are up.

What can I do to mitigate the issue right now?

  • On NixOS 22.05 you can downgrade the OpenSSL version used by nginx, unless you explicitly enabled and are relying on kTLS:

    nixpkgs.overlays = [
      (final: prev: {
        nginxStable = prev.nginxStable.override { openssl = pkgs.openssl_1_1; };

    via How to make NixOS compile nginx with OpenSSL 1.x - Xe

  • An overlay for NixOS unstable, that downgrades the openssl attribute is not recommended, given that it is very expensive to build and entirely untested.

  • Consider disabling or restricting exposed services for the time being, where possible.

What can I do to mitigate the issue, once the update is available?

  • If you’re not in a hurry, wait for the channels to catch up and rebuild.

  • If you’re in a hurry you can replace the OpenSSL runtime dependency without doing a full rebuild:

    system.replaceRuntimeDependencies =
        nixpkgsfixed = builtins.fetchTarball "";
        inherit (pkgs.callPackage (nixpkgsfixed + "/pkgs/development/libraries/openssl") {}) openssl_3;
        (output: {
          original = pkgs.openssl_3.${output};
          replacement =openssl_3.${output};
        # Needs to be toposorted so that the original package is not reintroduced into the closure.
        [ "out" "doc" "debug" "man" "bin" "dev"];

    via yuka & Jan Tojnar

Who authored this?

This FAQ was prepared by multiple people in the room on Matrix.


nix-store -qR /run/current-system | grep openssl

followed by a

nix why-depends --all /run/current-system /nix/store/<some-openssl-3>

can also give a quick run-down of what packages you have installed that currently depend on openssl 3.x, and is a bit more generic than relying on having only 22.05 packages installed.

Edit: @ElvishJerricco is right, without --all only the first hit will be listed


I would recommend adding --all to that why-depends command.


OpenSSL 3.0.7 is out, the pull request for staging-next is up and labeled for backport. Was just merged.


The NixOS community have been greatly responsive to this security issue announcement, thank you very much for all the clear explanations :pray:t3:


Random updates:


The release-22.05 backport PR has also just been merged:

PR tracker: Nixpkgs PR #199001 ("[Backport release-22.05] openssl: 3.0.5 -> 3.0.7") progress

I have patched my systems with the replaceRuntimeDependencies option:

  system.replaceRuntimeDependencies = [
      original = pkgs.openssl.out;
      replacement = let
        nixpkgsfixed = builtins.fetchTarball "";
        inherit (pkgs.callPackage (nixpkgsfixed + "/pkgs/development/libraries/openssl") {}) openssl_3;
      in openssl_3.out;

Had to add --impure because replaceRuntimeDependencies runs into errors with pure eval mode otherwise.

EDIT: previous version was broken, because it replaced only the occurrences of the .bin output

Hosted by Flying Circus.