Sqlcipher:4.5.4v contains which version of openssl?

I am using the below package version in my project.

implementation 'net.zetetic:android-database-sqlcipher:4.5.4@aar'
implementation 'androidx.sqlite:sqlite:2.2.0'

Before, I used `sqlcipher:4.0.1@aar`, but our security team reported an issue of the package being outdated.

Issues: OpenSSL version `1.1.1`

Could you please confirm which version of OpenSSL is used in SQLCipher:4.5.4v?

From the release announcement:

non-FIPS packages using OpenSSL now include 1.1.1t, except Windows UAP which uses OpenSSL 1.1.1s

We got feedback from the security team:

Android: Vuln 9. Partially Fixed, Dependency openssl version 1.1.1t was detected at lib/armeabi-v7a/libsqlcipher.so and lib/arm64-v8a/libsqlcipher.so

Is there any way to update the OpenSSL version, @sjlombardo? The security team reported it as outdated.

Hello @Abu_Basith - you could build SQLCipher yourself from source and use a different OpenSSL version. Otherwise, you’d need to wait for the next release when we would update the version used.

Thanks @sjlombardo - Could you please give any guidance for the OpenSSL version update in SQLCipher?

I can’t provide a concrete timeline right now, but there will likely be a release sometime this month.

Hey @sjlombardo, I saw that the new version 4.5.5v has been officially released, so has the OpenSSL version been increased?

Hello @Abu_Basith - SQLCipher non-FIPS packages that use the OpenSSL Cryptographic Provider are now using OpenSSL 3.0.10 LTS. Note that android-database-sqlcipher has been deprecated, so you should migrate to use the new sqlcipher-android package.

@sjlombardo - What is the meaning of non-FIPS packages? And does sqlcipher-android come under non-FIPS?

Hello @Abu_Basith - It basically means any standard distributions of community, commercial, or enterprise packages which use OpenSSL. SQLCipher Enterprise FIPS is a special set of packages that use a FIPS 140-2 validated cryptographic module. Such packages are clearly marked and only distributed through our Enterprise program under a special license. If you do not have a specific FIPS package license from Zetetic then your sqlcipher-android packages are non-FIPS.
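
Added example, not part of the thread and not Zetetic's code: a way to check for yourself which OpenSSL version is linked into `libsqlcipher.so` inside an APK or AAR, the same kind of finding the security team reported above. It assumes the library carries OpenSSL's usual `OpenSSL <version>` banner string; the helper names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Banner that OpenSSL builds embed in the binary, e.g. b"OpenSSL 1.1.1t ...".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def openssl_versions_in_archive(archive):
    """Map each native library (*.so) in an APK/AAR to the OpenSSL
    versions whose banner strings appear in its bytes."""
    found = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if not name.endswith(".so"):
                continue
            hits = {m.decode() for m in OPENSSL_BANNER.findall(zf.read(name))}
            if hits:
                found[name] = sorted(hits)
    return found


def build_sample_archive(version):
    """Constructed stand-in for an APK: fake .so files holding only a banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for abi in ("armeabi-v7a", "arm64-v8a"):
            blob = b"\x7fELF\x00" + b"OpenSSL " + version.encode() + b"  \x00"
            zf.writestr(f"lib/{abi}/libsqlcipher.so", blob)
        zf.writestr("classes.dex", b"not a native library")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Replace the sample with a path to a real APK or AAR to audit it.
    for version in ("1.1.1t", "3.0.10"):
        print(version, openssl_versions_in_archive(build_sample_archive(version)))
```

At run time, SQLCipher's `PRAGMA cipher_provider_version;` reports the crypto provider version from inside the app, which is a useful cross-check against the static scan.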