My own system is, I think, fully "up to date" as far as Apple security updates through the App Store, but the version of OpenSSL installed on my system is 0.9.8zg, a version that was current during the past year, but lost all security support as of Dec 31, 2015.
https://www.openssl.org/news/secadv/20160128.txt
I read elsewhere that, when one uses a VPN, and that VPN client comes bundled with a different, later version of OpenSSL (say, version 1.0.1r), that VPN client's version will supersede, that is, the more up-to-date version will mediate the negotiation with a network connection in a browser.
My two, related questions are:
(1) is this accurate? If so, it would seem that running a VPN with a current version of OpenSSL would nominally 'protect' the user better than a deprecated version installed on the OS, correct?
(2) If a user has no VPN, is the user then relying on the vulnerable version of OpenSSL in the OS alone for that layer of security? Or are later versions of OpenSSL somehow 'bundled' within specific applications (the browser, Skype, iTunes, etc.), just as it is 'bundled' with a VPN client?
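As an added example, not part of the original question or answer: question (2) can be checked per application on macOS by looking at which libraries a binary actually links. The Python below parses `otool -L` output and reports whether a binary depends on the OS copy of OpenSSL under /usr/lib or on a copy bundled inside the app. The two sample outputs, the app name and the paths are constructed for illustration.

```python
import re

# Constructed sample of `otool -L` output for a hypothetical app that ships
# its own OpenSSL inside the bundle (paths and versions are made up).
BUNDLED_SAMPLE = """\
/Applications/ExampleVPN.app/Contents/MacOS/ExampleVPN:
\t@executable_path/../Frameworks/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t@executable_path/../Frameworks/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
"""

# Constructed sample for a hypothetical tool linked against the OS copy.
SYSTEM_SAMPLE = """\
/usr/bin/example-tool:
\t/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
\t/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
"""

# Matches an indented dependency line naming libssl or libcrypto and captures
# the full path, the library name and the version embedded in the file name.
LIB_RE = re.compile(r"^\s+(\S*lib(ssl|crypto)\.([0-9][0-9.]*?)\.dylib)")


def linked_openssl(otool_output):
    """Return one record per OpenSSL dylib the binary links, with its origin.

    Only dynamic links are visible here: an app that statically links OpenSSL,
    or that uses Apple's Secure Transport instead, yields an empty list.
    """
    found = []
    for line in otool_output.splitlines()[1:]:  # first line is the binary itself
        m = LIB_RE.match(line)
        if not m:
            continue
        path, lib, version = m.group(1), m.group(2), m.group(3)
        source = "system" if path.startswith("/usr/lib/") else "bundled"
        found.append({"lib": lib, "version": version, "path": path, "source": source})
    return found


def relies_on_system_openssl(otool_output):
    """True when any OpenSSL dependency resolves to the OS copy in /usr/lib."""
    return any(r["source"] == "system" for r in linked_openssl(otool_output))


if __name__ == "__main__":
    for name, sample in (("ExampleVPN", BUNDLED_SAMPLE), ("example-tool", SYSTEM_SAMPLE)):
        for rec in linked_openssl(sample):
            print(f"{name}: lib{rec['lib']} {rec['version']} ({rec['source']}) {rec['path']}")
```

Run it against a real binary with `otool -L /path/to/binary | python3 -c 'import sys; ...'` or by reading the output into `linked_openssl`; an empty result does not prove the app is safe, only that no OpenSSL dylib is linked dynamically.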
Best Answer
Having done further research, I see the following appears to answer my questions:
https://security.stackexchange.com/questions/27891/how-do-a-vpns-route-ssl-traffic-and-do-they-compromise-security