We are interested to know if GPG4win uses SSL and if it’s affected by the Heartbleed vulnerability (for any versions).
GPG4Win utilizes “end to end” encryption. That is, files are encrypted before they leave the sender’s device using the recipient’s public key. Only the person who has the matching private key can decrypt the message. The private key does not need to be shared with anyone and indeed should be kept absolutely safe in a secure location on the recipient’s end. GPG4Win does not rely on SSL.
See here for more info:
Sean is correct in that OpenPGP or CMS (S/MIME) is about files or emails, but not for stream connections. Note that some helper applications of the crypto backend may be able to do SSL connections, e.g. for accessing keyservers.
But Gpg4win uses GnuTLS for these helper functions; see the source packages list and search for tls or ssl:
So no use of OpenSSL’s SSL functions as far as I know.
(Note that OpenSSL’s license is incompatible with GnuPG’s and Gpg4win’s license, so it ought not to be used anyway.)