Re: openssl version - how to verify
2010/11/15 Jerry freebsd.u...@seibercom.net:
> On Tue, 16 Nov 2010 00:41:32 +1030 Indexer inde...@internode.on.net articulated:
> > It breaks a lot, and causes you to need to rebuild some parts of the base system. The most notable, is SSHD, which whenever I install the openssl from ports, will not work unless I rebuild SSHD or, remove the ports version.
>
> There were (maybe still are) a few ports that don't work correctly with openssl via ports; however, I have filed PRs on them and for the most part they have been fixed. However, I would not let that fact deter you from using a newer, safer version of the application. When building a new system, I start with the newer version from the start. If updating later, I have found that first installing the new openssl version via ports, and then using portmanager with the -p option rebuilds virtually any port still dependent on the deprecated version. In any case, I believe it is a prerequisite to have the previously noted notation in the /etc/make.conf file prior to building any port(s) or kernel/world.
>
> In any case, however, to his own.
>
> --
> Jerry ✌
> freebsd.u...@seibercom.net
>
> Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
>
> No man's ambition has a right to stand in the way of performing a simple act of justice.
> John Altgeld

Filed one PR. http://www.freebsd.org/cgi/query-pr.cgi?pr=152483

Hope this would be resolved someday :)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: openssl version - how to verify
On Sat, 20 Nov 2010 00:08:35 -0500 Eitan Adler li...@eitanadler.com wrote:
> On Fri, Nov 19, 2010 at 4:36 PM, Jerry freebsd.u...@seibercom.net wrote:
> > On Fri, 19 Nov 2010 15:08:26 -0600 Adam Vande More amvandem...@gmail.com articulated:
> > > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> > >
> > > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
> >
> > It was later discovered that the software used to certify the kernel 100% bug-free was not itself bug-free thereby nullifying results.
>
> The paper Diverse Double-Compiling by David A Wheeler is relevant although not strictly the same topic. It could be used to avoid this type of issue.

Even if it works it's only proving that at some level of abstraction the implementation matches a formal specification, there's still scope for higher and lower level bugs.

But just because something is unknown doesn't mean it's infinite.
Re: openssl version - how to verify
On 19 November 2010 22:22, Jerry freebsd.u...@seibercom.net wrote:
> On Fri, 19 Nov 2010 15:53:11 -0600 Adam Vande More amvandem...@gmail.com articulated:
> > On Fri, Nov 19, 2010 at 3:36 PM, Jerry freebsd.u...@seibercom.net wrote:
> > > On Fri, 19 Nov 2010 15:08:26 -0600 Adam Vande More amvandem...@gmail.com articulated:
> > > > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> > > >
> > > > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
> > >
> > > It was later discovered that the software used to certify the kernel 100% bug-free was not itself bug-free thereby nullifying results.
> >
> > Link or another Jerry Fact
>
> I would have thought that was obvious. Although, it does remind me of the old myth that the bumblebee should not be able to fly http://en.wikipedia.org/wiki/Bumblebee. "There's a sucker born every minute" is a phrase often credited to P. T. Barnum, and quite often true.

No, it's not 'obvious', just like many other things. People believed Aristotle's assurances about the rate of things falling for nearly 2000 years until Galileo and Newton pointed out 'obvious' flaws in his method.

Again, link?

Chris
Re: openssl version - how to verify
On Sat, 20 Nov 2010 16:56:05 + Chris Rees utis...@gmail.com articulated:
> > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> >
> > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
>
> People believed Aristotle's assurances about the rate of things falling for nearly 2000 years until Galileo and Newton pointed out 'obvious' flaws in his method.

Which is precisely my point in regards to the link shown above.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: openssl version - how to verify
On 20 November 2010 17:34, Jerry freebsd.u...@seibercom.net wrote:
> On Sat, 20 Nov 2010 16:56:05 + Chris Rees utis...@gmail.com articulated:
> > > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> > >
> > > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
> >
> > People believed Aristotle's assurances about the rate of things falling for nearly 2000 years until Galileo and Newton pointed out 'obvious' flaws in his method.
>
> Which is precisely my point in regards to the link shown above.

Er, no. YOU have the burden of proof in your assertion, 'obvious' is not good enough. The link above refers to a study; if you think there's been a bug then show us.

Chris
Re: openssl version - how to verify
> From owner-freebsd-questi...@freebsd.org Mon Nov 15 09:38:53 2010
> Date: Mon, 15 Nov 2010 18:40:27 +0300
> From: c0re nr1c...@gmail.com
> To: FreeBSD freebsd-questions@freebsd.org
> Subject: Re: openssl version - how to verify
>
> 2010/11/15 Jerry freebsd.u...@seibercom.net:
>
> There are still too many broken ports with openssl from ports, I do not like debug it and really like to use base openssl, almost no difference. But I just want to have some proofs that base system openssl has security patches because 7.3-RELEASE base openssl is 0.9.8e, but 0.9.8e has got security vulnerabilities.
>
> But how can I be sure that freebsd base system with 0.9.8e version does not have any vulnerabilities?

_authoritative_ answer: You _cannot_.

Statement rationale: The number of discovered bugs in any system is a finite number. The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one. By definition.
Re: openssl version - how to verify
On Fri, Nov 19, 2010 at 2:54 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
> _authoritative_ answer: You _cannot_.
>
> Statement rationale: The number of discovered bugs in any system is a finite number. The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one. By definition.

While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.

http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html

--
Adam Vande More
Re: openssl version - how to verify
On Fri, 19 Nov 2010 15:08:26 -0600 Adam Vande More amvandem...@gmail.com articulated:
> While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
>
> http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html

It was later discovered that the software used to certify the kernel 100% bug-free was not itself bug-free thereby nullifying results.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

My sister opened a computer store in Hawaii. She sells C shells by the seashore.
Re: openssl version - how to verify
On Fri, Nov 19, 2010 at 3:36 PM, Jerry freebsd.u...@seibercom.net wrote:
> On Fri, 19 Nov 2010 15:08:26 -0600 Adam Vande More amvandem...@gmail.com articulated:
> > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> >
> > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
>
> It was later discovered that the software used to certify the kernel 100% bug-free was not itself bug-free thereby nullifying results.

Link or another Jerry Fact

--
Adam Vande More
Re: openssl version - how to verify
On Fri, 19 Nov 2010 15:53:11 -0600 Adam Vande More amvandem...@gmail.com articulated:
> On Fri, Nov 19, 2010 at 3:36 PM, Jerry freebsd.u...@seibercom.net wrote:
> > On Fri, 19 Nov 2010 15:08:26 -0600 Adam Vande More amvandem...@gmail.com articulated:
> > > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> > >
> > > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
> >
> > It was later discovered that the software used to certify the kernel 100% bug-free was not itself bug-free thereby nullifying results.
>
> Link or another Jerry Fact

I would have thought that was obvious. Although, it does remind me of the old myth that the bumblebee should not be able to fly http://en.wikipedia.org/wiki/Bumblebee. "There's a sucker born every minute" is a phrase often credited to P. T. Barnum, and quite often true.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: openssl version - how to verify
On Fri, Nov 19, 2010 at 4:36 PM, Jerry freebsd.u...@seibercom.net wrote:
> On Fri, 19 Nov 2010 15:08:26 -0600 Adam Vande More amvandem...@gmail.com articulated:
> > While I agree with your point in this context, the statement "The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
> >
> > http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html
>
> It was later discovered that the software used to certify the kernel 100% bug-free was not itself bug-free thereby nullifying results.

The paper Diverse Double-Compiling by David A Wheeler is relevant although not strictly the same topic. It could be used to avoid this type of issue.

--
Eitan Adler
Re: openssl version - how to verify
2010/11/16 Dennis Glatting d...@penx.com:
> On Tue, 2010-11-16 at 10:28 +0300, c0re wrote:
> > Jerry, I'm not about that :) base openssl are OK. But I need proofs that it has got no security problems - it's external IT auditors request. And I'm interested how I can know what patchlevel there on base openssl version and prove them (auditors) that freebsd base openssl are not vulnerable.
>
> Most operating systems have a variant of OpenSSL they patch from the security bug set without bumping the OpenSSL version identifier (they usually tack on an OS-specific identifier but the OpenSSL identifier becomes meaningless). For example Debian is a patched g, which you would conclude as old (in many respects it is old) and therefore security hole riddled.
>
> Debian 5.0.6:
>
>   Tasha:# openssl version
>   OpenSSL 0.9.8g 19 Oct 2007
>
> FreeBSD 8.1:
>
>   btw openssl version
>   OpenSSL 0.9.8n 24 Mar 2010
>
> That /does not/ mean those versions of OpenSSL have security holes. The fallacy with auditors is they look at version identifiers to make conclusions. This is in error.
>
> You need to figure out what they are looking for. Do they have a specific issue? Bug? Test suite they want run?
>
> You /could/ install the most recent version of OpenSSL but there is no guarantee it will replace the running version and it /could/ break applications, if only introducing holes that previously didn't exist (data structure sizing, library binding, function argument sets, etc.)
>
> > 2010/11/15 Jerry freebsd.u...@seibercom.net:
> > > On Mon, 15 Nov 2010 18:40:27 +0300 c0re nr1c...@gmail.com articulated:
> > > > There are still too many broken ports with openssl from ports, I do not like debug it and really like to use base openssl, almost no difference.
> > >
> > > Might I suggest that if you are aware of ports that don't work correctly with the port's version of openssl that you file a PR against it. I have done so and succeeded in getting several patches issued to correct the problem. This problem will not go away by itself.
> > >
> > > --
> > > Jerry
> > > freebsd.u...@seibercom.net
> > >
> > > Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

I understood you. They just look at openssl version and that's all. I just install openssl from ports, hide /usr/bin/openssl temporary, they get all they needs (there is openssl in /usr/local/bin/) and then I deinstall openssl from ports and restore /usr/bin/openssl. That's absurdity, but that's auditors... :)

Thanks all. It's hard to prove to auditors that base openssl are OK.
Re: openssl version - how to verify
On Tue, Nov 16, 2010 at 1:28 AM, c0re nr1c...@gmail.com wrote:
> Jerry, I'm not about that :) base openssl are OK. But I need proofs that it has got no security problems - it's external IT auditors request. And I'm interested how I can know what patchlevel there on base openssl version and prove them (auditors) that freebsd base openssl are not vulnerable.

Please don't top-post, thanks.

http://security.freebsd.org/advisories/

The files say which version it's corrected in.

--
Adam Vande More
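The check discussed in the two messages above (the OpenSSL version string stays fixed while the advisory names the release patch level that carries the fix) can be scripted. This is an added example, not part of the original thread: the function names `corrected_levels` and `advisory_status` are hypothetical, and the advisory text is a constructed sample in the "Corrected:" layout FreeBSD advisories use, with made-up dates and patch levels.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an advisory's "Corrected:"
# block whether a given FreeBSD release/patch level already carries the fix.

# Constructed sample in the layout of a FreeBSD security advisory header.
# Topic, dates and patch levels are made up for illustration.
sample_advisory() {
cat <<'EOF'
Topic:          OpenSSL example issue (constructed)
Category:       contrib
Module:         openssl
Affects:        All supported versions of FreeBSD
Corrected:      2010-01-01 00:00:00 UTC (RELENG_8, 8.1-STABLE)
                2010-01-01 00:00:00 UTC (RELENG_8_1, 8.1-RELEASE-p2)
                2010-01-01 00:00:00 UTC (RELENG_7, 7.3-STABLE)
                2010-01-01 00:00:00 UTC (RELENG_7_3, 7.3-RELEASE-p4)

I.   Background
EOF
}

# Read an advisory on stdin and print one corrected level per line,
# e.g. "7.3-RELEASE-p4". The block starts at "Corrected:" and continues
# on indented lines until the first line that is not indented.
corrected_levels() {
    awk '
        /^Corrected:/ { in_block = 1 }
        in_block && !/^Corrected:/ && !/^[ \t]/ { in_block = 0 }
        in_block {
            rel = $NF              # last field, e.g. "7.3-RELEASE-p4)"
            sub(/\)$/, "", rel)
            print rel
        }
    '
}

# Usage: advisory_status HOST_LEVEL < advisory
# HOST_LEVEL is the patch level the system reports, e.g. 7.3-RELEASE-p3.
# Prints: patched | unpatched | unlisted | not-a-release
advisory_status() {
    host=$1
    case $host in
        *-RELEASE*) ;;
        *) echo "not-a-release"; return 0 ;;   # -STABLE is fixed by date, not -pN
    esac
    host_base=${host%%-p[0-9]*}                # 7.3-RELEASE
    case $host in
        *-p[0-9]*) host_pl=${host##*-p} ;;
        *)         host_pl=0 ;;                # plain -RELEASE means patch level 0
    esac
    status=unlisted                            # branch not named in the advisory
    for level in $(corrected_levels); do
        level_base=${level%%-p[0-9]*}
        [ "$level_base" = "$host_base" ] || continue
        case $level in
            *-p[0-9]*) fixed_pl=${level##*-p} ;;
            *)         fixed_pl=0 ;;
        esac
        # Numeric comparison, so that p10 counts as newer than p2.
        if [ "$host_pl" -ge "$fixed_pl" ]; then
            status=patched
        else
            status=unpatched
        fi
    done
    echo "$status"
}

# The level quoted in the thread, checked against the constructed advisory.
sample_advisory | advisory_status 7.3-RELEASE-p3
```

A result of `unlisted` means the release branch does not appear in the "Corrected:" block at all, so the advisory's "Affects:" line has to be read by hand.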
Re: openssl version - how to verify
2010/11/16 Adam Vande More amvandem...@gmail.com:
> On Tue, Nov 16, 2010 at 1:28 AM, c0re nr1c...@gmail.com wrote:
> > Jerry, I'm not about that :) base openssl are OK. But I need proofs that it has got no security problems - it's external IT auditors request. And I'm interested how I can know what patchlevel there on base openssl version and prove them (auditors) that freebsd base openssl are not vulnerable.
>
> Please don't top-post, thanks.

Sorry. Wont will in future. But why?

> http://security.freebsd.org/advisories/
>
> The files say which version it's corrected in.
>
> --
> Adam Vande More

Thanks, it's better than nothing :)
Re: openssl version - how to verify
On Tue, Nov 16, 2010 at 9:49 AM, c0re nr1c...@gmail.com wrote:
> 2010/11/16 Adam Vande More amvandem...@gmail.com:
> > Please don't top-post, thanks.
>
> Sorry. Wont will in future. But why?

Because it messes up the flow of reading.
I prefer to bottom-post.
How come?
What do you do instead?
No.
Do you like top-posting?

--
chs,
openssl version - how to verify
Hey all!

If I look at base openssl in 7.3-RELEASE-p3

sys# openssl version -a
OpenSSL 0.9.8e 23 Feb 2007
built on: Mon Sep 27 11:54:36 MSD 2010
platform: FreeBSD-i386
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc
OPENSSLDIR: /etc/ssl

but at www.openssl.org I see that it's not recent version

01-Jun-2010: OpenSSL 0.9.8o is now available, including important bug and security fixes

I know that freebsd security team make patches for base openssl, but how can I know what patchlevel of openssl in base version? Like -p5 in OpenSSL 0.9.8e-p5 23 Feb 2007.
Re: openssl version - how to verify
On Mon, 15 Nov 2010 16:17:10 +0300 c0re nr1c...@gmail.com articulated:
> If I look at base openssl in 7.3-RELEASE-p3
>
> sys# openssl version -a
> OpenSSL 0.9.8e 23 Feb 2007
> built on: Mon Sep 27 11:54:36 MSD 2010
> platform: FreeBSD-i386
> options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
> compiler: cc
> OPENSSLDIR: /etc/ssl
>
> but at www.openssl.org I see that it's not recent version
>
> 01-Jun-2010: OpenSSL 0.9.8o is now available, including important bug and security fixes
>
> I know that freebsd security team make patches for base openssl, but how can I know what patchlevel of openssl in base version? Like -p5 in OpenSSL 0.9.8e-p5 23 Feb 2007.

Why not just install the ports version:

openssl version -a
OpenSSL 1.0.0a 1 Jun 2010
built on: Sun Jun 6 12:19:12 EDT 2010
platform: BSD-x86_64
options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -march=athlon64 -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: /usr/local/openssl

You would need to add this to the /etc/make.conf file first I believe:

WITH_OPENSSL_PORT=yes

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

Fat Liberation: because a waist is a terrible thing to mind.
Re: openssl version - how to verify
On 16/11/2010, at 00:38, Jerry wrote:
> On Mon, 15 Nov 2010 16:17:10 +0300 c0re nr1c...@gmail.com articulated:
> > If I look at base openssl in 7.3-RELEASE-p3
> >
> > sys# openssl version -a
> > OpenSSL 0.9.8e 23 Feb 2007
> > built on: Mon Sep 27 11:54:36 MSD 2010
> > platform: FreeBSD-i386
> > options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
> > compiler: cc
> > OPENSSLDIR: /etc/ssl
> >
> > but at www.openssl.org I see that it's not recent version
> >
> > 01-Jun-2010: OpenSSL 0.9.8o is now available, including important bug and security fixes
> >
> > I know that freebsd security team make patches for base openssl, but how can I know what patchlevel of openssl in base version? Like -p5 in OpenSSL 0.9.8e-p5 23 Feb 2007.
>
> Why not just install the ports version:

It breaks a lot, and causes you to need to rebuild some parts of the base system. The most notable, is SSHD, which whenever I install the openssl from ports, will not work unless I rebuild SSHD or, remove the ports version.

> openssl version -a
> OpenSSL 1.0.0a 1 Jun 2010
> built on: Sun Jun 6 12:19:12 EDT 2010
> platform: BSD-x86_64
> options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -march=athlon64 -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
> OPENSSLDIR: /usr/local/openssl
>
> You would need to add this to the /etc/make.conf file first I believe:
>
> WITH_OPENSSL_PORT=yes
>
> --
> Jerry ✌
> freebsd.u...@seibercom.net
>
> Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
>
> Fat Liberation: because a waist is a terrible thing to mind.

William Brown
pgp.mit.edu
Re: openssl version - how to verify
On Tue, 16 Nov 2010 00:41:32 +1030 Indexer inde...@internode.on.net articulated:
> It breaks a lot, and causes you to need to rebuild some parts of the base system. The most notable, is SSHD, which whenever I install the openssl from ports, will not work unless I rebuild SSHD or, remove the ports version.

There were (maybe still are) a few ports that don't work correctly with openssl via ports; however, I have filed PRs on them and for the most part they have been fixed. However, I would not let that fact deter you from using a newer, safer version of the application. When building a new system, I start with the newer version from the start. If updating later, I have found that first installing the new openssl version via ports, and then using portmanager with the -p option rebuilds virtually any port still dependent on the deprecated version. In any case, I believe it is a prerequisite to have the previously noted notation in the /etc/make.conf file prior to building any port(s) or kernel/world.

In any case, however, to his own.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

No man's ambition has a right to stand in the way of performing a simple act of justice.
John Altgeld
Re: openssl version - how to verify
2010/11/15 Jerry freebsd.u...@seibercom.net:
> On Mon, 15 Nov 2010 16:17:10 +0300 c0re nr1c...@gmail.com articulated:
> > If I look at base openssl in 7.3-RELEASE-p3
> >
> > sys# openssl version -a
> > OpenSSL 0.9.8e 23 Feb 2007
> > built on: Mon Sep 27 11:54:36 MSD 2010
> > platform: FreeBSD-i386
> > options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
> > compiler: cc
> > OPENSSLDIR: /etc/ssl
> >
> > but at www.openssl.org I see that it's not recent version
> >
> > 01-Jun-2010: OpenSSL 0.9.8o is now available, including important bug and security fixes
> >
> > I know that freebsd security team make patches for base openssl, but how can I know what patchlevel of openssl in base version? Like -p5 in OpenSSL 0.9.8e-p5 23 Feb 2007.
>
> Why not just install the ports version:
>
> openssl version -a
> OpenSSL 1.0.0a 1 Jun 2010
> built on: Sun Jun 6 12:19:12 EDT 2010
> platform: BSD-x86_64
> options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -march=athlon64 -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
> OPENSSLDIR: /usr/local/openssl
>
> You would need to add this to the /etc/make.conf file first I believe:
>
> WITH_OPENSSL_PORT=yes

There are still too many broken ports with openssl from ports, I do not like debug it and really like to use base openssl, almost no difference. But I just want to have some proofs that base system openssl has security patches because 7.3-RELEASE base openssl is 0.9.8e, but 0.9.8e has got security vulnerabilities.

But how can I be sure that freebsd base system with 0.9.8e version does not have any vulnerabilities?
Re: openssl version - how to verify
On Mon, 15 Nov 2010 18:40:27 +0300 c0re nr1c...@gmail.com articulated:
> There are still too many broken ports with openssl from ports, I do not like debug it and really like to use base openssl, almost no difference.

Might I suggest that if you are aware of ports that don't work correctly with the port's version of openssl that you file a PR against it. I have done so and succeeded in getting several patches issued to correct the problem. This problem will not go away by itself.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: openssl version - how to verify
Jerry, I'm not about that :) base openssl are OK. But I need proofs that it has got no security problems - it's external IT auditors request. And I'm interested how I can know what patchlevel there on base openssl version and prove them (auditors) that freebsd base openssl are not vulnerable.

2010/11/15 Jerry freebsd.u...@seibercom.net:
> On Mon, 15 Nov 2010 18:40:27 +0300 c0re nr1c...@gmail.com articulated:
> > There are still too many broken ports with openssl from ports, I do not like debug it and really like to use base openssl, almost no difference.
>
> Might I suggest that if you are aware of ports that don't work correctly with the port's version of openssl that you file a PR against it. I have done so and succeeded in getting several patches issued to correct the problem. This problem will not go away by itself.
>
> --
> Jerry ✌
> freebsd.u...@seibercom.net
>
> Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.