Base SSL v Ports SSL

[kevinwincott]

Having searched the forums I've not come up for a solution for this, basically one of my servers needs to pass PCI. The base install of openssl is OpenSSL 0.9.8q 2 Dec 2010 but the ports version is also installed OpenSSL 1.0.1c 10 May 2012, the PCI scans pick up the base version. Is there a way of forcing the ports version to be used? This server is fully up to date:

9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 20

 

[arp242]

the PCI scans pick up the base version

The base version lives in /usr/, the ports version lives in /usr/local/.

Note that installing the ports version as such means little. Ports will usually pick it up (or can be made to pick it up) when you compile them, but libraries/binaries from the base system and packages installed with pkg_add will still link against the base version of OpenSSL (as can be seen with the output of ldd). Using the port version of OpenSSL for the base system may be possible, but difficult.

I don't know what PCI is, what the requirements are, or how the tool works, but if it's a hard requirement that OpenSSL version so-and-so must used for everything (and this is properly checked), then passing it will be difficult.

Be aware there are *NO* known security problems in the version FreeBSD uses, and that newer is not always more secure.

 

[kpa]

Security patches are backported to the base SSL when necessary, if the auditers know what they are doing they should not reject your systems based on the version number.