Discussion about keeping OpenSSL up to date

I read in many places that it is a good idea to keep openSSL up to date to the latest version. I can easily find the latest version on the openssl.org website with the notes about features and fixes. But, nowhere do I find any advice about how to do it.

I am running my brand new FreeBSD 9.0 webserver, and I have everything working perfectly with no errors anywhere. However, I see that the base installation of openSSL is at 0.9.8q 2 Dec 2010. That's several updates behind already, and I see that 1.0.1 has now been released just a few days ago.

Of course, I would like to take all the advice and keep my openSSL up to date, but as I search the web for info about doing that, even on the openSSL website itself, I find almost nothing! The most recent post about it on this forum that I can find is dated three years ago! What I DO find are some "horror stories" about users having tried it with terrible results, breaking what already works resulting in the usual week-long struggle to get everything working correctly again.

So, I am terrified to even give it a go. I do not want to spend the next several days fighting if things go wrong.

What do you think about this? Does anyone here on the forum have any comments about upgrading openSSL and keeping it up to date? Have any of you tried it? Did it work? Does it work?

Does anyone have some good instructions or advice about how to do it without grief? I would like very much to hear your comments before I try it.

Thank you.
 
The version that's part of the base OS may lag a little behind but is not vulnerable. Security patches are made against it. If you want the latest OpenSSL just install security/openssl. Do make sure your ports tree is up to date.
 
Hello, SirDice.
Thank you for your response.

Would you be so kind to clarify a point?
You said above:
...just install security/openssl

I now have the question about just that. In one of your earlier posts when asked if one should use 'make install clean' you recommend using 'portsupgrade' instead. I just used 'portsupgrade' now after being sure my ports tree is up to date with portsnap. The only thing that was updated was my "webmin" installation, then back to my prompt.

Now, 'openssl version' shows no change. I still have the old version. So now, I 'assume' to use 'make install clean'.
'Assuming' has ALWAYS been wrong before.

Am I understanding this correctly?
 
indyJones said:
I am running my brand new FreeBSD 9.0 webserver, and I have everything working perfectly with no errors anywhere. However, I see that the base installation of openSSL is at 0.9.8q 2 Dec 2010. That's several updates behind already, and I see that 1.0.1 has now been released just a few days ago.

Just to clarify, OpenSSL 0.9.8 is not the same as 1.0.1. As long as you upgrade OpenSSL from version 0.9.8x where x is any letter in the alphabet, current version is 0.9.8u, you should be fine and not break things. If you install 1.0.1, then you will most likely need to recompile software that uses those libraries.

Also, like SirDice said, even though FreeBSD 9.0 is using version 0.9.8q, it does have the latest patches to fix any security vulnerabilities, just not new features that might have been added between version r - u.
 
Aha. Thanks, again. I'm understanding better now. It is the security vulnerabilities that I am concerned with. Reading some of the posts that I see online, I get the impression that my server is seriously "vulnerable to attack" if I don't get the latest version. That kind of language is very disconcerting for a newcomer.
 
You can force ports to use the OpenSSL port.

Code:
/usr/ports/Mk/bsd.openssl.mk :

# makefile for use of:  OpenSSH
# Date created:         31 May 2002
# Whom:                 dinoex
#
# $FreeBSD: ports/Mk/bsd.openssl.mk,v 1.46 2011/09/23 22:20:46 amdmi3 Exp $
#
# Use of 'USE_OPENSSL=yes' includes this Makefile after bsd.ports.pre.mk
#
# the user/port can now set this options in the makefiles.
#
# WITH_OPENSSL_BASE=yes - Use the version in the base system.
# WITH_OPENSSL_PORT=yes - Use the port, even if base is up to date

You can define these in /etc/make.conf for global use on all port builds.
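A check worth running before switching ports to WITH_OPENSSL_PORT, added here as an example that is not part of the thread or of FreeBSD: it reads ldd output and reports whether each binary links the base OpenSSL (/usr/lib or /lib) or the port's (/usr/local/lib), which is exactly the set of software that would need rebuilding after moving to a newer OpenSSL. The httpd path and the ldd lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: classify which OpenSSL each binary links against.
# Assumes FreeBSD-style paths: base libraries under /usr/lib or /lib, port libraries under /usr/local/lib.

# Read `ldd` output on stdin and print the resolved path of every libssl/libcrypto line.
ssl_libs_from_ldd() {
    awk '/lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Classify a library path as coming from "base", "port" or "other".
classify_ssl_lib() {
    case "$1" in
        /usr/local/lib/*) echo port ;;
        /usr/lib/*|/lib/*) echo base ;;
        *) echo other ;;
    esac
}

# Report "<binary> <library> <origin>" for each SSL library a real binary links.
report_binary() {
    bin="$1"
    ldd "$bin" 2>/dev/null | ssl_libs_from_ldd | while read -r lib; do
        echo "$bin $lib $(classify_ssl_lib "$lib")"
    done
}

# Count how many SSL libraries in a piece of ldd output come from the base system.
count_base_ssl_libs() {
    n=0
    for lib in $(printf '%s\n' "$1" | ssl_libs_from_ldd); do
        [ "$(classify_ssl_lib "$lib")" = base ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed ldd output for a hypothetical httpd built against the base OpenSSL.
SAMPLE_LDD='/usr/local/sbin/httpd:
        libssl.so.6 => /usr/lib/libssl.so.6 (0x800a00000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

if [ -n "$1" ]; then
    for b in "$@"; do report_binary "$b"; done   # real binaries given on the command line
else
    echo "sample: $(count_base_ssl_libs "$SAMPLE_LDD") SSL libraries from the base system"
fi
```

Run it with the paths of your network daemons (e.g. the httpd, imapd and sshd binaries) to list what links the base libssl; anything reported as "base" would need a port rebuild once make.conf points ports at the OpenSSL port.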
 
indyJones said:
Reading some of the posts that I see online, I get the impression that my server is seriously "vulnerable to attack" if I don't get the latest version. That kind of language is very disconcerting for a newcomer.

To some extent, this is not 100% accurate. You are vulnerable, if you have a service that is exposed to the internet, and uses the OpenSSL library. For example, some of the most exposed services using libssl are HTTP(S), IMAP(S), POP(S), and SSH to name a few. However, at that point, you should also be concerned with the version and vulnerability of those applications too.
 
redw0lfx said:
To some extent, this is not 100% accurate. You are vulnerable, if you have a service that is exposed to the internet, and uses the OpenSSL library.
More specifically, if it uses a vulnerable OpenSSL library. Since the version that comes with FreeBSD isn't vulnerable it's safe to use.

You don't really need to run the latest and greatest versions of anything. As long as the version you are using is still supported, i.e. receives regular security updates. Things will start to get messy when you use unsupported versions or don't apply security updates.
 
OK. I am leaving my current openssl alone. No "forcing", no make installs. But openssl gets more confusing to me by the minute. Here's the latest: I want to create a Certificate Authority on my server. I will sign my own certificates for my virtual host websites. (I have 7 of them.)

So, I enter this to create my CA:
openssl req -nodes -new -days 3650 -x509 -keyout private/cakey.pem -out cacert.pem

I get this error:
Code:
Unable to load config info from /etc/ssl/openssl.cnf

I see from other posts on this forum, the error shows me that the command cannot find the openssl.cnf file. But, it IS exactly where it says it cannot find it; that is, in /etc/ssl, right where it's "supposed" to be. The other posts point out that the file cannot be found, but they offer no solution as to where it should be put so that it can be found.

So, I do a little thinking. Maybe it will be found if I put it in /usr/local/sbin. Nope! Doesn't work. Same error. I try putting it all over the place. I try using soft links to it from other directories. Nope! I even put it into the exact same directory where I will keep my certs. The same directory where I issue the command. Nope! Nope! That does not work either. The file is never found, no matter where I put it.

Did I write the command wrong? If I try it in the style of other 'nixes, it does not work either. So far, no matter what, it never works. Any ideas? What do you think is the solution? All I want to do, remember, is make the CA.

Thanks...
 
A new thread might be a good idea... but for now, did you check that the file is not empty or that your user can read it? You can try copying in the original file from /usr/src/crypto/openssl/apps/openssl.cnf to /etc/ssl/.
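For the CA creation attempted above and the file checks suggested in this reply, an added example that is not from the thread or from FreeBSD: it tests the config the way the reply describes (present, readable, non-empty, has a [ req ] section) and then creates the CA with the same openssl req flags as the original command, but with a minimal openssl.cnf passed via -config so the tool never has to locate /etc/ssl/openssl.cnf on its own. The CA name, key size and directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: private CA built with an explicit -config file.
# The CA name, 2048-bit key and directory layout are assumptions for illustration.

# Checks a reply in the thread asks for: does the config exist, is it readable by this
# user, is it non-empty, and does it contain the [ req ] section `openssl req` needs?
check_openssl_cnf() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -r "$f" ] || { echo "not readable: $f"; return 2; }
    [ -s "$f" ] || { echo "empty: $f"; return 3; }
    grep -Eq '^[[:space:]]*\[[[:space:]]*req[[:space:]]*\]' "$f" \
        || { echo "no [ req ] section: $f"; return 4; }
    return 0
}

# Write a minimal config that is sufficient for a self-signed CA certificate.
write_min_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = Example Private CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA key and a 10-year self-signed certificate under "$1" using that config.
make_ca() {
    dir="$1"
    mkdir -p "$dir/private" && chmod 700 "$dir/private"
    write_min_cnf "$dir/openssl.cnf"
    check_openssl_cnf "$dir/openssl.cnf" || return 1
    openssl req -config "$dir/openssl.cnf" -nodes -new -days 3650 -x509 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" || return 1
    chmod 600 "$dir/private/cakey.pem"
    # Confirm the result really carries the CA basic constraint.
    openssl x509 -in "$dir/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}
```

Running check_openssl_cnf against /etc/ssl/openssl.cnf first tells you which of the reply's conditions is failing; make_ca then works regardless, because every openssl req call names its config explicitly.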
 
redw0lfx said:
A new thread might be a good idea... but for now, did you check that the file is not empty or that your user can read it? You can try copying in the original file from /usr/src/crypto/openssl/apps/openssl.cnf to /etc/ssl/.

The file is there. I have looked at it many times, ee'd into it to be sure everything is correct. It is readable by everyone. That's the first thing I made sure of.

I have seen this advice to copy it from the other directory before.

I have no /usr/src/crypto directory at all! Is that a clue about my system not being quite right?

Is there something I must do to create this other directory?
 
As many of you probably can see, I did not have the source for my FreeBSD installation on my box. "kpa" replied to my new thread showing me what to do.

I used the subversion method to get the stable source.
Holy Mackerel!!! No wonder it was not included with my new vps.
It's HUGE!!! ...and mostly stuff that everybody will never use.

While I can understand why the source was not on my system, I am surprised that the files are not just available online somewhere for individual download as they may be needed for fixes like this one. It would be nice, I think, if users did not have to clone the entire source tree just to get one file. Am I off-base on this somehow?

I think I'm now going to spend a whole day removing all of the directories that I definitely do not need. A lot of work ahead of me, but a real learning experience.

However, now that I have the entire source on my server anyway, I am considering doing what I just said, and make it available for download to all from one of my websites. Is that "in the proper spirit" of our Open Source FreeBSD community, or is it perhaps 'not allowed' for some reason? Am I opening myself up for trouble, or is it a good idea?

I would like to hear your feedback about it.
 