OpenSSL upgrade breaks OpenSSH

I have updated OpenSSL from ports and it appears to have worked successfully.

Code:
$ openssl version
OpenSSL 0.9.8q 2 Dec 2010
$ /usr/local/bin/openssl version
OpenSSL 1.0.1c 10 May 2012

Reading these forums, I was aware that a rebuild of world was required to ensure the newer libraries were used. I added
Code:
WITH_OPENSSL_PORT=YES
to /etc/make.conf and did a full world rebuild.

On reboot, I am greeted with OpenSSH errors on startup and no sshd running. When I attempt to start it manually, I get the same error (with new PIDs):
Code:
$ sudo service sshd start
Starting sshd.
Auto configuration failed
1706: error:0608A093:digital envelope routines:ALG_MODULE_INIT:fips mode not supported:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp_cnf.c:106:
1706: error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_mod.c:235:module=alg_section, value=algs, retcode=-1
/etc/rc.d/sshd: WARNING: failed to start sshd

Likely related, and equally annoying... world's OpenSSL is still the old version:
Code:
$ openssl version
OpenSSL 0.9.8q 2 Dec 2010
$ /usr/local/bin/openssl version
OpenSSL 1.0.1c 10 May 2012

I then attempted to replace old OpenSSL with new OpenSSL
Code:
$ mv /usr/bin/openssl /usr/bin/openssl.098q
$ ln -s /usr/local/bin/openssl /usr/bin/openssl

Still no joy. So I tried it with libcrypto.so.

Code:
$ mv /usr/lib/libcrypto.so /usr/libcrypto.so.back
$ ln -s /usr/local/lib/libcrypto.so.8 /usr/lib/libcrypto.so

Again, no joy. So I rebuilt world again with this hybrid OpenSSL solution. Still no joy.

Am I missing something here?
 
Where should I be updating it from and if it shouldn't be updated from ports, why is it there?
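As an added example (not code from the thread or from FreeBSD), here is a small POSIX sh diagnostic for the two things the error output above points at. "Auto configuration failed" is what OpenSSL's OPENSSL_config() prints when it cannot apply the openssl.cnf it auto-loads, and the source paths in the error (/usr/src/secure/lib/libcrypto/...) are the base library's, so the checks are: which libcrypto a binary actually resolves (base under /lib or /usr/lib, ports under /usr/local/lib), and whether the openssl.cnf in use asks for fips_mode in the section the error names (module=alg_section, value=algs), which a libcrypto built without FIPS support rejects with "fips mode not supported". The ldd listing and the two openssl.cnf files are constructed for the example, and the assumption that some openssl.cnf on the poster's system sets fips_mode is exactly that, an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the failure described above:
#  1) which libcrypto a binary resolves, parsed from ldd(1)-style output
#     (base: /lib or /usr/lib; ports: /usr/local/lib);
#  2) whether an openssl.cnf asks for fips_mode in the alg_section, which a
#     libcrypto built without FIPS support rejects ("fips mode not supported").
# All sample inputs below are constructed for the example, not captured from a host.

# Print the path ldd resolved for libcrypto, or "none". Reads ldd output on stdin.
libcrypto_from_ldd() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# Classify a resolved library path as base, ports or unknown.
openssl_origin() {
    case "$1" in
        /usr/local/lib/*) echo ports ;;
        /lib/*|/usr/lib/*) echo base ;;
        *) echo unknown ;;
    esac
}

# Follow openssl_conf -> <init section>.alg_section -> <alg section>.fips_mode
# in an openssl.cnf and print yes, no or unset. Keys before the first [section]
# belong to OpenSSL's "default" section; '#' starts a comment.
fips_mode_in_cnf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        BEGIN { sect = "default" }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
                      sect = trim(sect); next }
        index($0, "=") {
            i = index($0, "=")
            key = trim(substr($0, 1, i - 1))
            val = substr($0, i + 1); sub(/[ \t]*#.*$/, "", val); val = trim(val)
            kv[sect "." key] = val
        }
        END {
            init = kv["default.openssl_conf"]
            alg  = (init == "") ? "" : kv[init ".alg_section"]
            fm   = (alg == "")  ? "" : kv[alg ".fips_mode"]
            if (fm == "") print "unset"
            else if (tolower(fm) ~ /^(yes|y|true|on|1)$/) print "yes"
            else print "no"
        }
    ' "$1"
}

# One verdict line combining both checks: base libcrypto + fips_mode=yes is the
# combination that produces the "fips mode not supported" error.
diagnose() {  # usage: diagnose <file with ldd output> <openssl.cnf>
    lib=$(libcrypto_from_ldd < "$1")
    origin=$(openssl_origin "$lib")
    fm=$(fips_mode_in_cnf "$2")
    if [ "$origin" = base ] && [ "$fm" = yes ]; then
        echo "MISMATCH: $lib is the base libcrypto but $2 sets fips_mode=yes"
    else
        echo "OK: libcrypto=$lib ($origin), fips_mode=$fm"
    fi
}

# Constructed samples: an ldd listing that resolves the base library, plus one
# openssl.cnf that turns fips_mode on and one that does not.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd.ldd" <<'EOF'
/usr/sbin/sshd:
	libssh.so.5 => /usr/lib/libssh.so.5 (0x800647000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x800800000)
	libc.so.7 => /lib/libc.so.7 (0x800b00000)
EOF
cat > "$WORK/fips.cnf" <<'EOF'
# constructed openssl.cnf that asks for FIPS mode
openssl_conf = openssl_init

[ openssl_init ]
alg_section = algs

[ algs ]
fips_mode = yes
EOF
cat > "$WORK/plain.cnf" <<'EOF'
openssl_conf = openssl_init
[ openssl_init ]
alg_section = algs
[ algs ]
fips_mode = no
EOF

diagnose "$WORK/sshd.ldd" "$WORK/fips.cnf"
diagnose "$WORK/sshd.ldd" "$WORK/plain.cnf"
```

On a real host the inputs come from `ldd /usr/sbin/sshd` and from the config directory each openssl binary reports with `openssl version -d`, run once for /usr/bin/openssl and once for /usr/local/bin/openssl, since the base and ports builds read different OPENSSLDIRs.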
 
Hello, OpenSSL comes with the FreeBSD base install. When you install it from ports there is an option, OVERWRITE BASE, which installs the new version to the path of the old one.

Hope it helps you.
 
It's part of the base OS. Keep that updated and OpenSSL will be too.

You really only should install the OpenSSL port when you have specific requirements that aren't in the version from the base.
 
inky said:
Hello, OpenSSL comes with the FreeBSD main install. When you install it from ports there is an option, OVERWRITE BASE, which installs the new version to the path of the old one.

Hope it helps you.

Hi inky, the OVERWRITE BASE option has been deprecated for years (apparently)... Although this gets me thinking... What is the effect if I just change the install dir? Can this be done?

SirDice said:
It's part of the base OS. Keep that updated and OpenSSL will be too.

You really only should install the OpenSSL port when you have specific requirements that aren't in the version from the base.

The version installed by base is two years old, is missing significant functions, and has a number of security vulnerabilities... Anyone running anything reliant on TLS should be looking to update! See: http://www.openssl.org/news/
 
OpenSSL in base has been patched for all vulnerabilities, even though it is an older version.
 
DutchDaemon said:
OpenSSL in base has been patched for all vulnerabilities, even though it is an older version.

Thanks DD. It still seems weird that there is a port available, yet it is impossible to install. Also, it may not be possible for all users to rebuild world, nor should it be made that hard for people to keep one of the core packages up to date. Also, shouldn't the version number increase to reflect the update?

Is it possible to install the ports OpenSSL in anyway on a FreeBSD system?

SirDice said:

... And the ports openssl has been patched to include the latest security vulnerability (which the base version doesn't yet cover). http://www.openssl.org/news/secadv_20120510.txt

I don't mean to sound rude to either of you, you both do a great job on here... I am just trying to discover why there is such a push to block OpenSSL upgrades from ports. In its current state, I could not push this system out to production while it is reporting outdated and flawed software. I understand that there have been _some_ patches applied, but based on the version number being reported, this box could not be let live on our production network.
 
DutchDaemon said:
OpenSSL in base has been patched for all vulnerabilities, even though it is an older version.
I don't see a fix for CVE-2012-2333. It came out a week after FreeBSD-SA-12:01.openssl.

I believe the OpenSSL in base is still vulnerable. I wonder how many weeks we'll have to wait for it to be updated this time.
 