update openssl?

Hello,

Hope I'm posting this in the right section.

The current version of OpenSSL 0.9.8n I have installed on my system has a few security issues so I'm wondering what the best solution is to fix it.

From what I've been reading, all base systems come installed with OpenSSL, and updating the port and adding WITH_OPENSSL_PORT=yes to make.conf will probably break a lot of stuff.

So what's the best way to fix OpenSSL, patch it?

I'm using FreeBSD 8.0.

Thanks.
 
The first one affects OpenSSL 0.9.8f through 0.9.8m; 0.9.8n is unaffected.
The second one doesn't look like a security issue to me, but I'm no expert.
 
stevejones said:
Hello,
The current version of OpenSSL 0.9.8n I have installed on my system has a few security issues so I'm wondering what the best solution is to fix it.

I'm using FreeBSD 8.0.
How did you end up with 0.9.8n in base FreeBSD 8? The version in base seems to be 0.9.8k for both 8-STABLE and HEAD.

Code:
(0:27) host:/tmp# which openssl
/usr/bin/openssl
(0:28) host:/tmp# openssl version
OpenSSL 0.9.8k 25 Mar 2009

From what I've been reading, all base systems come installed with OpenSSL, and updating the port and adding WITH_OPENSSL_PORT=yes to make.conf will probably break a lot of stuff.
I've not encountered that problem. Unlike (for example) the BIND ports which have a REPLACE_BASE config option, it seems that the OPENSSL port installs a completely independent copy in /usr/local/... This means that the base system isn't using the port, but that other ports that use OpenSSL will pick up the version in ports. If you update the version in ports, you'll probably need to rebuild the dependent ports to have them pick up the new version.

Code:
(0:29) host:/tmp# /usr/local/bin/openssl version
OpenSSL 1.0.0 29 Mar 2010
 
I've had OpenSSL from ports (1.0) as a replacement for the base version (symlinked /usr/bin/openssl -> /usr/local/bin/openssl) for quite a while now, and I haven't seen any breakage associated with it.
 
DutchDaemon said:
I've had OpenSSL from ports (1.0) as a replacement for the base version (symlinked /usr/bin/openssl -> /usr/local/bin/openssl) for quite a while now, and I haven't seen any breakage associated with it.

Hi DD,

Can I confirm that you have simply installed OpenSSL 1.0 from ports and symlinked the binary file as above without modifying make.conf and rebuilding the dependents?

Also, after doing this will OpenSSL 1.0 pick up on the ssl configs in httpd-ssl.conf or will I need to create an openssl.conf?



[Edit] I have successfully moved to OpenSSL 1.0 as described above. I have included the steps I performed for anyone else who needs it.

1. Insert this into /etc/make.conf
Code:
WITH_OPENSSL_PORT=yes

2. Ensure your ports are current and update/install OpenSSL, however you prefer.
Code:
# portsnap fetch extract
# portmaster security/openssl

3. Back up the native binary & link the OpenSSL binary from the port into /usr/bin
Code:
# mv /usr/bin/openssl /usr/bin/openssl.0.9.8q
# ln -s /usr/local/bin/openssl /usr/bin/

4. Uninstall, configure & re-install apache22
Code:
# cd /usr/ports/www/apache22
# make deinstall clean
# make config
# portmaster www/apache22
NB: in make config, make sure mod_ssl is ticked; it should be already.

You can test this with an info.php page and confirm Apache is using the correct OpenSSL version.
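Besides an info.php page, you can check the linker directly. The script below is an added example, not code from this thread: it reads ldd output for a module such as Apache's mod_ssl.so (the path is assumed) and reports whether it links the base OpenSSL in /usr/lib or the ports copy in /usr/local/lib, and it checks an `openssl version` banner against the 0.9.8f to 0.9.8m range quoted earlier. The ldd output and banner are constructed samples so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). On a real FreeBSD box feed it:
#   ldd /usr/local/libexec/apache22/mod_ssl.so   (path assumed)
# and the output of `openssl version`.

# Print "ports", "base", "mixed" or "none" from the libssl/libcrypto lines of ldd output.
openssl_origin() {
    printf '%s\n' "$1" | awk '
        /lib(ssl|crypto)\.so/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\/usr\/local\/lib\//) { ports = 1 }
                else if ($i ~ /^\/usr\/lib\//) { base = 1 }
            }
        }
        END {
            if (ports && base) { print "mixed" }
            else if (ports) { print "ports" }
            else if (base) { print "base" }
            else { print "none" }
        }'
}

# Given "OpenSSL 0.9.8k 25 Mar 2009", print just the version (0.9.8k).
openssl_version_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Exit 0 if the version is one of 0.9.8f ... 0.9.8m (the affected range
# quoted in the thread), 1 otherwise.
in_affected_098_range() {
    case "$1" in
        0.9.8[f-m]) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: ldd output of a mod_ssl rebuilt against the port.
SAMPLE_LDD='/usr/local/libexec/apache22/mod_ssl.so:
        libssl.so.7 => /usr/local/lib/libssl.so.7 (0x800c00000)
        libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x800e00000)
        libc.so.7 => /lib/libc.so.7 (0x800647000)'

main() {
    echo "mod_ssl links OpenSSL from: $(openssl_origin "$SAMPLE_LDD")"
    v=$(openssl_version_of "OpenSSL 0.9.8k 25 Mar 2009")
    if in_affected_098_range "$v"; then echo "$v: in affected range"
    else echo "$v: not in 0.9.8f-0.9.8m"; fi
}
main
```

A result of "mixed" means the module pulls in one library from each location, which is exactly the situation a rebuild of the dependent ports is meant to clear up.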
 
Best to ask my question here I suppose. I was just trying to update OpenSSL from ports in the way DutchDaemon suggested. But I notice that the ports version requires devel/makedepend, which requires xproto, which requires ports/x11. But this is a server and I don't really want to have X11 related stuff on there.

Am I misunderstanding anything? How can I install OpenSSL 1.0 on this box without having to download and compile xproto and various x11 ports?

I suppose if all else fails I could add the xproto package (pkg_add -r xproto) but I have often read the suggestion that one should not mix packages and ports.
 
@donduq
Do you have:
Code:
WITHOUT_X11=yes
in /etc/make.conf?

On a headless server this is really important, it will tell many ports to build with no core X dependencies. I use this, have OpenSSL installed from ports, and it does not cause X to get pulled in as a dependency.

[I was suffering from the same sort of 'WTF??' moments when simple, apparently unrelated ports installs were trying to pull in X11. Setting this, then rebuilding my ports tree :(, stopped all that nonsense.]
 
Yes, I have
Code:
WITHOUT_X11=yes
in /etc/make.conf. Just now I was trying to upgrade openssl with the command
Code:
# portmaster -wr openssl
This seems to want xproto.

I can't explain the behaviour, though maybe something else has already been installed which relies on X and openssl. But really, xproto is not required, and I don't pull the x11 related ports when I cvsup the ports tree.

So I'll try to rebuild the installed ports again after updating openssl. Gee. I should have been a bit more careful before updating the ports tree.
 