Updating OpenSSL

I just installed a fresh copy of FreeBSD 8.1 (amd64) onto a new server. I noticed that the OpenSSL version was 0.9.8n, and that the current version of OpenSSL is 1.0.0c.

What is the proper way to upgrade to 1.0.0c? I tried installing the security/openssl port, but that simply installed another version of OpenSSL under /usr/local/bin/openssl. Now I have two versions of OpenSSL:

/usr/bin/openssl
/usr/local/bin/openssl

Is there a way to update /usr/bin/openssl with the latest version? Or is there a way to only have one version installed?

After I installed the OpenSSL port and after I recompiled PHP and Apache, I noticed that it didn't look like it fully upgraded. This is from my phpinfo.php file:

OpenSSL Library Version OpenSSL 1.0.0c 2 Dec 2010
OpenSSL Header Version OpenSSL 0.9.8n 24 Mar 2010

I would like to have only 1 version of OpenSSL installed on my new system, preferably the most recent version.

Thanks!
 
The port is openssl-1.0.0_4. You can symlink /usr/bin/openssl to /usr/local/bin/openssl, though ports will use /usr/local/bin/openssl anyway if they have a dependency on it.
 
MissileSilo said:
I just installed a fresh copy of FreeBSD 8.1 (amd64) onto a new server. I noticed that the OpenSSL version was 0.9.8n, and that the current version of OpenSSL is 1.0.0c.

What is the proper way to upgrade to 1.0.0c? I tried installing the security/openssl port, but that simply installed another version of OpenSSL under /usr/local/bin/openssl.

When you installed 8.1-RELEASE, you got a copy of the ports as they existed at the date of release (July 23, 2010). To get newer ports, you'll have to update your ports tree and probably your already-installed software to get them. The Handbook describes this a bit, and my Upgrading FreeBSD Ports tries to be more concise.
 
warning! vorsicht! ハムのサンドイッチ!
Don't just blindly try to do this: test in a jail or chroot or something. Please! And if something breaks, be angry at yourself, not me.

There is a WITHOUT_OPENSSL= option for src.conf(5) which you may want to look into. You'll probably have to set something elsewhere to have SSL support in base programs (I can't see ssh(1) working very well without it, honestly, for starters) provided from security/openssl and you'll probably have to run a full makeworld/buildworld (& maybe -kernel) cycle to get the effect you're trying for.

I don't know what all openssl ties into, but keep in mind:
If you accidentally b0rk ssh(1), you won't be able to log in remotely (without enabling telnet).
If you accidentally b0rk pam(3) you might lock yourself out of the machine entirely (excepting single-user mode, hopefully).
 
Why worry so much about this issue? The 'base' OpenSSL works perfectly for what it is used for.

If a port needs a newer version for some exotic new and very likely experimental feature, it would require security/openssl to be installed anyway.
 
I really hope I don't have to update to an unstable release (8.2 RC1) just to get a non-vulnerable version of the base openssl. I also don't really want to install it from ports. The base openssl of the latest stable version of FreeBSD should be not vulnerable, cmon FreeBSD.
 
michael23 said:
I really hope I don't have to update to an unstable release (8.2 RC1) just to get a non-vulnerable version of the base openssl. I also don't really want to install it from ports. The base openssl of the latest stable version of FreeBSD should be not vulnerable, cmon FreeBSD.

http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc
If you're using 8.1-release, just perform an ordinary binary update. The base ssl was patched against this vulnerability on 29th November.
 
hedgehog said:
http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc
If you're using 8.1-release, just perform an ordinary binary update. The base ssl was patched against this vulnerability on 29th November.

yep, did that. didn't work.

Code:
[root@localhost ~]# freebsd-update fetch install
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 8.1-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 8.1-RELEASE-p2.
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
Code:
[root@localhost ~]# openssl version
OpenSSL 0.9.8n 24 Mar 2010
 
michael23 said:
yep, did that. didn't work.

Excuse me, my English is too bad. Or you just don't want to read the whole message, including the link. If you really think that base openssl contains a vulnerability, get one from ports and rebuild everything that depends on libssl.so with option:
Code:
WITH_OPENSSL_PORT=yes
But it's not the best idea, unless you're sure what you are doing.
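
Added example, not part of any post in this thread: a way to check which OpenSSL copy a binary is linked against after a rebuild, by classifying `ldd` output as base (/lib, /usr/lib), ports (/usr/local/lib) or mixed. The function name, the sample `ldd` lines and their sonames and addresses are constructed for illustration.

```shell
#!/bin/sh
# Classify ldd output read on stdin by where libssl/libcrypto resolve:
#   base  = /lib or /usr/lib (the copy shipped with the OS)
#   ports = /usr/local/lib   (the copy installed by security/openssl)
#   mixed = both copies appear in one dependency list
#   none  = no OpenSSL library in the list
classify_openssl() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)  ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Constructed ldd output: a binary built against the base system only.
sample_base() {
    printf '\tlibssl.so.6 => /usr/lib/libssl.so.6 (0x800c3b000)\n'
    printf '\tlibcrypto.so.6 => /lib/libcrypto.so.6 (0x800d8e000)\n'
    printf '\tlibc.so.7 => /lib/libc.so.7 (0x8010ff000)\n'
}

# Constructed ldd output: rebuilt against the port, but one dependency
# still pulls in the base libcrypto, so both copies get loaded.
sample_mixed() {
    printf '\tlibssl.so.7 => /usr/local/lib/libssl.so.7 (0x800c3b000)\n'
    printf '\tlibcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x800d8e000)\n'
    printf '\tlibcrypto.so.6 => /lib/libcrypto.so.6 (0x801200000)\n'
    printf '\tlibc.so.7 => /lib/libc.so.7 (0x8010ff000)\n'
}

# With arguments, report on real binaries, e.g.:
#   sh check_openssl.sh /usr/local/sbin/httpd /usr/bin/ssh
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_openssl)"
done
```

A "mixed" result after rebuilding points at a dependency that was not rebuilt against the port and still needs its own rebuild.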
 