Upgrade OpenSSL Library Version (BASE)

[niktaal]

Hi

I update my freebsdFreeBSD by this command:

# freebsd-update fetch
# freebsd-update install

OpenSSL Library Version (BASE) updated from older version 2014 to Jan 2015
Now this is status:

OS: FreeBSD 9.3-RELEASE-p20
OpenSSL Library Version  OpenSSL 0.9.8zd-freebsd 8 Jan 2015
OpenSSL Header Version  OpenSSL 1.0.2d 9 Jul 2015
cURL Information  7.38.0
cURL SSL Version  OpenSSL/0.9.8zd

# /usr/bin/openssl version
OpenSSL 0.9.8zd-freebsd 8 Jan 2015

# /usr/local/bin/openssl version
OpenSSL 1.0.2d 9 Jul 2015

Now how can I upgrade OpenSSL Library Version (BASE) to newer version?

 

[pkubaj]

You can only do it by upgrading to a newer FreeBSD branch. 10-STABLE and newer have OpenSSL 1.0.1. 1.0.2 is still only in ports.

 

[kpa]

On FreeBSD 9.3 the base system OpenSSL will never be updated from 0.9.8* to anything newer because that would severely break the ABI compatibility on FreeBSD 9.

The other thing to note is that for many mundane technical reasons the version reported by openssl version is not updated when the base system OpenSSL is patched (the fixes are backported manually) with the latest security fixes. This means that the command will report an out of date and vulnerable version numbers but in fact the security fixes are in place. The situation is not ideal because there's no way to verify if the base system OpenSSL is vulnerable or not to a particular attack.

 

[pkubaj]

On FreeBSD 9.3 the base system OpenSSL will never be updated from 0.9.8* to anything newer because that would severely break the ABI compatibility on FreeBSD 9.

The other thing to note is that for many mundane technical reasons the version reported by openssl version is not updated when the base system OpenSSL is patched (the fixes are backported manually) with the latest security fixes. This means that the command will report an out of date and vulnerable version numbers but in fact the security fixes are in place. The situation is not ideal because there's no way to verify if the base system OpenSSL is vulnerable or not to a particular attack.

One can use freebsd-version(1) and compare with recent SA's.

 

[niktaal]

Is there any way I download latest version OpenSSL from here:

https://www.openssl.org/source/

and install in my FreeBSD 9.3-RELEASE-p20 ?

I have many data in my server and I can't save backup, for this reason, this is great risk for me to upgrade FreeBSD 9.3 to 10-STABLE.

 

[kpa]

You will break your system badly if you install it over the base system, there are numerous system binaries and libraries that depend on the particular version OpenSSL and that can't be changed.

 

[junovitch@]

Is there any way I download latest version OpenSSL from here:

https://www.openssl.org/source/

and install in my FreeBSD 9.3-RELEASE-p20 ?

I have many data in my server and I can't save backup, for this reason, this is great risk for me to upgrade FreeBSD 9.3 to 10-STABLE.

Why? If you install any ports that need the newest OpenSSL they will automatically install security/openssl by default. If you are doing something outside of ports and need the newest you can use the same security/openssl port. However, it would be easier to help knowing what you are trying to accomplish that needs the latest version.

 

[SirDice]

Although the version of OpenSSL in the base doesn't show any "new" version, you can be sure the security issues have been fixed. If you keep your base OS up to date the base OpenSSL will always be up to date too.

 

[niktaal]

Why? If you install any ports that need the newest OpenSSL they will automatically install security/openssl by default. If you are doing something outside of ports and need the newest you can use the same security/openssl port. However, it would be easier to help knowing what you are trying to accomplish that needs the latest version.

I wanted upgrade my ftp/php5-curl & OpenSSL.

I upgrade security/openssl port with no problem but for upgrading ftp/curl port, I get an error that Curl with GSSAPI support cannot upgrade with:

WITH_OPENSSL_PORT=yes

Then I change this to:

WITH_OPENSSL_BASE=yes

Then I get an error that my server OPENSSL BASE version is less than OPENSSL PORT version that previous curl is build by OPENSSL PORT.

At the end I turn off GSSAPI support in Curl config, and then upgraded Curl port by:

WITH_OPENSSL_PORT=yes

And followed with rebuilding PHP and my problem solved without OpenSSL base upgrade.

Thank You.

 

[TheDreamer]

Which GSSAPI option are you using for ftp/curl ? I would suspect one of the versions from ports would be needed, and that version would need to have been built using openssl from ports.

It's on my todo list to go through all the options for my installed ports to straighten out some of the inconsistent choices I've made over the years, and to see about finally getting ports to work (and not break others) by using openssl from ports.

The Dreamer.

 

[kpa]

I have these in my /usr/local/etc/poudriere.d/make.conf for ports-mgmt/poudriere to avoid linking to base system OpenSSL. I'm using WITH_OPENSSL_PORT=yes. No saved options for ftp/curl:

# ftp/curl
curl_SET= GSSAPI_NONE
curl_UNSET= GSSAPI_BASE

You have to do the options that way because setting GSSAPI_NONE does not turn off the other GSSAPI_* options. They don't act like radio button as you would expect.

 

[TheDreamer]

With my ports-mgmt/poudriere, I currently have WITH_OPENSSL_BASE=YES in all my make.conf's. I made a hack so that it will abort if any port tries to depend on security/openssl.

Just as I used to block if any port tried to depend on security/gnutls3, because it had a dependency for security/openssl....while the older 2.x didn't. But, when I heard that they planned to make 3.x the default soon, I had dig in and figure out why it was depending on port OpenSSL and submit a patch to make it stop.... so now that's good.

OTOH, haven't been successful on why dns/bind99 needs OpenSSL from ports even if GOST is not selected. It builds fine for me use base OpenSSL, and I when I update our Solaris based DNS servers, I build the latest openssl-0.9.8z? with the latest bind '-p' release.

Though it probably explains why the GOST (optional) or ECDSA (recommend) ciphers aren't that widely usable in DNSSEC...suspect it will continue for a long after it EOLs on December 31st. Though I really hope that I get the two production servers still running FreeBSD 9.1 upgraded by then Though the push has halted as the Poudriere server that fed them has died (it was doing daily bulk runs for both 9.1 and 9.3, plus a bigger one that feeds its host )....its been two weeks, maybe I'll be able to finally get a new power supply this week....

I'm sure it's not Poudriere, but a just one of the many things in common (though it does push my machine harder than I want it too -- have put in a PR or two about tools that don't honor make jobs being disabled. IIRC, with mozilla ports if no limit was set, the default is #cpus+2, while chromium's default is #cpus. This would get a little weird when there's 6 parallel builds running and the build of mail/thunderbird comes along...now there's 16?, And, there's nothing to stop www/firefox start building too....other than the system rebooting.

I guess I wouldn't have know about the way the GSSAPI options work, because I nullfs mount my /var/db/ports as /usr/local/etc/poudriere.d/fbsd9-options. For some reason I named my current jail at home as fbsd9, and have fbsd91 and fbsd92, along with fbsd9i, jails. While at work the current is named fbsd9X.... it has/had 91 and 92 jails as well, not sure why it doesn't have an fbsd9i? (the i is for i386 -- the only thing its used for now is the hack to make NetBackup with ZFS, though I used to build emulators/wine and nx ports with...)

Which reminds me, finding an alternative to nx is still on my to do list. (as is find out what extra ports I have in my repository of things I forgot that I wanted to try. Otherwise my pkglist could probably benefit from a clean up....

The Dreamer.