From owner-freebsd-stable@freebsd.org Mon Jul 13 22:58:12 2015
Date: Mon, 13 Jul 2015 15:58:11 -0700
Subject: Re: WITHOUT_OPENSSL and make delete-old
From: Kevin Oberman
To: Brandon Allbery
Cc: Matt Smith, FreeBSD-STABLE Mailing List
List-Id: Production branch of FreeBSD source code

On Mon, Jul 13, 2015 at 12:18 PM, Brandon Allbery wrote:
> On Mon, Jul 13, 2015 at 3:14 PM, Matt Smith wrote:
>
>> See now I assumed that the only things in the base that used it were
>> Kerberos, GSSAPI, and OpenSSH. If you read the man page for src.conf it
>> says that setting WITHOUT_OPENSSL also sets WITHOUT_KERBEROS,
>> WITHOUT_GSSAPI, and WITHOUT_OPENSSH. This makes me think these are the only
>> things in the base that do actually use OpenSSL?
>
> OpenSSL has two components, one of which is a general crypto library. I'd
> imagine that a lot of stuff could make use of that part of OpenSSL.
>
> --
> brandon s allbery kf8nh
> sine nomine associates
> allbery.b@gmail.com
> ballbery@sinenomine.net
> unix, openafs, kerberos, infrastructure, xmonad
> http://sinenomine.net

Annoying! ssh has explicitly never used OpenSSL. I just confirmed that it
still does not. It does use gssapi and kerberos, so even though it makes no
use of OpenSSL, it does use those two things which are not actually part of
OpenSSL. If you check /usr/src/crypto/openssl, there is no gssapi or kerberos
there. Both of these are in the heimdal sources.

Looks to me like WITHOUT_OPENSSL is really without a few other things but NOT
OpenSSL. Very weird. Can anyone explain this? Or is it a bug (and a bad one,
as it misleads people about an important security issue)?

I am aware of at least one time when base ssh was newer and better than the
ports version, though that is not the norm. Now that the HPC patches are in
base and PKCS11 is supported, I can see little reason to use the ports
version.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
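The thread argues about whether base binaries such as ssh depend on OpenSSL's libcrypto or only on the Heimdal gssapi/kerberos libraries. The script below is an added example, not code from the thread or from FreeBSD: it classifies the shared objects reported by ldd(1) into OpenSSL, Heimdal/Kerberos and other, so the question can be settled by inspecting an installed binary instead of reading src.conf. The library-name patterns and the sample ldd output are assumptions (the sample is constructed, not captured from a real ssh).

```shell
#!/bin/sh
# Added example: classify a binary's dynamic dependencies from ldd(1) output.
# Not part of the original mail; library-name patterns are assumptions.

# classify_deps: read ldd(1)-style lines on stdin ("libfoo.so.N => /path (0x...)")
# and print "<library> <class>" per dependency, class being openssl, kerberos or other.
classify_deps() {
    awk '
        $2 == "=>" {
            cls = "other"
            if ($1 ~ /^lib(crypto|ssl)\.so/)
                cls = "openssl"
            else if ($1 ~ /^lib(gssapi|krb5|heim|hx509|asn1|roken|wind|com_err)/)
                cls = "kerberos"   # Heimdal libraries shipped in base
            print $1, cls
        }'
}

# count_class CLASS: read classify_deps output on stdin, print how many
# dependencies fall into CLASS (prints 0 when there are none).
count_class() {
    awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# uses_openssl BIN: succeed (exit 0) if the installed binary BIN links
# libcrypto or libssl, fail otherwise. Requires ldd(1) on the host.
uses_openssl() {
    n=$(ldd "$1" 2>/dev/null | classify_deps | count_class openssl)
    [ "$n" -gt 0 ]
}

# Constructed sample ldd output (assumption, not a real binary's dependencies):
SAMPLE_LDD='/usr/bin/somebinary:
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800e00000)
	libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801000000)
	libc.so.7 => /lib/libc.so.7 (0x801400000)'

# Stand-alone use: pass installed binaries as arguments, e.g. /usr/bin/ssh.
for bin in "$@"; do
    printf '%s:\n' "$bin"
    ldd "$bin" 2>/dev/null | classify_deps
    if uses_openssl "$bin"; then echo "  -> links OpenSSL"; else echo "  -> no OpenSSL"; fi
done
```

Run it as `sh deps.sh /usr/bin/ssh /usr/sbin/sshd` on the host in question; on a system built with WITHOUT_OPENSSL the openssl count should be zero for every base binary you pass.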