Date: Tue, 22 Dec 2015 13:47:08 -0600
From: Mark Felder <feld@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>, freebsd-security@freebsd.org
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Message-ID: <1450813628.928199.474310569.10D06284@webmail.messagingengine.com>
In-Reply-To: <cmu-lmtpd-36306-1450477592-1@sloti37d1t13>
References: <loom.20151218T123930-865@post.gmane.org> <5673FB3B.2010201@freebsd.org> <loom.20151218T164148-505@post.gmane.org> <5674364A.7090600@infracaninophile.co.uk> <cmu-lmtpd-36306-1450477592-1@sloti37d1t13>
On Fri, Dec 18, 2015, at 16:21, Roger Marquis wrote:
> rhi wrote:
>
>> Until now, I have avoided installing the OpenSSL port because the base
>> OpenSSL gets security updates via freebsd-update and so it's one thing less
>> to care about... also, I don't like the idea of having two different
>> versions of the same thing on the system
>
> A fair number of sites have this issue, particularly with ssl and ssh
> binaries. IME this is one of FreeBSD's more longstanding administrative and
> security weaknesses. It is particularly painful for those of us who have
> to support a release for several years (after the last base update).
>
>> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
>> is only used for the system itself?
>
> If you need the most recent ciphers and protocols you'll normally need to
> use the port. Features are backported from the (higher) port version to
> the base version, i.e., without bumping the version string; however, it's
> not clear whether all applications can take advantage of them.
>
> Matthew Seaman wrote:
> > There are plans to make many of the base system shlibs private and that
> > includes switching the ports to use openssl from ports, but I don't think
> > any changes along those lines are really imminent.
>
> Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
> However I don't see a projects/release-pkg dir in -CURRENT.
>
> Any recommendations as to how we might help this particular effort?

What do you mean? It has been there for a while:

https://svnweb.freebsd.org/base/projects/release-pkg/

--
Mark Felder
ports-secteam member
feld@FreeBSD.org