From: Mark Felder <feld@FreeBSD.org>
To: Roger Marquis, freebsd-security@freebsd.org
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Date: Tue, 22 Dec 2015 13:47:08 -0600
Message-Id: <1450813628.928199.474310569.10D06284@webmail.messagingengine.com>
References: <5673FB3B.2010201@freebsd.org> <5674364A.7090600@infracaninophile.co.uk>
List-Id: "Security issues [members-only posting]"

On Fri, Dec 18, 2015, at 16:21, Roger Marquis wrote:
> rhi wrote:
> >> Until now, I have avoided installing the OpenSSL port because the base
> >> OpenSSL gets security updates via freebsd-update and so it's one thing less
> >> to care about... also, I don't like the idea of having two different
> >> versions of the same thing on the system
>
> A fair number of sites have this issue, particularly with ssl and ssh
> binaries. IME this is one of FreeBSD's more longstanding administrative and
> security weaknesses. It is particularly painful for those of us who have
> to support a release for several years (after the last base update).
>
> >> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> >> is only used for the system itself?
>
> If you need the most recent ciphers and protocols you'll normally need to
> use the port. Features are backported from the (higher) port version to
> the base version, i.e., without bumping the version string; however, it's
> not clear whether all applications can take advantage of them.
>
> Matthew Seaman wrote:
> > There are plans to make many of the base system shlibs private and that
> > includes switching the ports to use openssl from ports, but I don't think
> > any changes along those lines are really imminent.
>
> Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
> However I don't see a projects/release-pkg dir in -CURRENT.
>
> Any recommendations as to how we might help this particular effort?

What do you mean? It has been there for a while

https://svnweb.freebsd.org/base/projects/release-pkg/

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
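The thread's concern about two OpenSSL copies (base vs. port) on one host can be checked per binary. The following is an added example, not code from the thread or from FreeBSD; it assumes base OpenSSL is installed under /lib or /usr/lib and the ports version under /usr/local/lib, and it classifies ldd(1) output so a binary linked against both copies at once is flagged.

```shell
#!/bin/sh
# Added example: classify which OpenSSL libraries a FreeBSD binary links
# against, given its ldd(1) output. Assumed paths: base OpenSSL in
# /lib or /usr/lib, ports OpenSSL in /usr/local/lib. Prints one of
# "base", "ports", "mixed" (both copies pulled in, which means two
# different OPENSSLDIRs and cipher sets inside one process) or "none".
classify_ssl_link() {
    # $1: ldd output, one "libX.so.N => /path/libX.so.N (0x...)" per line
    base=0; ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;   # only the OpenSSL libraries matter
            *) continue ;;
        esac
        case "$line" in
            *"=> /usr/local/lib/"*)        ports=1 ;;
            *"=> /usr/lib/"*|*"=> /lib/"*) base=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$base" = 1 ] && [ "$ports" = 1 ]; then echo mixed
    elif [ "$ports" = 1 ]; then echo ports
    elif [ "$base" = 1 ]; then echo base
    else echo none
    fi
}

# Constructed ldd output: a ports binary using libssl from ports while a
# dependency drags in the base libcrypto (the situation the check exists for).
SAMPLE_MIXED='/usr/local/bin/example:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# On a FreeBSD host, run against a real binary, e.g.:
#   classify_ssl_link "$(ldd /usr/local/bin/some-port-binary)"
classify_ssl_link "$SAMPLE_MIXED"
```

Pair the result with `openssl version -d` (run once for /usr/bin/openssl and once for /usr/local/bin/openssl) to see which OPENSSLDIR, and therefore which cert.pem, each copy consults.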