From: Lowell Gilbert
To: freebsd-security@freebsd.org
Subject: Re: Upgrading default OpenSSL
Date: 01 May 2002 10:19:53 -0400
Message-ID: <44pu0grlva.fsf@be-well.ilk.org>

SolarfluX writes:

> Would this question be more appropriate for freebsd-ports, if not here?

Only if you want to install from ports.

> I figured the ability (or lack of) to upgrade the default OpenSSL is more of a
> security issue first, then a ports issue second.

That depends on your particular needs, of course. You probably
wouldn't be hurting your security profile much by bringing in a
different version of OpenSSL than the one in the FreeBSD base system,
but there's always the risk of your screwing something up. If you're
assuming that a later version of OpenSSL will be more secure than the
patched earlier version that FreeBSD includes, then you are jumping to
unwarranted (and, as I already implied, likely incorrect) conclusions.

> I don't want to install OpenSSL
> manually using the source and have two different versions on my system.

That's your choice; there's no strong objective argument either way on
the point.

> I want to replace the default version 0.9.6a with 0.9.6b (0.9.6c would be
> really nice). Could someone please comment on how this can (or cannot, and
> why) be done?

You can always build from source and install right over the top of the
system versions. There is a make.conf(5) knob to tell "make world" not
to build or install its version. The odds of your reducing your
system's security by doing so are probably higher than your odds of
improving your security, but (barring installation errors on your
part) neither possibility is very likely in the big picture.