Date: Sun, 15 Sep 2002 17:41:53 +0200
From: Roman Neuhauser <neuhauser@bellavista.cz>
To: richard childers <fscked@pacbell.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Answers (& Questions) Re: OpenSSH 3.4p1 Upgrade
Message-ID: <20020915154153.GE56092@freepuppy.bellavista.cz>
In-Reply-To: <20020911133311.GX83171@freepuppy.bellavista.cz>
References: <3D7EB40F.331798E0@pacbell.net> <20020911133311.GX83171@freepuppy.bellavista.cz>
# neuhauser@bellavista.cz / 2002-09-11 15:33:11 +0200:
> # fscked@pacbell.net / 2002-09-10 20:10:07 -0700:
>
> ...
>
> > Next we upgrade OpenSSL. The current version is 0.9.6g and is available
> > from both ftp.freebsd.org (../branches/-current/ports/security/openssl/)
> > and from the source, at www.openbsd.org.
> >
> > FreeBSD purists will insist that one uses the port. I would have said
> > the same until I tried it and found that while it compiled and installed
> > flawlessly, I (again) wanted the new installation to overlay the old
> > installation, neatly, and it was insistent on installing the new OpenSSL
> > installation in /usr/local; leaving me with the task of (manually!!)
> > hunting down and eliminating the bits and pieces of the old OpenSSL
> > installation, in /usr.
>
> you could have just done
> make install clean -DOPENSSL_OVERWRITE_BASE
> but there's this prob with --openssldir; see below.
...
> > # make PREFIX=/usr LOCALBASE=/usr
> > # make PREFIX=/usr LOCALBASE=/usr install
>
> almost right (the specified LOCALBASE didn't bite you just
> because openssl has no dependencies [other than those in the base],
> and wasn't used)
>
> > This creates a pretty close installation to that received with FreeBSD
> > 4.6 but it still creates a /usr/local/openssl directory and puts some
> > libraries in there, if I recall correctly.
>
> actually, it'd create /usr/openssl, and this is a real bug imo.
> OPENSSL_OVERWRITE_BASE should set --openssldir=/etc/ssl.
>
> but even with openssldir set to /usr/openssl this should just work
> with the openssh port, but it doesn't look like it's actually the
> case.
>
> if you build openssh with -DUSE_OPENSSL_BASE, it expects you to have
> /etc/ssl, which will break if you installed the openssl port with
> -DOPENSSL_OVERWRITE_BASE.
>
> if you build openssh without the switch, it basically assumes you
> have /usr/local/openssl. bummer. :|
ok, i submitted a patch to the openssl port that sets
--openssldir=/etc/ssl if you have -DOPENSSL_OVERWRITE_BASE, and it
just got committed.
> > I would think that critical things that are so important that they are
> > included in the operating system release (OpenSSL, OpenSSH) would be
> > important enough elements of a security infrastructure, that upgrading
> > them via the ports mechanism would result in a neatly overlaid new
> > installation over the old one - not a mixture of new and old
> > libraries, executables, and configuration files.
>
> this *should* be the case with the openssl port and the
> -DOPENSSL_OVERWRITE_BASE switch, but openssh obviously can't be
> installed in /usr without hacking the port Makefile, although it
> doesn't look like it'd be too hard.
i *might* take a look at this, too. no promises, though.
--
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE
5:37PM up 25 days, 23:29, 16 users, load averages: 0.26, 0.08, 0.02
end
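The thread's worry is a half-overlaid upgrade: the new OpenSSL landing in /usr/local (or /usr/openssl) while the old libcrypto and libssl stay in /usr/lib, and OpenSSH then linking against whichever it finds. The following sh script is an added example, not part of the thread or of the FreeBSD ports tree; it checks the two things a practitioner would verify after such an upgrade: that OPENSSLDIR (as reported by `openssl version -d`) is the expected /etc/ssl, and that libcrypto/libssl are not scattered across several library directories. The library lists and the `version -d` output below are constructed sample input so the script runs anywhere; the real commands to feed it are given after the block.

```shell
#!/bin/sh
# Added example: post-upgrade sanity checks for an OpenSSL/OpenSSH overlay
# on FreeBSD. Operates on constructed sample input; see usage note for
# wiring in the real commands.

# Extract the directory from the "OPENSSLDIR: "/path"" line that
# `openssl version -d` prints.
openssldir_of() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*$/\1/p'
}

# Given a newline-separated list of library paths (as `find` would print),
# return the distinct directories that hold a libcrypto or libssl.
crypto_lib_dirs() {
    printf '%s\n' "$1" | grep -E '/lib(crypto|ssl)\.so' \
        | sed 's,/[^/]*$,,' | sort -u
}

# Succeed (exit 0) only if libcrypto/libssl live in exactly one directory;
# more than one means the "mixture of new and old libraries" the thread
# warns about, zero means no OpenSSL libraries were found at all.
is_single_install() {
    n=$(crypto_lib_dirs "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample: a half-overlaid system (old .so.2 in /usr/lib, new
# .so.3 from the port in /usr/local/lib).
SAMPLE_MIXED='/usr/lib/libcrypto.so.2
/usr/lib/libssl.so.2
/usr/local/lib/libcrypto.so.3
/usr/local/lib/libssl.so.3'

# Constructed sample: a clean overlay, everything in /usr/lib.
SAMPLE_CLEAN='/usr/lib/libcrypto.so.3
/usr/lib/libssl.so.3'

# Constructed sample of `openssl version -d` output from a port built with
# -DOPENSSL_OVERWRITE_BASE before the --openssldir fix mentioned in the thread.
SAMPLE_VERSION_D='OPENSSLDIR: "/usr/openssl"'

# Run the checks against the samples and report.
main_demo() {
    dir=$(openssldir_of "$SAMPLE_VERSION_D")
    if [ "$dir" = /etc/ssl ]; then
        echo "OPENSSLDIR ok: $dir"
    else
        echo "OPENSSLDIR is $dir, expected /etc/ssl"
    fi
    if is_single_install "$SAMPLE_MIXED"; then
        echo "single OpenSSL library location"
    else
        echo "mixed OpenSSL library locations:"
        crypto_lib_dirs "$SAMPLE_MIXED"
    fi
}

main_demo
```

On a real machine replace the samples with live output: `openssldir_of "$(openssl version -d)"` and `crypto_lib_dirs "$(find /usr/lib /usr/local/lib -name 'lib*.so*')"`; `ldd /usr/sbin/sshd` (or the port's sshd under /usr/local/sbin) then shows which of the reported directories OpenSSH actually resolves libcrypto from.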
