From owner-freebsd-security@FreeBSD.ORG Mon Apr 28 19:07:45 2014
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
From: Charles Swiger
In-reply-to: <535E99C8.7050309@freebsd.org>
Date: Mon, 28 Apr 2014 12:07:44 -0700
Message-id: <48F0201D-506E-4CDE-B758-D10A65CBBF9F@mac.com>
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> <86eh0hsq3w.fsf@nine.des.no> <535E99C8.7050309@freebsd.org>
To: Julian Elischer
Cc: "freebsd-security@freebsd.org security"

Hi--

On Apr 28, 2014, at 11:11 AM, Julian Elischer wrote:
>> OpenSSL 0.9.x and 1.0.x are *not* binary compatible.
>
> are they somewhat "API" compatible? can you compile most code against either?

Yes, you can compile most code against either OpenSSL 0.9.x or 1.x.

The OpenSSL API defines OPENSSL_VERSION_NUMBER like so to distinguish new functionality in 1.x:

    /* ECC support came along in OpenSSL 1.0.0 */
    #if (OPENSSL_VERSION_NUMBER < 0x10000000)
    #define OPENSSL_NO_EC
    #endif

That's the only test for OpenSSL 1 functionality in Apache, taken from httpd-2.2.27/modules/ssl/ssl_toolkit_compat.h. A quick check of other common users of SSL like curl, OpenLDAP, nmap, & nginx is pretty similar.

Regards,
--
-Chuck

PS: curl seems to have the most checks against OpenSSL 1.x, in order to force SSLv3 vs TLS versions if the user specifies such.
See curl-7.35.0/lib/vtls/openssl.c:

    case CURL_SSLVERSION_SSLv3:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_TLSv1;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
      ctx_options |= SSL_OP_NO_TLSv1_1;
      ctx_options |= SSL_OP_NO_TLSv1_2;
    #endif
      break;

    case CURL_SSLVERSION_TLSv1:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
      break;

    case CURL_SSLVERSION_TLSv1_0:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
      ctx_options |= SSL_OP_NO_TLSv1_1;
      ctx_options |= SSL_OP_NO_TLSv1_2;
    #endif
      break;

    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    case CURL_SSLVERSION_TLSv1_1:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
      ctx_options |= SSL_OP_NO_TLSv1;
      ctx_options |= SSL_OP_NO_TLSv1_2;
      break;

    case CURL_SSLVERSION_TLSv1_2:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
      ctx_options |= SSL_OP_NO_TLSv1;
      ctx_options |= SSL_OP_NO_TLSv1_1;
      break;
    #endif
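An added example, not part of the thread or of the Apache/curl sources quoted in it: the thresholds 0x10000000 and 0x1000100FL are instances of OpenSSL's 0xMNNFFPPS version encoding (major, minor, fix, patch letter, status nibble), and this stand-alone C program decodes that layout and evaluates both checks at run time for a few constructed version numbers, so a port maintainer can see which OpenSSL builds each `#if` admits without needing the OpenSSL headers installed.

```c
#include <stdio.h>
#include <string.h>

/* Fields of OPENSSL_VERSION_NUMBER, laid out as 0xMNNFFPPS. */
struct ossl_version {
    unsigned major;   /* M  : 4 bits  */
    unsigned minor;   /* NN : 8 bits  */
    unsigned fix;     /* FF : 8 bits  */
    unsigned patch;   /* PP : 8 bits, 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status;  /* S  : 4 bits, 0 = dev, 1..0xe = beta, 0xf = release */
};

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (v >> 28) & 0xF;
    r.minor  = (v >> 20) & 0xFF;
    r.fix    = (v >> 12) & 0xFF;
    r.patch  = (v >> 4)  & 0xFF;
    r.status = v & 0xF;
    return r;
}

/* Apache's check: ECC is assumed missing for anything below 1.0.0-dev. */
int ossl_has_ec(unsigned long v) { return v >= 0x10000000UL; }

/* curl's check: SSL_OP_NO_TLSv1_1 / _2 are only used from 1.0.1 release on. */
int ossl_has_tls11_12_opts(unsigned long v) { return v >= 0x1000100FUL; }

/* Render the number as the familiar "0.9.8y" / "1.0.1e" string. */
int ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version p = ossl_decode(v);
    if (p.patch)
        return snprintf(buf, len, "%u.%u.%u%c", p.major, p.minor, p.fix,
                        'a' + (int)p.patch - 1);
    return snprintf(buf, len, "%u.%u.%u", p.major, p.minor, p.fix);
}

int main(void)
{
    /* Constructed sample version numbers: 0.9.8y, 1.0.0 dev, 1.0.1 release, 1.0.1e. */
    unsigned long samples[] = { 0x0090819fUL, 0x10000000UL, 0x1000100fUL, 0x1000105fUL };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format(samples[i], buf, sizeof buf);
        printf("0x%08lx = %-8s EC:%d  TLS1.1/1.2 opts:%d\n", samples[i], buf,
               ossl_has_ec(samples[i]), ossl_has_tls11_12_opts(samples[i]));
    }
    return 0;
}
```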