From: c0re
To: FreeBSD
Date: Mon, 15 Nov 2010 18:40:27 +0300
Subject: Re: openssl version - how to verify
In-Reply-To: <20101115090851.237f167b@scorpio>

2010/11/15 Jerry:
> On Mon, 15 Nov 2010 16:17:10 +0300
> c0re articulated:
>
>> If I look at base openssl in 7.3-RELEASE-p3
>>
>> sys# openssl version -a
>> OpenSSL 0.9.8e 23 Feb 2007
>> built on: Mon Sep 27 11:54:36 MSD 2010
>> platform: FreeBSD-i386
>> options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
>> blowfish(idx) compiler: cc
>> OPENSSLDIR: "/etc/ssl"
>>
>> but at www.openssl.org I see that it's not recent version
>>
>> 01-Jun-2010:     OpenSSL 0.9.8o is now available, including
>> important bug and security fixes
>>
>> I know that freebsd security team make patches for base openssl, but
>> how can I know what patchlevel of openssl in base version?
>>
>> Like "-p5" in "OpenSSL 0.9.8e-p5 23 Feb 2007".
>
> Why not just install the ports version:
>
> openssl version -a
> OpenSSL 1.0.0a 1 Jun 2010
> built on: Sun Jun  6 12:19:12 EDT 2010
> platform: BSD-x86_64
> options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -march=athlon64 -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
> OPENSSLDIR: "/usr/local/openssl"
>
> You would need to add this to the "/etc/make.conf" file first I believe:
>
>        WITH_OPENSSL_PORT=yes
>

There are still too many broken ports with openssl from ports; I do not like debugging it and really like to use base openssl, almost no difference. But I just want to have some proof that base system openssl has security patches, because 7.3-RELEASE base openssl is 0.9.8e, but 0.9.8e has got security vulnerabilities.
But how can I be sure that the FreeBSD base system with version 0.9.8e does not have any vulnerabilities?
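
One way to approach the question in this message, as an added example that is not part of the original thread: FreeBSD security advisories carry a "Corrected:" section naming, per branch, the patch level that contains the fix, and that can be compared with the running release string (such as the 7.3-RELEASE-p3 quoted above). The advisory text, its patch levels and the function names below are constructed for illustration and do not come from a real advisory.

```sh
#!/bin/sh
# Added example: compare a release string with an advisory's "Corrected:" list.

# patch_level RELEASE: print the numeric -pN suffix, or 0 when there is none.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# release_branch RELEASE: strip the -pN suffix ("7.3-RELEASE-p3" -> "7.3-RELEASE").
release_branch() {
    echo "${1%-p[0-9]*}"
}

# advisory_status RELEASE < advisory-text
# Prints "patched", "vulnerable", or "unlisted" (branch absent from the
# Corrected: list, so the advisory's "Affects:" section has to be read by hand).
advisory_status() {
    branch=$(release_branch "$1")
    have=$(patch_level "$1")
    fixed=""
    while IFS= read -r line; do
        case "$line" in
            (*", ${branch}-p"[0-9]*")") fixed=${line##*, }; fixed=${fixed%")"} ;;
            (*", ${branch})")           fixed=$branch ;;
        esac
    done
    if [ -z "$fixed" ]; then
        echo unlisted
    elif [ "$have" -ge "$(patch_level "$fixed")" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample in the layout of an advisory header (placeholder id,
# placeholder dates, made-up patch levels).
sample_advisory() {
    cat <<'EOF'
FreeBSD-SA-XX:NN.openssl
Corrected:      YYYY-MM-DD hh:mm:ss UTC (RELENG_8, 8.1-STABLE)
                YYYY-MM-DD hh:mm:ss UTC (RELENG_8_1, 8.1-RELEASE-p2)
                YYYY-MM-DD hh:mm:ss UTC (RELENG_7, 7.3-STABLE)
                YYYY-MM-DD hh:mm:ss UTC (RELENG_7_3, 7.3-RELEASE-p4)
EOF
}

echo "7.3-RELEASE-p3: $(sample_advisory | advisory_status 7.3-RELEASE-p3)"
```

The string printed by `openssl version` stays at 0.9.8e on a patched base system, as the output quoted in this message shows for 7.3-RELEASE-p3, so the comparison has to use the system patch level rather than the OpenSSL version string.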