Date:      Fri, 18 Dec 2015 16:37:30 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-security@freebsd.org
Subject:   Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
Message-ID:  <5674364A.7090600@infracaninophile.co.uk>
In-Reply-To: <loom.20151218T164148-505@post.gmane.org>
References:  <loom.20151218T123930-865@post.gmane.org> <5673FB3B.2010201@freebsd.org> <loom.20151218T164148-505@post.gmane.org>

On 2015/12/18 15:47, rhi wrote:
> Matthew Seaman <matthew <at> freebsd.org> writes:
> 
>> Is that the ports or the base version of openssl?  I can recreate your
>> results with the base openssl, but everything works as expected with the
>> ports version:
> 
> Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base
> OpenSSL or do I use it wrongly?
> 
> Until now, I have avoided installing the OpenSSL port because the base
> OpenSSL gets security updates via freebsd-update and so it's one thing less
> to care about... also, I don't like the idea of having two different
> versions of the same thing on the system (because some applications might
> use the one version, others the second one, and then it's quite difficult
> to find the bugs).
> 
> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> is only used for the system itself?
> 
> And thanks for your help! I wouldn't have had the idea that base OpenSSL vs.
> port OpenSSL could be the cause of the problem.

The default at the moment is to use the base system openssl, but there's
no particular recommendation over choosing that rather than using the
ports openssl.  There are plans to make many of the base system shlibs
private and that includes switching the ports to use openssl from ports,
but I don't think any changes along those lines are really imminent.

I don't know if the base system not reading /etc/ssl/certs.pem is by
design or not. I can't see any advantage of not reading it though.

While you will get security updates via freebsd-update for stuff in the
base, you'll equally get security updates for ports via pkg(8) -- even if
you're building your own, you can still get alerts via 'pkg audit' and
in fact, you're likely to be more exposed to security problems through
ported software than you are through the base system.  So updating your
ports is at least as important, and probably more important, than
updating the OS.

	Cheers,

	Matthew
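The thread turns on which openssl binary a command picks up and whether that build's default CA location actually contains a bundle. The script below is an added example, not code from the thread or from FreeBSD: it reports the binary, its OPENSSLDIR (as printed by `openssl version -d`), whether a cert.pem or certs/ directory is present there, and then verifies a server chain once with default paths only and once with an explicit -CAfile so a "not honoured by default" failure shows up as a difference between the two results. The /etc/ssl and /usr/local/openssl paths are the conventional base and ports locations and are assumptions here.

```shell
#!/bin/sh
# Added example (not from the thread): check which openssl is in use and
# whether its default CA bundle location is populated.

# Extract the OPENSSLDIR path from `openssl version -d` output read on stdin.
openssldir_from_version_output() {
    sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*/\1/p'
}

# Print the first default CA bundle path that exists under OPENSSLDIR
# (cert.pem, then a non-empty certs/ directory), or "none".
default_ca_location() {
    dir=$1
    if [ -f "$dir/cert.pem" ]; then
        echo "$dir/cert.pem"
    elif [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        echo "$dir/certs"
    else
        echo "none"
    fi
}

# Report on one openssl binary (default: the first one on PATH; the base
# binary is assumed to live at /usr/bin/openssl, the ports one at
# /usr/local/bin/openssl).
report_openssl() {
    bin=$(command -v "${1:-openssl}") || { echo "openssl not found"; return 1; }
    dir=$("$bin" version -d | openssldir_from_version_output)
    echo "binary:     $bin"
    echo "OPENSSLDIR: $dir"
    echo "default CA: $(default_ca_location "$dir")"
}

# Verify a TLS server's chain with default paths only, then with an explicit
# CA file; the two "Verify return code" lines differ when the default path
# is not being read.
verify_both_ways() {
    host=$1 cafile=${2:-/etc/ssl/cert.pem}
    echo "default paths:"
    openssl s_client -connect "$host:443" </dev/null 2>&1 | grep 'Verify return code'
    echo "with -CAfile $cafile:"
    openssl s_client -connect "$host:443" -CAfile "$cafile" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Usage: sh check-openssl.sh report [/path/to/openssl]
#        sh check-openssl.sh verify host [cafile]
case "${1:-}" in
    report) report_openssl "$2" ;;
    verify) verify_both_ways "$2" "$3" ;;
esac
```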



