Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
From: Matthew Seaman
To: freebsd-security@freebsd.org
Date: Fri, 18 Dec 2015 16:37:30 +0000
Message-ID: <5674364A.7090600@infracaninophile.co.uk>
References: <5673FB3B.2010201@freebsd.org>
List-Id: "Security issues [members-only posting]"

On 2015/12/18 15:47, rhi wrote:
> Matthew Seaman writes:
>
>> Is that the ports or the base version of openssl? I can recreate your
>> results with the base openssl, but everything works as expected with the
>> ports version:
>
> Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base
> OpenSSL or do I use it wrongly?
>
> Until now, I have avoided installing the OpenSSL port because the base
> OpenSSL gets security updates via freebsd-update and so it's one thing less
> to care about... also, I don't like the idea of having two different
> versions of the same thing on the system (because some applications might
> use the one version, others the second one, and then it's quite difficult
> to find the bugs).
>
> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> is only used for the system itself?
>
> And thanks for your help! I wouldn't have had the idea that base OpenSSL vs.
> port OpenSSL could be the cause of the problem.

The default at the moment is to use the base system openssl, but there's no particular recommendation over choosing that rather than using the ports openssl. There are plans to make many of the base system shlibs private and that includes switching the ports to use openssl from ports, but I don't think any changes along those lines are really imminent.

I don't know if the base system not reading /etc/ssl/certs.pem is by design or not. I can't see any advantage of not reading it though.

While you will get security updates via freebsd-update for stuff in the base, you'll equally get security updates for ports via pkg(8) -- even if you're building your own, you can still get alerts via 'pkg audit' and in fact, you're likely to be more exposed to security problems through ported software than you are through the base system. So updating your ports is at least as important, and probably more important, than updating the OS.
Cheers,

Matthew
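A check for the question the thread leaves open (which OpenSSL build a box is actually using, and whether that build consults its default CA bundle at all), written as an added example that is not part of the thread. It assumes FreeBSD's base binary at /usr/bin/openssl and the ports one at /usr/local/bin/openssl, and relies on OpenSSL's SSL_CERT_FILE environment override and the -CAfile option; the throwaway self-signed cert it creates never touches the system store.

```shell
#!/bin/sh
# Added example, not code from the thread. For each OpenSSL binary on a FreeBSD
# box (base /usr/bin/openssl and ports /usr/local/bin/openssl: assumed paths),
# report the compiled-in OPENSSLDIR, whether a CA bundle sits at its default
# cert.pem location, and, using a throwaway self-signed cert, whether the build
# consults its default CA file at all (SSL_CERT_FILE overrides that file's path).
set -u

# Pull the directory out of `openssl version -d` output: OPENSSLDIR: "/etc/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*$/\1/p'
}

# OpenSSL's compiled-in default CA bundle is $OPENSSLDIR/cert.pem
default_cafile() {
    printf '%s/cert.pem\n' "$1"
}

# 0 when that default is the /etc/ssl/cert.pem file the thread is about
uses_etc_ssl_cert_pem() {
    [ "$(default_cafile "$1")" = /etc/ssl/cert.pem ]
}

probe() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not installed"; return 0; }
    dir=$(parse_openssldir "$("$bin" version -d)")
    bundle=$(default_cafile "$dir")
    echo "$bin: $("$bin" version), OPENSSLDIR=$dir"
    if [ -r "$bundle" ]; then echo "  default bundle present: $bundle"
    else echo "  default bundle missing: $bundle (nothing to verify against without -CAfile)"; fi
    tmp=$(mktemp -d) || return 1
    # Self-signed throwaway CA; it lives only in $tmp, never in the system store.
    "$bin" req -x509 -newkey rsa:2048 -nodes -subj /CN=probe -days 1 \
        -keyout "$tmp/key.pem" -out "$tmp/ca.pem" >/dev/null 2>&1
    # An explicit -CAfile must always work; the SSL_CERT_FILE run succeeds only
    # if this build actually loads its default CA file when none is given.
    "$bin" verify -CAfile "$tmp/ca.pem" "$tmp/ca.pem" >/dev/null 2>&1 &&
        echo "  explicit -CAfile: OK"
    if SSL_CERT_FILE="$tmp/ca.pem" "$bin" verify "$tmp/ca.pem" >/dev/null 2>&1; then
        echo "  default CA file honoured: OK"
    else
        echo "  default CA file NOT honoured: pass -CAfile /etc/ssl/cert.pem explicitly"
    fi
    rm -rf "$tmp"
}

case "${1:-}" in --probe) probe /usr/bin/openssl; probe /usr/local/bin/openssl ;; esac
```

Run it as `sh probe.sh --probe`; without the flag it only defines the helper functions, so the file can be sourced safely.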