From: Mark Felder
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Date: Sun, 17 May 2015 16:15:43 -0500

On Sun, May 17, 2015, at 16:08, Roger Marquis wrote:
> Mark Felder wrote:
> >> Considering the time to write and test patches is the same in either case
> >> it is still an open question.
> >
> > Again, this is not possible. You can't just "replace" the base OpenSSL.
> > That port or package would also have to replace every binary and library
> > in the base system linked to an OpenSSL library such as libcrypt with a
> > version that was built against the updated OpenSSL.
>
> Sure, when you must change the ABI you also have to rebuild linked libs
> and bins, but how many openssl 0.9 updates have required ABI changes?
>
> Roger

This entire discussion has been about doing MAJOR updates to OpenSSL in
base. Updates that obviously require ABI changes. Please tell me about a
feature change between FreeBSD 9.3's OpenSSL 0.9.8za and the latest
compatible 0.9.8ze that validates a port for OpenSSL that replaces base.
I cannot find any that justify the effort.