From owner-freebsd-security@freebsd.org Fri Dec 18 16:55:23 2015
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
To: freebsd-security
From: Dan Lukes <dan@obluda.cz>
Message-ID: <56743A77.4080001@obluda.cz>
Date: Fri, 18 Dec 2015 17:55:19 +0100
References: <5673FB3B.2010201@freebsd.org>
List-Id: "Security issues [members-only posting]"

On 18.12.2015 16:47, rhi wrote:
> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> is only used for the system itself?

On 9.x-R (still considered a supported version) the base's OpenSSL is too old for today's SSL servers. The best TLS version it supports is 1.0, which is considered unacceptably old for some recent SSH clients. You have almost no choice but the port's OpenSSL here (if you wish to provide an SSL server, of course).

Dan