Date:      Fri, 18 Dec 2015 14:21:04 -0800 (PST)
From:      Roger Marquis <marquis@roble.com>
To:        freebsd-security@freebsd.org
Subject:   Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
In-Reply-To: <5674364A.7090600@infracaninophile.co.uk>
References:  <loom.20151218T123930-865@post.gmane.org> <5673FB3B.2010201@freebsd.org> <loom.20151218T164148-505@post.gmane.org> <5674364A.7090600@infracaninophile.co.uk>

rhi wrote:
>> Until now, I have avoided installing the OpenSSL port because the base
>> OpenSSL gets security updates via freebsd-update and so it's one thing less
>> to care about... also, I don't like the idea of having two different
>> versions of the same thing on the system

A fair number of sites have this issue, particularly with ssl and ssh
binaries.  IME this is one of FreeBSD's more longstanding administrative and
security weaknesses.  It is particularly painful for those of us who have
to support a release for several years (after the last base update).

>> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
>> is only used for the system itself?

If you need the most recent ciphers and protocols you'll normally need to
use the port.  Features are backported from the (higher) port version to
the base version, i.e., without bumping the version string; however, it's
not clear whether all applications can take advantage of them.

Matthew Seaman wrote:
> There are plans to make many of the base system shlibs private and that
> includes switching the ports to use openssl from ports, but I don't think
> any changes along those lines are really imminent.

Are you sure?  3 months ago DES thought they'd be ready for 11:

  > The plan is for 11 to have a fully packaged base system.  There should
  > be some information in developer summit reports on the wiki.  The code
  > is in projects/release-pkg.

However I don't see a projects/release-pkg dir in -CURRENT.

Any recommendations as to how we might help this particular effort?

Roger