From: Ash Gokhale
Date: Thu, 18 Mar 2004 14:08:30 -0500
To: Jamie
cc: freebsd-newbies@freebsd.org
Subject: Re: openssl upgrade confusion

Back up, and overwrite the base library! Build it with the same target options that the OS uses. If you are after a new version of the library that is symbol compatible, it's probably not worth having the old lib to fall back to. OpenSSL bugs are the kind of thing that get your system OwnZ3d; you want the later version unless you are testing exploits.

On the other hand this approach doesn't play nice with the FreeBSD configuration management structure, where all the customizations live in /usr/local and don't get overwritten with make world.

If you are trying to get _all_ the angels on one pinhead you can try going after ld.so's runtime configuration, specifically:

man ld.so (whack) /LD_LIB (whack) =

     LD_LIBRARY_PATH
             A colon separated list of directories, overriding the default
             search path for shared libraries. This is ignored for
             set-user-ID and set-group-ID programs.

and

     LD_PRELOAD
             A list of shared libraries, separated by colons and/or white
             space, to be linked in before any other shared libraries. If
             the directory is not specified then the directories specified
             by LD_LIBRARY_PATH will be searched first followed by the set
             of built-in standard directories. This is ignored for
             set-user-ID and set-group-ID programs.

You can use this to conceal the system's libcrypto from your app.

Parting shot: DO check the MD5sum for the SSL package. It hasn't been trojaned; yet.

On Mar 18, 2004, at 11:58 AM, Jamie wrote:

>
>
> I'm trying to upgrade my to openssl 0.9.7d from 0.9.7c and am having a
> really rough time. I downloaded the 9.7d tarball and untarred it in
> /usr/src. I did a ./config, make, and make install. It seems to have
> placed the new openssl libraries in a different location than where the
> original ones were installed:
> # locate libcrypto.a
> /usr/lib/libcrypto.a
> /usr/local/ssl/lib/libcrypto.a
> What is the best way to over-write the base install? I've considered
> adding /usr/local/ssl/lib to the /var/run/ld-elf.so.hints file but I can't
> find a way to modify the order so that /usr/local/ssl/lib/ is checked
> before /usr/lib.
>
> - Jamie
>

Ash.Gokhale@noaa.gov
System Administration Lead, NOAA/MDL
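
An added example, not part of the original message: a small sh audit that reports which libcrypto a dynamically linked program resolves and whether LD_LIBRARY_PATH can change that, given the set-user-ID/set-group-ID rule in the ld.so text quoted above. The function names, the sample ldd output and the shared library file names are constructed for illustration; only /usr/lib and /usr/local/ssl/lib come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and SAMPLE_LDD are
# constructed; the two directories are the ones named in the thread.

# Pull the resolved libcrypto path out of ldd-style output on stdin.
libcrypto_from_ldd() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }'
}

# Classify a resolved path against the two install locations in the thread.
classify_libcrypto() {
    case "$1" in
        /usr/local/ssl/lib/*) echo "local" ;;
        /usr/lib/*)           echo "base" ;;
        "")                   echo "none" ;;  # static, or not linked to libcrypto
        *)                    echo "other" ;;
    esac
}

# True when the file carries the set-user-ID or set-group-ID bit; ld.so
# ignores LD_LIBRARY_PATH and LD_PRELOAD for such programs.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# One report line per binary. ldd may run the target's loader, so use it
# only on binaries you already trust.
audit_binary() {
    bin=$1
    resolved=$(ldd "$bin" 2>/dev/null | libcrypto_from_ldd)
    class=$(classify_libcrypto "$resolved")
    if is_setid "$bin"; then override="ignored"; else override="honored"; fi
    printf '%s\t%s\t%s\tLD_LIBRARY_PATH=%s\n' \
        "$bin" "$class" "${resolved:--}" "$override"
}

# Constructed sample of ldd output for a program still bound to the base
# library (sonames and addresses are made up).
SAMPLE_LDD='/usr/bin/example:
	libssl.so.3 => /usr/lib/libssl.so.3 (0x28081000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280b0000)
	libc.so.5 => /lib/libc.so.5 (0x281a0000)'

printf '%s\n' "$SAMPLE_LDD" | libcrypto_from_ldd   # /usr/lib/libcrypto.so.3
```

Running audit_binary over the programs that use OpenSSL after an upgrade shows which ones still resolve the base copy; a "none" result means the search path variables have no effect on that program because nothing is resolved at run time.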