Subject: Re: "Online" Updating of OpenSSL
From: Florian Heigl
Date: Thu, 12 Jun 2014 22:10:41 +0200
To: freebsd-isp@freebsd.org
Cc: khatfield@socllc.net
List-Id: Internet Services Providers

Hi,

Thanks for the hints!

On 12.06.2014, at 19:38, khatfield@socllc.net wrote:
> There are a few ways to do it and I'm certain there is an easier method than what I'm recommending. However, you can use portmaster, for example. You could also use this wrapper script:
>
> http://www.charlieroot.de/bsd/pkg_depends.pl

That won't catch anything that uses an OpenSSL from base though, right?
Is it bad practice to use the one from base? (I wouldn't mind knowing :)

If I go with the depends I could probably hunt them down on the tinderbox host, and compile some list there. Maybe?

> With no arguments you're going to pull everything. I would recommend looking at running services and using this script to view the dependencies per service package.
>
> Ensuring that (of course) restart all services with open ports after the upgrade. (Web/email/ssh/etc)

The most ideal / exact way for *this* is what I'm after.
Especially identifying this "all" 100% correctly.
I'd like to have it down to a point where I'd even see if a user has a self-compiled binary running that is linked to OpenSSL (or anything like this), so I can call them up.

But I take it I should take a first shot the easy way?

* source /etc/rc.local
* for any service that is set to "enabled", check if it's something that surely uses ssl (apache, mail, stunnel, ssh)
* search its rc script
* precedence for /usr/local/etc/rc.d and secondary for /etc/rc.d
* restart it

I'm sure that'll cover most cases and it's also pretty reliable.
But, as laid out above, imo that is far from making sure you get all of it.

Apache as an example shows it's pretty tricky:
Apache isn't linked against openssl, only the mod_ssl is.

Right now I only see the way by ldd'ing every file that is a library or binary.

Thanks for the inputs you all gave, I appreciate them!

Florian
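As an added example (not code from the thread or from the FreeBSD project), a POSIX sh script implementing the "ldd every library or binary" approach described above: it walks directories, runs ldd(1) on executables and shared objects, and reports the ones resolving libssl or libcrypto, which also catches module files such as mod_ssl.so that the main binary does not link. The function names and the sample ldd listing are constructed.

```shell
#!/bin/sh
# Added example: find files on disk dynamically linked against OpenSSL
# (libssl/libcrypto) so the services using them can be restarted after an
# OpenSSL upgrade, whether the library comes from base (/usr/lib) or ports
# (/usr/local/lib). Function names and sample data are constructed.

# Read ldd(1) output on stdin; succeed if any line resolves libssl or libcrypto.
uses_openssl() {
    grep -Eq 'lib(ssl|crypto)\.so'
}

# Print the OpenSSL library paths an ldd listing resolves to, one per line.
openssl_libs() {
    awk '/lib(ssl|crypto)\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Walk the given directories and print every executable (owner-execute bit,
# -perm -100) or shared object whose ldd output references OpenSSL. Apache's
# mod_ssl.so is reported this way even though httpd itself is not linked to libssl.
scan_openssl_users() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -100 -o -name '*.so*' \) 2>/dev/null |
        while IFS= read -r f; do
            if ldd "$f" 2>/dev/null | uses_openssl; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Constructed ldd output for a hypothetical mod_ssl.so, so the parser can be
# demonstrated without depending on what is installed on this machine.
SAMPLE_LDD='/usr/local/libexec/apache24/mod_ssl.so:
	libssl.so.8 => /usr/lib/libssl.so.8 (0x800a00000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Usage: ./script.sh --scan /usr/local/bin /usr/local/sbin /usr/local/libexec
# Without --scan, just show which OpenSSL libraries the sample listing resolves.
if [ "${1:-}" = "--scan" ]; then
    shift
    scan_openssl_users "$@"
else
    printf '%s\n' "$SAMPLE_LDD" | openssl_libs
fi
```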