Date: Thu, 12 Jun 2014 22:10:41 +0200
From: Florian Heigl <florian.heigl@gmail.com>
To: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Cc: khatfield@socllc.net
Subject: Re: "Online" Updating of OpenSSL
Message-ID: <AEF6B7B3-D156-4685-BDDA-1EC6E5A28CCF@gmail.com>
In-Reply-To: <1207386468.87959.1402594732717@51579f81c1a348fb9060d70bbb215ff4.nuevasync.com>
References: <3783360C-9CB7-4286-955B-7CFC2D68C8A5@gmail.com> <1207386468.87959.1402594732717@51579f81c1a348fb9060d70bbb215ff4.nuevasync.com>
Hi,

Thanks for the hints!

On 12.06.2014, at 19:38, khatfield@socllc.net wrote:

> There are a few ways to do it and I'm certain there is an easier method than what I'm recommending. However, you can use portmaster, for example. You could also use this wrapper script:
>
> http://www.charlieroot.de/bsd/pkg_depends.pl

That won't catch anything that uses an OpenSSL from base though, right?
Is it bad practice to use the one from base? (I wouldn't mind knowing :)

If I go with the depends I could probably hunt them down on the tinderbox host, and compile some list there. Maybe?

> With no arguments you're going to pull everything. I would recommend looking at running services and using this script to view the dependencies per service package.
>
> Ensuring that (of course) restart all services with open ports after the upgrade. (Web/email/ssh/etc)

The most ideal / exact way for *this* is what I'm after.
Especially identifying this "all" 100% correctly.

I'd like to have it down to a point where I'd even see if a user has a self-compiled binary running that is linked to OpenSSL (or anything like this), so I can call them up.

But I take it I should take a first shot the easy way?

* source /etc/rc.local
* for any service that is set to "enabled", check if it's something that surely uses ssl (apache, mail, stunnel, ssh)
* search its rc script
* precedence for /usr/local/etc/rc.d and secondary for /etc/rc.d
* restart it

I'm sure that'll cover most cases and it's also pretty reliable.
But, as laid out above, imo that is far from making sure you get all of it.

Apache as an example shows it's pretty tricky:
Apache isn't linked against openssl, only the mod_ssl is.

Right now I only see the way by ldd'ing every file that is a library or binary.

Thanks for the inputs you all gave, I appreciate them!

Florian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AEF6B7B3-D156-4685-BDDA-1EC6E5A28CCF>
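The mod_ssl problem raised in the message (ldd on httpd shows no OpenSSL, yet the running process has it mapped) is what the following script addresses; it is an added example, not code from the thread or from FreeBSD. It inspects the live memory map of each process instead of the executable on disk, so runtime-loaded modules are caught too. It assumes FreeBSD `procstat -v PID` or Linux `/proc/PID/maps` with the backing file path in the last column, and root to read other users' processes.

```sh
#!/bin/sh
# Report running processes that have OpenSSL mapped, judged from the live
# memory map rather than from ldd on the executable, so shared objects
# pulled in at runtime (Apache's mod_ssl, PAM/NSS modules, plugins) are
# caught as well. Linux marks a mapped file that has been replaced on disk
# with "(deleted)", which is exactly the "needs a restart" signal.
# Assumptions (not from the thread): FreeBSD `procstat -v PID` or Linux
# /proc/PID/maps, both with the backing path as the last column; reading
# other users' processes needs root.

# openssl_libs_in_map: read one process's memory map on stdin and print
# each distinct libssl/libcrypto object found, flagging replaced files.
openssl_libs_in_map() {
    awk '{ p = $NF; stale = "" }
         p == "(deleted)" { p = $(NF-1); stale = " (replaced on disk)" }
         p ~ /\/lib(ssl|crypto)\.so/ && !seen[p]++ { print p stale }'
}

# process_map PID: dump the memory map of one live process.
process_map() {
    if [ -r "/proc/$1/maps" ]; then
        cat "/proc/$1/maps"
    else
        procstat -v "$1" 2>/dev/null
    fi
}

# scan_running: print "PID COMMAND OBJECT" for every OpenSSL object mapped
# by any process; the PID list is the set of services to restart after
# the library has been updated.
scan_running() {
    for pid in $(ps -A -o pid= 2>/dev/null); do
        libs=$(process_map "$pid" | openssl_libs_in_map)
        [ -n "$libs" ] || continue
        cmd=$(ps -p "$pid" -o comm= 2>/dev/null)
        printf '%s\n' "$libs" | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$cmd" "$lib"
        done
    done
}

# Run the system-wide scan only when asked, so the functions can also be
# sourced and used on a saved procstat/maps dump.
case "${1:-}" in --scan) scan_running ;; esac
```

Run it as `sh scan.sh --scan` after installing the new OpenSSL; any process listed still has an OpenSSL object mapped and should be restarted, whether or not its executable shows libssl under ldd.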