Date: Wed, 17 Nov 2010 12:54:50 +0300
From: c0re <nr1c0re@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: openssl version - how to verify
Message-ID: <AANLkTi=-wMQt=ukhE1mtVngP7jpRgFDyz0K+vyQXBb56@mail.gmail.com>
In-Reply-To: <1289922439.2570.157.camel@btw.pki2.com>
References: <AANLkTinFoAC=t6-cp7ofphi=X+bGwkY-CL3X6B_ChTXH@mail.gmail.com>
 <20101115090851.237f167b@scorpio>
 <AANLkTinNd0mzR6x3fnB8xWFqJhX61mv3_EipUwaha6ux@mail.gmail.com>
 <20101115122428.294dde4f@scorpio>
 <AANLkTik7fLcRFoM6H4uohexXBVchKHxv4bSgiufTX-dp@mail.gmail.com>
 <1289922439.2570.157.camel@btw.pki2.com>
2010/11/16 Dennis Glatting <dg17@penx.com>:
> On Tue, 2010-11-16 at 10:28 +0300, c0re wrote:
>> Jerry, I'm not about that :) base openssl is OK. But I need proof
>> that it has got no security problems - it's the external IT auditors'
>> request.
>> And I'm interested in how I can know what patchlevel the base
>> openssl version is at and prove to them (auditors) that freebsd base openssl
>> is not vulnerable.
>>
>
> Most operating systems have a variant of OpenSSL they patch from the
> security bug set without bumping the OpenSSL version identifier (they
> usually tack on an OS-specific identifier but the OpenSSL identifier
> becomes meaningless). For example Debian is a patched "g," which you
> would conclude as old (in many respects it is old) and therefore
> security hole riddled.
>
> Debian 5.0.6:
>         Tasha:# openssl version
>         OpenSSL 0.9.8g 19 Oct 2007
>
> FreeBSD 8.1:
>         btw> openssl version
>         OpenSSL 0.9.8n 24 Mar 2010
>
> That /does not/ mean those versions of OpenSSL have security holes.
>
> The fallacy with auditors is they look at version identifiers to make
> conclusions. This is in error. You need to figure out what they are
> looking for. Do they have a specific issue? Bug? Test suite they want
> run?
>
> You /could/ install the most recent version of OpenSSL but there is no
> guarantee it will replace the running version and it /could/ break
> applications, if only introducing holes that previously didn't exist
> (data structure sizing, library binding, function argument sets, etc.)
>
>> 2010/11/15 Jerry <freebsd.user@seibercom.net>:
>> > On Mon, 15 Nov 2010 18:40:27 +0300
>> > c0re <nr1c0re@gmail.com> articulated:
>> >
>> >> There are still too many broken ports with openssl from ports, I do
>> >> not like debugging it and really like to use base openssl, almost no
>> >> difference.
>> >
>> > Might I suggest that if you are aware of ports that don't work
>> > correctly with the port's version of openssl that you file a PR against
>> > it. I have done so and succeeded in getting several patches issued to
>> > correct the problem. This problem will not go away by itself.
>> >
>> > --
>> > Jerry
>> > FreeBSD.user@seibercom.net
>> >
>> > Disclaimer: off-list followups get on-list replies or get ignored.
>> > Please do not ignore the Reply-To header.
>> >
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>

I understood you. They just look at "openssl version" and that's all. I
just install openssl from ports, hide /usr/bin/openssl temporarily, they
get all they need (there is openssl in /usr/local/bin/) and then I
deinstall openssl from ports and restore /usr/bin/openssl. That's
absurdity, but that's auditors... :)

Thanks all. It's hard to prove to auditors that base openssl is OK.
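Dennis's point above is that the `openssl version` banner says nothing about vendor-backported fixes, and that the FreeBSD release patch level is the identifier an auditor should be shown instead. The Python below is an added example, not code from the thread: it parses the two banners quoted above into correctly ordered tuples (letter suffixes sort a < b < ... < z < za, so raw string comparison is wrong) and parses a `uname -r` string into its -pN patch level; the release strings are constructed samples.

```python
import re

# Banners copied from the thread above; the release strings used later are constructed samples
DEBIAN_BANNER = "OpenSSL 0.9.8g 19 Oct 2007"
FREEBSD_BANNER = "OpenSSL 0.9.8n 24 Mar 2010"

_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)-([A-Z]+\d*)(?:-p(\d+))?$")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 0.9.8n 24 Mar 2010' into a tuple that sorts correctly.

    Upstream letter suffixes order a < b < ... < z < za < zb, so the suffix is
    kept as a tuple of letters; comparing the raw string would misorder 'za'.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), tuple(letters))


def parse_freebsd_release(uname_r):
    """Turn 'uname -r' output such as '8.1-RELEASE-p2' into (8, 1, 'RELEASE', 2).

    The -pN patch level is what FreeBSD security advisories reference, so for a
    base-system OpenSSL it, not the banner, records which fixes are installed.
    """
    m = _RELEASE_RE.match(uname_r.strip())
    if not m:
        raise ValueError("unrecognised FreeBSD release string: %r" % uname_r)
    major, minor, branch, patch = m.groups()
    return (int(major), int(minor), branch, int(patch or 0))


def banner_is_at_least(banner, minimum):
    """True if the banner's upstream version is >= the minimum's.

    Only meaningful for unmodified upstream builds: a vendor build can carry
    backported fixes behind an older letter suffix, which is Dennis's point.
    """
    return parse_openssl_version(banner) >= parse_openssl_version(minimum)


if __name__ == "__main__":
    print(parse_openssl_version(FREEBSD_BANNER))
    print(banner_is_at_least(FREEBSD_BANNER, DEBIAN_BANNER))
    print(parse_freebsd_release("8.1-RELEASE-p2"))
```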