From: c0re
To: freebsd-questions@freebsd.org
Date: Wed, 17 Nov 2010 12:54:50 +0300
Subject: Re: openssl version - how to verify

2010/11/16 Dennis Glatting :
> On Tue, 2010-11-16 at 10:28 +0300, c0re wrote:
>> Jerry, I'm not about that :) base openssl is OK. But I need proof
>> that it has got no security problems - it's the external IT auditors'
>> request.
>> And I'm interested how I can know what patchlevel there is on the base
>> openssl version and prove to them (auditors) that the freebsd base openssl
>> is not vulnerable.
>>
>
> Most operating systems have a variant of OpenSSL they patch from the
> security bug set without bumping the OpenSSL version identifier (they
> usually tack on an OS-specific identifier but the OpenSSL identifier
> becomes meaningless). For example Debian is a patched "g", which you
> would conclude as old (in many respects it is old) and therefore
> security hole riddled.
>
> Debian 5.0.6:
>         Tasha:# openssl version
>         OpenSSL 0.9.8g 19 Oct 2007
>
> FreeBSD 8.1:
>         btw> openssl version
>         OpenSSL 0.9.8n 24 Mar 2010
>
> That /does not/ mean those versions of OpenSSL have security holes.
>
> The fallacy with auditors is they look at version identifiers to make
> conclusions. This is in error. You need to figure out what they are
> looking for. Do they have a specific issue? Bug? Test suite they want
> run?
>
> You /could/ install the most recent version of OpenSSL but there is no
> guarantee it will replace the running version and it /could/ break
> applications, if only introducing holes that previously didn't exist
> (data structure sizing, library binding, function argument sets, etc.)
>
>
>
>> 2010/11/15 Jerry :
>> > On Mon, 15 Nov 2010 18:40:27 +0300
>> > c0re articulated:
>> >
>> >> There are still too many broken ports with openssl from ports, I do
>> >> not like debugging it and really like to use base openssl, almost no
>> >> difference.
>> >
>> > Might I suggest that if you are aware of ports that don't work
>> > correctly with the port's version of openssl that you file a PR against
>> > it. I have done so and succeeded in getting several patches issued to
>> > correct the problem. This problem will not go away by itself.
>> >
>> > --
>> > Jerry
>> > FreeBSD.user@seibercom.net
>> >
>> > Disclaimer: off-list followups get on-list replies or get ignored.
>> > Please do not ignore the Reply-To header.
>> >
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>> >
>>
>
>

I understood you. They just look at "openssl version" and that's all. I just
install openssl from ports, hide /usr/bin/openssl temporarily, they get all
they need (there is openssl in /usr/local/bin/), and then I deinstall openssl
from ports and restore /usr/bin/openssl. That's absurd, but that's
auditors... :)

Thanks all. It's hard to prove to auditors that base openssl is OK.
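Rather than hiding /usr/bin/openssl, a defender can hand the auditor the facts the thread says the version string omits: which openssl binaries exist (base vs. port), what each reports, the OS patch level, and which libssl a given program actually loads. The script below is an added example, not code from the thread or from FreeBSD; it assumes the base/ports paths named above, and the program paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: collect the evidence an auditor
# actually needs instead of the bare "openssl version" string.
# Assumes the FreeBSD layout from the thread: /usr/bin/openssl is base,
# /usr/local/bin/openssl is the port. Program paths are hypothetical.

# Bare version token ("0.9.8n") from an "openssl version" output line.
openssl_version_token() {
    printf '%s\n' "$1" | awk '/^OpenSSL/ { print $2 }'
}

# Security patch level ("p2") from a uname -r string such as
# "8.1-RELEASE-p2"; "p0" when the string carries no -pN suffix.
freebsd_patchlevel() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-}" ;;
        *)         printf 'p0\n' ;;
    esac
}

# Every openssl binary that matters: the one on PATH plus the two
# well-known locations, deduplicated, so the report shows which
# binary "openssl version" is actually talking about.
list_openssl_binaries() {
    { command -v openssl 2>/dev/null
      ls /usr/bin/openssl /usr/local/bin/openssl 2>/dev/null; } | sort -u
}

# The libssl a program really loads; installing a newer port does not
# change this for binaries still linked against the base library.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $1, $3 }' | tr '\n' ' '
}

report() {
    rel=$(uname -r)
    printf 'OS release : %s (patch level %s)\n' "$rel" "$(freebsd_patchlevel "$rel")"
    for bin in $(list_openssl_binaries); do
        printf 'binary     : %s -> %s\n' "$bin" \
            "$(openssl_version_token "$("$bin" version 2>/dev/null)")"
    done
    for prog in "$@"; do
        printf 'libssl of  : %s -> %s\n' "$prog" "$(linked_libssl "$prog")"
    done
}

# Usage: sh audit_openssl.sh /usr/local/sbin/httpd /usr/sbin/sshd
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

uname -r reports the kernel's patch level, which does not move on a userland-only update such as an OpenSSL fix, so pair the report with the FreeBSD security advisories for that release.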