From: Jason Unovitch
To: nightrecon@hotmail.com
Cc: freebsd-questions@freebsd.org
Date: Mon, 30 Mar 2015 18:39:57 -0400
Subject: Re: System based openssl
In-Reply-To: (not preserved)
References: <1912673295.20150327152451@agoris.net.ua>
List-Id: User questions (freebsd-questions@freebsd.org)
On Sat, Mar 28, 2015 at 4:02 PM, Michael Powell wrote:
> Subscriber wrote:
>
>> Hi.
>> Which version of system based OpenSSL is the last for FreeBSD 10.1?
>>
>> I have
>> # uname -srm
>> FreeBSD 10.1-RELEASE-p8 amd64
>>
>> # freebsd-version -ku
>> 10.1-RELEASE-p8
>> 10.1-RELEASE-p8
>>
>> # /usr/bin/openssl version
>> OpenSSL 1.0.1l-freebsd 15 Jan 2015
>
> This is correct. This is what is currently in the system base.
>
>> But openssl.org says the last version of OpenSSL in the 1.0.1 tree is 1.0.1m
>> (19-Mar-2015)
>
> This would have to be imported into the system base. This involves developer
> time and effort. It is not quite trivial.
>
> There is also a newer OpenSSL in the ports tree. Version 1.0.2 if memory
> serves. I have seen bugs and problem reports filed against the 1.0.2 so I
> would be hesitant to just blindly 'install the port version' simply because
> it's newer.
>
> The FreeBSD devs do a pretty fair job at vetting what gets into the system
> base, and the resulting maintenance issues which arise from time to time.
> Trying to "outsmart" oneself with the delusion that I know more than they
> do is how many go about creating their own problems.
>

Just to be clear, the version number doesn't tell the whole story when it
comes to security updates. Security updates change the minimum to fix the
issue and the version number is not part of the change. Introducing new
versions means new features and more possibility for a fix to cause new bugs.
If you look through the security advisories page and what they change, you'll
see what I mean.

https://www.freebsd.org/security/advisories.html

With that said, with any rule there seems to be some exception somewhere. An
errata notice to bump OpenSSL versions has happened in the recent past. The
reasons for the bump are explained in the advisory.

https://www.freebsd.org/security/advisories/FreeBSD-EN-15:02.openssl.asc

Bottom line, keep the OS up to date first and you'll be fine.

>> No OpenSSL files available during freebsd-update:
>> # freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 5 mirrors found.
>> Fetching metadata signature for 10.1-RELEASE from update4.freebsd.org...
>> done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> The following files will be updated as part of updating to
>> 10.1-RELEASE-p8: /boot/kernel/kernel
>>
>> What is wrong?
>> Thx.
>
> My first impression is nothing is wrong. You have what you're supposed to
> have. Other than that, I have never used freebsd-update so can't speak to
> anything relevant to that.
>
> -Mike

Your uname -srm shows 10.1-RELEASE-p8 while 10.1-RELEASE-p6 would be the
kernel distributed by freebsd-update. The updates after that were not kernel
related. Do you have a custom kernel? If so, removing the 'kernel' from the
Components line in /etc/freebsd-update.conf may be warranted to prevent
what's happening here.

-Jason
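The check Jason walks through above, written out as an added POSIX sh example (not code from the thread or from FreeBSD): compare the kernel and userland patch levels the way `freebsd-version -k` / `-u` report them, then look at whether a `freebsd-update.conf` still lists `kernel` in its Components line and what that line looks like with it removed. The version strings and the conf fragment below are constructed from the values quoted in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Version strings are assumed to look like
# 10.1-RELEASE-p8; the conf fragment further down is constructed, not a real file.

# Numeric patch level of a version string, 0 when there is no -pN suffix.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Release portion of a version string (everything before the -pN suffix).
release_of() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1%-p*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Compare a kernel version with a userland version. Prints one of:
#   release-mismatch  different base releases (e.g. 10.0 vs 10.1)
#   kernel-behind     kernel patch level older than userland: either a reboot is
#                     pending or, as the thread notes, the later patches were
#                     userland-only and no newer kernel was ever shipped
#   kernel-ahead      kernel newer than what userland reports: typically a custom
#                     kernel built from newer sources
#   ok                same release and patch level
check_patch_levels() {
    k="$1"; u="$2"
    if [ "$(release_of "$k")" != "$(release_of "$u")" ]; then
        printf 'release-mismatch\n'
    elif [ "$(patch_level "$k")" -lt "$(patch_level "$u")" ]; then
        printf 'kernel-behind\n'
    elif [ "$(patch_level "$k")" -gt "$(patch_level "$u")" ]; then
        printf 'kernel-ahead\n'
    else
        printf 'ok\n'
    fi
}

# Read a freebsd-update.conf on stdin; print yes if its (uncommented)
# Components line still lists the kernel, no otherwise.
kernel_component_enabled() {
    if grep -v '^[[:space:]]*#' |
       grep -E '^[[:space:]]*Components([[:space:]].*)?[[:space:]]kernel([[:space:]]|$)' >/dev/null
    then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Read a freebsd-update.conf on stdin and emit it with 'kernel' dropped from the
# Components line, which is the change the thread suggests for a custom kernel.
strip_kernel_component() {
    sed -E '/^[[:space:]]*Components/ s/[[:space:]]+kernel([[:space:]]|$)/\1/'
}

# Constructed conf fragment in the layout of the stock file (only relevant lines).
SAMPLE_CONF='# Components of the base system which should be kept updated.
Components src world kernel
# Paths which start with anything matching an entry in an IgnorePaths
# statement will be ignored.
IgnorePaths'

# Stand-alone run: use the live system when freebsd-version exists, otherwise
# the values quoted in the thread (p8 kernel, p8 userland).
if command -v freebsd-version >/dev/null 2>&1; then
    KV=$(freebsd-version -k); UV=$(freebsd-version -u)
else
    KV=10.1-RELEASE-p8; UV=10.1-RELEASE-p8
fi
printf 'kernel=%s userland=%s -> %s\n' "$KV" "$UV" "$(check_patch_levels "$KV" "$UV")"
printf 'freebsd-update will replace the kernel: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CONF" | kernel_component_enabled)"
printf '%s\n' "$SAMPLE_CONF" | strip_kernel_component
```

On a real host you would feed `/etc/freebsd-update.conf` to the two conf functions instead of the constructed fragment; the script never writes to that file, it only shows what the edited Components line would be.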