From: "H. Ingow" <hingow@googlemail.com>
To: freebsd-stable@freebsd.org
Date: Sat, 19 Dec 2009 09:58:49 +0100
Subject: SSL appears to be broken in 8-STABLE/RELEASE

First my apologies for breaking the thread.
We also had this issue and tried to find an acceptable solution. To make a long story short: please try to compile your application against the version of openssl available in the ports tree. As you already mentioned, SA-09:15 breaks renegotiation with the base system's openssl by fixing a security issue (it actually does).

Prerequisite for the following is, of course, to install /usr/ports/security/openssl, which will give you openssl 0.9.8l. (You do not necessarily have to remove the base openssl.)

You may then set 'WITH_OPENSSL_PORT=YES' in /etc/make.conf and rebuild your application(s) via the ports; they should then be compiled correctly against the ports version.

Or, but this will only work if your application's configure script has a switch to set the path to ssl or openssl to the ports-openssl's location, something like

    # setenv LD_LIBRARY_PATH /usr/local/lib    ## this actually may be removed after build

and configure with the appropriate option, maybe alike

    # ./configure --openssl-path=/usr/local/lib

Just make sure it compiled properly. The output of ldd should show (apart from other):

    # ldd application
    /app/li/cation:
        ......
        libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
        libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
        ........

For the applications we use, this works with both versions of openssl on the same box, without any interference.

Considerations about this?

HTH
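The ldd check at the end of the post is the step that tells you whether the rebuild actually took. Below is an added POSIX shell helper, not part of the original message, that reads ldd(1)-style output and succeeds only when both libssl and libcrypto resolve under the ports prefix (/usr/local/lib), warning on any libssl/libcrypto line that points elsewhere. The two ldd outputs embedded in it are constructed samples, not captured from a real system; the function name check_ports_openssl and the shared-library paths in the "bad" sample are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm from ldd output that an
# application links the ports OpenSSL rather than the base system copy.
# On a real FreeBSD box:  ldd /path/to/app | check_ports_openssl
# The sample outputs below are constructed for the demonstration.

# check_ports_openssl [prefix]
# Reads ldd output on stdin. Returns 0 only if both libssl.so* and
# libcrypto.so* resolve under prefix (default /usr/local/lib).
# Any libssl/libcrypto line resolving elsewhere is reported on stderr.
check_ports_openssl() {
    prefix="${1:-/usr/local/lib}"
    ssl_ok=0
    crypto_ok=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*"=> $prefix/"*)    ssl_ok=1 ;;
            *libcrypto.so*"=> $prefix/"*) crypto_ok=1 ;;
            *libssl.so*|*libcrypto.so*)
                echo "WARNING: not resolved from $prefix: $line" >&2 ;;
        esac
    done
    [ "$ssl_ok" -eq 1 ] && [ "$crypto_ok" -eq 1 ]
}

# Constructed sample: the result the post expects after rebuilding
# against the ports OpenSSL.
GOOD_LDD='app:
    libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
    libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
    libc.so.7 => /lib/libc.so.7 (0x28100000)'

# Constructed sample: a binary still picking up the base system OpenSSL
# (paths are illustrative assumptions, not captured output).
BAD_LDD='app:
    libssl.so.5 => /usr/lib/libssl.so.5 (0x281bc000)
    libcrypto.so.5 => /lib/libcrypto.so.5 (0x28200000)
    libc.so.7 => /lib/libc.so.7 (0x28100000)'

# Named wrappers so each sample can be checked by name.
check_good() { printf '%s\n' "$GOOD_LDD" | check_ports_openssl; }
check_bad()  { printf '%s\n' "$BAD_LDD"  | check_ports_openssl 2>/dev/null; }

if [ "${1:-}" = "--demo" ]; then
    check_good && echo "good sample: linked against ports openssl"
    check_bad  || echo "bad sample: base system openssl still linked"
fi
```

Run the script with --demo to see both samples evaluated; in practice pipe the real ldd output into check_ports_openssl after each rebuild, since a configure run that silently found the base headers first will pass the build and only show up here.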