Date: Sat, 19 Dec 2009 02:55:57 -0800 (PST)
From: "Chris H" <chris#@1command.com>
To: freebsd-stable@freebsd.org
Cc: "H. Ingow" <hingow@googlemail.com>
Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE
Message-ID: <556cc9475b9060a5f228a845dcb54df8.HRCIM@webmail.1command.com>
In-Reply-To: <f7206c210912190058u36222a04ge474279af10c9990@mail.gmail.com>
References: <f7206c210912190058u36222a04ge474279af10c9990@mail.gmail.com>
Greetings, and thank you for taking the time to respond.

On Sat, December 19, 2009 12:58 am, H. Ingow wrote:
> First my apologies for breaking the thread.
> We also had this issue and tried to find an acceptable solution.
> To make a long story short:
>
> Please try to compile your application against the version of openssl
> available in the ports tree.
>
> As you already mentioned (SA-09:15) breaks renegotiation with base system's
> openssl by fixing a security issue ( it actually does).
>
> Prerequisite for the following is, of course, to install
> /usr/ports/security/openssl which will give you
> openssl 0.9.8l . (You do not necessarily have to remove the base openssl)
>
> You may then set 'WITH_OPENSSL_PORT=YES' to /etc/make.conf
> and rebuild your application(s) via the ports, they should then be compiled
> correctly against the ports-version.
>
> Or, but this will only work if your application's configure script has a
> switch to set the path to ssl or openssl to the ports-openssl's location,
> something like
>
> # setenv LD_LIBRARY_PATH /usr/local/lib ## this actually may be
> removed after build
>
> and configure with the appropriate option maybe alike
>
> # ./configure --openssl-path=/usr/local/lib
>
> Just make sure it compiled properly.
> The output of ldd should show (apart from other):
> # ldd application
> /app/li/cation
> ......
> libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
> libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
> ........
>
> For the applications we use, this works with both versions of openssl on the
> same box, without any interference.

Excellent suggestion! I hadn't /yet/ compared the ports version against base.
Your suggestion has a great deal less overhead than my initial thoughts to
"back-patch" to pre-2009-12-03-openssl, and flagging that portion of the tree
as HOLD. I like your suggestion /much/ better. Thank you very much for taking
the time to share it. :)

Best wishes.
--Chris H

> Considerations about this ?
>
> HTH
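A scripted form of the ldd check H. Ingow describes, added here as an example and not code from the thread or from FreeBSD: it parses ldd output and reports whether libssl/libcrypto resolve under the ports prefix or still fall back to the base-system copy, which is the failure mode a rebuild is meant to eliminate. The PORTS_PREFIX variable, the function names and the two sample listings are my own assumptions; the samples are constructed to mirror the libssl.so.5/libcrypto.so.5 lines quoted above.

```shell
# Added example, not code from the thread. Classifies which OpenSSL
# libraries an ldd listing resolves to: the ports copy under PORTS_PREFIX
# or the base-system copy elsewhere. Names and samples are constructed.
PORTS_PREFIX="${PORTS_PREFIX:-/usr/local/lib}"

# Read ldd output on stdin; print one line per libssl/libcrypto entry.
# Returns 0 if every entry is under PORTS_PREFIX, 1 if any resolves
# elsewhere (base /usr/lib or /lib), 2 if no OpenSSL libs were found.
classify_ssl_libs() {
    found=0
    base=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*'=>'*|*libcrypto.so*'=>'*) ;;
            *) continue ;;
        esac
        found=1
        # The token after "=>" is the resolved path; drop the load address.
        path=$(printf '%s\n' "$line" | sed 's/.*=> *//; s/ *(.*//')
        case "$path" in
            "$PORTS_PREFIX"/*) echo "ports: $path" ;;
            *) echo "base-or-other: $path"; base=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    [ "$base" -eq 0 ]
}

# Wrapper for a real binary on a FreeBSD host (needs ldd available).
check_binary() {
    ldd "$1" | classify_ssl_libs
}

# Constructed ldd listings: one linked against the ports openssl, one
# still picking up the base-system libraries after a rebuild.
SAMPLE_PORTS='/usr/local/bin/app:
    libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
    libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
    libc.so.7 => /lib/libc.so.7 (0x28100000)'
SAMPLE_BASE='/usr/local/bin/app:
    libssl.so.6 => /usr/lib/libssl.so.6 (0x281a0000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x28200000)
    libc.so.7 => /lib/libc.so.7 (0x28100000)'

for s in "$SAMPLE_PORTS" "$SAMPLE_BASE"; do
    printf '%s\n' "$s" | classify_ssl_libs && echo "OK: ports openssl" \
        || echo "WARNING: base-system openssl still linked"
done
```

On a real system run `check_binary /path/to/app` for each rebuilt service; a non-zero status means the build did not pick up the ports libraries despite WITH_OPENSSL_PORT.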