Date:      Fri, 11 Dec 2020 12:23:15 -0800
From:      Benjamin Kaduk <kaduk@mit.edu>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID:  <20201211202315.GK64351@kduck.mit.edu>
In-Reply-To: <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it>
References:  <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it>

On Fri, Dec 11, 2020 at 11:11:54AM +0100, Andrea Venturoli wrote:
> On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:
> 
> > Note: The OpenSSL project has published publicly available patches for
> > versions included in FreeBSD 12.x.  This vulnerability is also known to
> > affect OpenSSL versions included in FreeBSD 11.4.  However, the OpenSSL
> > project is only giving patches for that version to premium support contract
> > holders.  The FreeBSD project does not have access to these patches and
> > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > may update this advisory to include FreeBSD 11.4 should patches become
> > publicly available.
> 
> So I'm looking for suggestions on how to handle this.
> I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.
> 
> However there are a few boxes I can't or don't want to upgrade and I'm 
> thinking about using openssl from ports.
> 
> If I'm correct, I'll need to put "DEFAULT_VERSIONS= ssl=openssl" either 
> in /etc/make.conf and/or in /usr/local/etc/poudriere.d/114amd64-make.conf.
> 
> I started with the latter, but a bulk run ended up in some port failing 
> (and a lot being skipped) due to kerberos support: AFAICT I cannot use 
> base's kerberos with ports' openssl. Which is a better replacement: MIT 
> or HEIMDAL?

It would be useful to give more specifics on the failures, as there are a few
classes of things that can go wrong.  It doesn't look like openssl from
ports attempts to support the TLS ciphers with kerberos, which would rule
out the "openssl tries to depend on kerberos" class of issues.  I assume,
then, that you're running into API conflicts where hcrypto and libcrypto
present similar-named symbols, in which case MIT would be preferred.
(The heimdal in base is quite old anyway, and using an external kerberos
would be recommended in general if you're using it for much.)

-Ben
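One way to tell the "similar-named symbols" class of failure apart from the others before a rebuild: dump the defined dynamic symbols of the two crypto libraries that would share a process and list the names they both export. The script below is an added example, not part of this thread or of the FreeBSD or OpenSSL projects. It relies only on the standard `nm -D --defined-only` output layout (address, type, name); the library paths in the usage comment are assumptions, and the two embedded symbol listings are constructed samples, not real output from any build.

```shell
#!/bin/sh
# Added example: find exported symbol names defined by both of two shared
# libraries, e.g. a ports libcrypto and a Kerberos hcrypto, to confirm an
# API/symbol clash rather than a missing-dependency failure.

# Reduce `nm -D --defined-only` output to a sorted, unique list of names of
# defined global symbols (text, data, bss, read-only, weak).
symbol_names() {
    awk 'NF >= 3 && $2 ~ /^[TDBRWV]$/ { print $3 }' | LC_ALL=C sort -u
}

# Print the names that appear in both nm listings ($1 and $2 are files
# containing nm output). Uses temp files, so it stays POSIX sh.
shared_symbols() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    symbol_names < "$1" > "$a"
    symbol_names < "$2" > "$b"
    LC_ALL=C comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Count of clashing names, for a quick yes/no check in scripts.
shared_symbol_count() {
    shared_symbols "$1" "$2" | wc -l | tr -d ' '
}

# Dump defined dynamic symbols of a real library. Not run here; typical
# invocation (paths are assumptions, adjust to your system):
#   library_symbols /usr/local/lib/libcrypto.so > ports_libcrypto.syms
#   library_symbols /usr/lib/libkrb5.so         > base_heimdal.syms
#   shared_symbols ports_libcrypto.syms base_heimdal.syms
library_symbols() {
    nm -D --defined-only "$1"
}

# Constructed sample listings (not real nm output) so the check runs offline.
SAMPLE_PORTS_LIBCRYPTO=$(mktemp)
cat > "$SAMPLE_PORTS_LIBCRYPTO" <<'EOF'
0000000000012340 T EVP_md5
0000000000012350 T RAND_bytes
0000000000012360 T SSL_CTX_new
0000000000012370 D OPENSSL_ia32cap_P
EOF

SAMPLE_HCRYPTO=$(mktemp)
cat > "$SAMPLE_HCRYPTO" <<'EOF'
0000000000004560 T EVP_md5
0000000000004570 T RAND_bytes
0000000000004580 T hc_EVP_sha256
0000000000004590 D _hc_rand_method
EOF

# Running the script directly prints the two clashing names from the samples.
shared_symbols "$SAMPLE_PORTS_LIBCRYPTO" "$SAMPLE_HCRYPTO"
```

If the real libraries print a non-empty list, the failing port is pulling both definitions into one link, and the fix is to build the whole dependency chain against one crypto provider rather than mixing base and ports libraries; an empty list points at the other failure classes (a port that depends on a Kerberos flavour the chosen openssl does not provide, or plain build breakage in the port).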



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20201211202315.GK64351>