Date: Sat, 19 Dec 2009 09:58:49 +0100
From: "H. Ingow" <hingow@googlemail.com>
To: freebsd-stable@freebsd.org
Subject: SSL appears to be broken in 8-STABLE/RELEASE
Message-ID: <f7206c210912190058u36222a04ge474279af10c9990@mail.gmail.com>
First my apologies for breaking the thread.

We also had this issue and tried to find an acceptable solution. To make a long story short: Please try to compile your application against the version of openssl available in the ports tree. As you already mentioned, (SA-09:15) breaks renegotiation with the base system's openssl by fixing a security issue (it actually does).

A prerequisite for the following is, of course, to install /usr/ports/security/openssl, which will give you openssl 0.9.8l. (You do not necessarily have to remove the base openssl.)

You may then set 'WITH_OPENSSL_PORT=YES' in /etc/make.conf and rebuild your application(s) via the ports; they should then be compiled correctly against the ports version.

Or, but this will only work if your application's configure script has a switch to set the path to ssl or openssl to the ports-openssl's location, something like

    # setenv LD_LIBRARY_PATH /usr/local/lib   ## this actually may be removed after build

and configure with the appropriate option, maybe like

    # ./configure --openssl-path=/usr/local/lib

Just make sure it compiled properly. The output of ldd should show (apart from others):

    # ldd application
    /app/li/cation
    ......
    libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
    libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
    . ........

For the applications we use, this works with both versions of openssl on the same box, without any interference.

Considerations about this?

HTH
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f7206c210912190058u36222a04ge474279af10c9990>
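
The ldd check described in the message can be scripted. The following is an added example, not part of the original e-mail: the script name, function names and sample ldd lines (including the base-system path in the mixed sample) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that a binary resolves libssl/libcrypto from the ports tree.
PORTS_LIBDIR="/usr/local/lib"   # ports OpenSSL location named in the message

# Reads ldd output on stdin, prints "<lib> <resolved path> <ports|other>" for
# every libssl/libcrypto entry. Exit status: 0 = all from PORTS_LIBDIR,
# 1 = at least one resolved elsewhere (or not found), 2 = no OpenSSL dependency.
classify_ssl_libs() {
    awk -v dir="$PORTS_LIBDIR" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            found = 1
            origin = (index($3, dir "/") == 1) ? "ports" : "other"
            if (origin == "other") bad = 1
            print $1, $3, origin
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Runs ldd on a real binary and classifies the result.
check_binary() {
    ldd "$1" 2>/dev/null | classify_ssl_libs
}

# Constructed sample ldd output (first two lines as quoted in the message).
SAMPLE_PORTS='    libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
    libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
    libc.so.7 => /lib/libc.so.7 (0x88300000)'

# Constructed sample: libssl from ports but libcrypto still resolved from an
# assumed base-system path, i.e. a partially relinked application.
SAMPLE_MIXED='    libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
    libcrypto.so.5 => /lib/libcrypto.so.5 (0x28200000)'

# Usage: sh check_ssl_link.sh /path/to/binary [...]
for bin in "$@"; do
    rc=0
    check_binary "$bin" || rc=$?
    case $rc in
        0) echo "$bin: OpenSSL resolved from $PORTS_LIBDIR" ;;
        1) echo "$bin: OpenSSL resolved outside $PORTS_LIBDIR, rebuild needed" ;;
        *) echo "$bin: no libssl/libcrypto dependency found" ;;
    esac
done
```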