Hey all!
If I look at base openssl in 7.3-RELEASE-p3
sys# openssl version -a
OpenSSL 0.9.8e 23 Feb 2007
built on: Mon Sep 27 11:54:36 MSD 2010
platform: FreeBSD-i386
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc
OPENSSLDIR: "/etc/ssl"
but at www.openssl.org I see that it's not the most recent version:
01-Jun-2010: OpenSSL 0.9.8o is now available, including important
bug and security fixes
I know that the FreeBSD security team makes patches for base openssl, but
how can I know what patch level the openssl in base is at?
Like "-p5" in "OpenSSL 0.9.8e-p5 23 Feb 2007".
c0re <nr1c0re*******> articulated:
Why not just install the ports version:
openssl version -a
OpenSSL 1.0.0a 1 Jun 2010
built on: Sun Jun 6 12:19:12 EDT 2010
platform: BSD-x86_64
options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall -O2 -pipe -march=athlon64 -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/usr/local/openssl"
You would need to add this to the "/etc/make.conf" file first I believe:
WITH_OPENSSL_PORT=yes
--
Jerry ✌
FreeBSD.user*******
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
Fat Liberation: because a waist is a terrible thing to mind.
It breaks a lot, and causes you to need to rebuild some parts of the base system. The most notable is SSHD, which, whenever I install the openssl from ports, will not work unless I rebuild SSHD or remove the ports version.
William Brown
pgp.mit.edu
Indexer <indexer*******> articulated:
There were (maybe still are) a few ports that don't work correctly with
openssl via ports; however, I have filed PRs on them and for the most
part they have been fixed. However, I would not let that fact deter
you from using a newer, safer version of the application.
When building a new system, I start with the newer version from the
start. If updating later, I have found that first installing the new
openssl version via ports, and then using portmanager with the "-p"
option rebuilds virtually any port still dependent on the deprecated
version. In any case, I believe it is a prerequisite to have the
previously noted notation in the "/etc/make.conf" file prior to building
any port(s) or kernel/world.
In any case, however, to his own.
--
Jerry ✌
FreeBSD.user*******
There are still too many broken ports with openssl from ports; I do
not like debugging them and really like to use base openssl, there is almost no
difference.
But I just want to have some proof that the base system openssl has
security patches, because the 7.3-RELEASE base openssl is 0.9.8e, and
0.9.8e has got security vulnerabilities. But how can I be sure that
the FreeBSD base system with the 0.9.8e version does not have any
vulnerabilities?
c0re <nr1c0re*******> articulated:
Might I suggest that if you are aware of ports that don't work
correctly with the port's version of openssl that you file a PR against
it. I have done so and succeeded in getting several patches issued to
correct the problem. This problem will not go away by itself.
--
Jerry ✌
FreeBSD.user*******
Jerry, I'm not about that :) base openssl is OK. But I need proof
that it has got no security problems; it's an external IT auditors'
request.
And I'm interested in how I can know what patch level the base
openssl version is at, and how to prove to them (the auditors) that the FreeBSD base openssl
is not vulnerable.
Please don't top-post, thanks.
http://security.freebsd.org/advisories/
The files say which version it's corrected in.
--
Adam Vande More
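One way to turn Adam's pointer into something you can hand an auditor is to script the comparison: take the "Corrected:" lines from an advisory under http://security.freebsd.org/advisories/ and compare the patch level they name for your release branch against the running `uname -r`. The script below is an added example, not code posted by anyone in this thread. The advisory text in it is a constructed sample in the layout real advisories use; "FreeBSD-SA-EXAMPLE.openssl" and its dates and patch levels are placeholders, not a real advisory.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a running FreeBSD
# patch level already includes the fix an advisory describes, by reading
# the advisory's "Corrected:" block. Works in POSIX sh.

# Constructed sample advisory text. The ID, dates and patch levels are
# placeholders; real advisories live at http://security.freebsd.org/advisories/
SAMPLE_ADVISORY='FreeBSD-SA-EXAMPLE.openssl   (constructed sample, not a real advisory)
Announced:      2010-01-01
Corrected:      2010-01-01 00:00:00 UTC (RELENG_8, 8.0-STABLE)
                2010-01-01 00:00:00 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2010-01-01 00:00:00 UTC (RELENG_7, 7.3-STABLE)
                2010-01-01 00:00:00 UTC (RELENG_7_3, 7.3-RELEASE-p1)
'

# corrected_patchlevel ADVISORY_TEXT RELEASE
# Prints the N from "RELEASE-pN" on the advisory's Corrected: lines, or
# nothing if the advisory does not list that release at all.
corrected_patchlevel() {
    # escape the dots in "7.3-RELEASE" so sed treats them literally
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" \
        | sed -n "s/.*(RELENG_[0-9_]*, ${esc}-p\([0-9]*\)).*/\1/p" \
        | head -n 1
}

# running_release UNAME_R  -> "7.3-RELEASE" from "7.3-RELEASE-p3"
running_release() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1%-p*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# running_patchlevel UNAME_R -> "3" from "7.3-RELEASE-p3"; no -pN means 0
running_patchlevel() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# is_patched ADVISORY_TEXT UNAME_R
# Exit status 0: running patch level is at or past the corrected one.
#             1: running patch level is behind, the fix is missing.
#             2: the advisory names no patch level for this release
#                (it may not affect it, or may predate it; check by hand).
is_patched() {
    rel=$(running_release "$2")
    have=$(running_patchlevel "$2")
    need=$(corrected_patchlevel "$1" "$rel")
    [ -n "$need" ] || return 2
    [ "$have" -ge "$need" ]
}

# Stand-alone demo against the poster's 7.3-RELEASE-p3 (a constructed value;
# on a real box pass "$(uname -r)" and the advisory file's contents instead).
if is_patched "$SAMPLE_ADVISORY" "7.3-RELEASE-p3"; then
    echo "7.3-RELEASE-p3: fix included"
else
    echo "7.3-RELEASE-p3: fix missing or release not listed (status $?)"
fi
```

On a real system you would feed it `uname -r` and the downloaded advisory text (`fetch` the `.asc` file, verify the signature, then pass its contents); the audit artefact is then the advisory itself plus this comparison, which is stronger than the bare `openssl version` string, since the base OpenSSL keeps reporting 0.9.8e however many security patches it carries.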
Sorry. Won't in future. But why?
Thanks, it's better than nothing :)
Because it messes up the flow of reading.
I prefer to bottom-post.
--
chs,
I understood you.
They just look at "openssl version" and that's all.
I'll just install openssl from ports, hide /usr/bin/openssl temporarily,
they get all they need (there is openssl in /usr/local/bin/), and then
I deinstall openssl from ports and restore /usr/bin/openssl.
That's absurd, but that's auditors... :)
Thanks all. It's hard to prove to auditors that base openssl is OK.
_authoritative_ answer: You _cannot_.
Statement rationale:
"The number of discovered bugs in any system is a finite number.
The number of _UNDISCOVERED_ bugs, on the other hand, is an infinite one.
By definition."
While I agree with your point in this context, the statement "The number of
_UNDISCOVERED_ bugs, on the other hand, is an infinite one." is false.
http://www.unsw.edu.au/news/pad/articles/2009/sep/microkerne[..]
--
Adam Vande More
Adam Vande More <amvandemore*******> articulated:
It was later discovered that the software used to certify the kernel
100% bug-free was not itself bug-free thereby nullifying results.
--
Jerry ✌
FreeBSD.user*******
Link or another "Jerry Fact"
--
Adam Vande More
Adam Vande More <amvandemore*******> articulated:
I would have thought that was obvious. Although, it does remind me of
the old myth that the bumblebee should not be able to fly
< http://en.wikipedia.org/wiki/Bumblebee>.
"There's a sucker born every minute" is a phrase often credited to P.
T. Barnum, and quite often true.
--
Jerry ✌
FreeBSD.user*******
The paper "Diverse Double-Compiling" by David A Wheeler is relevant
although not strictly the same topic. It could be used to avoid this
type of issue.
--
Eitan Adler
Even if it works it's only proving that at some level of abstraction
the implementation matches a formal specification, there's still scope
for higher and lower level bugs.
But just because something is unknown doesn't mean it's infinite.
No, it's not 'obvious', just like many other things.
People believed Aristotle's assurances about the rate of things
falling for nearly 2000 years until Galileo and Newton pointed out
'obvious' flaws in his method.
Again, link?
Chris
Chris Rees <utisoft*******> articulated:
Which is precisely my point in regards to the link shown above.
--
Jerry ✌
FreeBSD.user*******
Er, no.
YOU have the burden of proof in your assertion, 'obvious' is not good
enough. The link above refers to a study; if you think there's been a
bug then show us.
Chris
Filed one PR.
http://www.freebsd.org/cgi/query-pr.cgi?pr=152483
Hope this will be resolved someday :)