openssl version - how to verify

c0re nr1c0re at gmail.com
Wed Nov 17 09:54:52 UTC 2010


2010/11/16 Dennis Glatting <dg17 at penx.com>:
> On Tue, 2010-11-16 at 10:28 +0300, c0re wrote:
>> Jerry, I'm not about that :) The base openssl is OK. But I need proof
>> that it has got no security problems - it's the external IT auditors'
>> request.
>> And I'm interested in how I can know what patchlevel the base
>> openssl version has and prove to them (the auditors) that the FreeBSD
>> base openssl is not vulnerable.
>>
>
> Most operating systems have a variant of OpenSSL they patch from the
> security bug set without bumping the OpenSSL version identifier (they
> usually tack on an OS-specific identifier but the OpenSSL identifier
> becomes meaningless). For example Debian is a patched "g", which you
> would conclude is old (in many respects it is old) and therefore
> riddled with security holes.
>
> Debian 5.0.6:
>        Tasha:# openssl version
>        OpenSSL 0.9.8g 19 Oct 2007
>
> FreeBSD 8.1:
>        btw> openssl version
>        OpenSSL 0.9.8n 24 Mar 2010
>
> That /does not/ mean those versions of OpenSSL have security holes.
>
> The fallacy with auditors is they look at version identifiers to make
> conclusions. This is in error. You need to figure out what they are
> looking for. Do they have a specific issue? Bug? Test suite they want
> run?
>
> You /could/ install the most recent version of OpenSSL but there is no
> guarantee it will replace the running version and it /could/ break
> applications, if only introducing holes that previously didn't exist
> (data structure sizing, library binding, function argument sets, etc.)
>
>
>
>
>> 2010/11/15 Jerry <freebsd.user at seibercom.net>:
>> > On Mon, 15 Nov 2010 18:40:27 +0300
>> > c0re <nr1c0re at gmail.com> articulated:
>> >
>> >> There are still too many broken ports with openssl from ports, I do
>> >> not like debug it and really like to use base openssl, almost no
>> >> difference.
>> >
>> > Might I suggest that if you are aware of ports that don't work
>> > correctly with the port's version of openssl that you file a PR against
>> > it. I have done so and succeeded in getting several patches issued to
>> > correct the problem. This problem will not go away by itself.
>> >
>> > --
>> > Jerry
>> > FreeBSD.user at seibercom.net
>> >
>> > Disclaimer: off-list followups get on-list replies or get ignored.
>> > Please do not ignore the Reply-To header.
>> > __________________________________________________________________
>> >
>> > _______________________________________________
>> > freebsd-questions at freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>> >
>>
>
>
>

I understood you.
They just look at "openssl version" and that's all.
I just install openssl from ports, hide /usr/bin/openssl temporarily,
they get all they need (there is openssl in /usr/local/bin/) and then
I deinstall openssl from ports and restore /usr/bin/openssl.
That's absurd, but that's auditors... :)

Thanks all. It's hard to prove to auditors that the base openssl is OK.
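Dennis's point is that the upstream patch letter says nothing about vendor backports; what an auditor can actually check is the version string together with the OS patch level, matched against the vendor's security advisories. The script below is an added example (not from anyone in the thread) that gathers exactly that evidence; it assumes POSIX sh, `openssl version -a`, and a `uname -r` release string in FreeBSD's `8.1-RELEASE-p2` form.

```shell
#!/bin/sh
# Added example: collect the evidence an auditor needs, since the
# "openssl version" letter alone does not reveal vendor backports.
# Assumes POSIX sh, `openssl version -a` and `uname -r`.

# Extract the version number (e.g. 0.9.8n) from an "openssl version" line.
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Extract the trailing patch letter ("n" from 0.9.8n); empty if none.
openssl_patch_letter() {
    openssl_version_number "$1" | sed -n 's/^[0-9.]*\([a-z]*\)$/\1/p'
}

# Extract the OS patch level from a FreeBSD release string:
# "8.1-RELEASE-p2" -> 2; prints 0 when there is no -pN suffix.
freebsd_patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *) printf '0\n' ;;
    esac
}

# One-line evidence record: upstream version, patch letter, OS release
# and OS patch level. The os/os_patch pair is what to match against the
# vendor's security advisories; the letter by itself proves nothing.
evidence_record() {
    ver_line="$1"; release="$2"
    printf 'openssl=%s letter=%s os=%s os_patch=%s\n' \
        "$(openssl_version_number "$ver_line")" \
        "$(openssl_patch_letter "$ver_line")" \
        "$release" \
        "$(freebsd_patch_level "$release")"
}

# Live run, only when the tools exist: first line of `openssl version -a`
# (the version string) plus the kernel release string.
if command -v openssl >/dev/null 2>&1 && command -v uname >/dev/null 2>&1; then
    evidence_record "$(openssl version -a 2>/dev/null | head -n 1)" "$(uname -r)"
fi
```

Hand the resulting record to the auditors alongside the FreeBSD security advisories that apply to that release and patch level, rather than the version letter alone.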

