SSL appears to be broken in 8-STABLE/RELEASE

Chris H chris# at
Sat Dec 19 10:56:00 UTC 2009

Greetings, and thank you for taking the time to respond.
On Sat, December 19, 2009 12:58 am, H. Ingow wrote:
> First my apologies for breaking the thread.
> We also had this issue and tried to find an acceptable solution.
> To make a long story short:
> Please try to compile your application against the version of openssl
> available in the ports tree.
> As you already mentioned, (SA-09:15) breaks renegotiation with the base system's
> openssl by fixing a security issue (it actually does).
> Prerequisite for the following is, of course, to install
> /usr/ports/security/openssl which will give you
> openssl 0.9.8l. (You do not necessarily have to remove the base openssl.)
> You may then set 'WITH_OPENSSL_PORT=YES' in /etc/make.conf
> and rebuild your application(s) via the ports; they should then be compiled
> correctly against the ports version.
> Or, but this will only work if your application's configure script has a
> switch to set the path to ssl or openssl to the ports-openssl's location,
> something like
> #  setenv LD_LIBRARY_PATH /usr/local/lib       ## this actually may be
> removed after build
> and  configure with the appropriate option maybe alike
> # ./configure --openssl-path=/usr/local/lib
> Just make sure it compiled properly.
> The output of ldd should show (apart from other):
> # ldd application
> /app/li/cation
> ......
> => /usr/local/lib/ (0x881bc000) =>
> /usr/local/lib/ (0x88200000)
> .                ........
> For the applications we use, this works with both versions of openssl on the
> same box, without any interference.

Excellent suggestion! I hadn't /yet/ compared the ports version against base.
Your suggestion has a great deal less overhead than my initial thoughts to
"back-patch" to pre-2009-12-03-openssl, and flagging that portion of the tree
as HOLD. I like your suggestion /much/ better. Thank you very much for taking the
time to share it. :)

Best wishes.

--Chris H
> Considerations about this ?
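An added example, not part of this thread, that automates the ldd check H. Ingow describes above: it parses ldd output and reports whether libssl/libcrypto resolve under /usr/local/lib (the security/openssl port) or under the base system. The function names are hypothetical and the sample ldd lines are constructed, since the real library names were lost from the archived mail.

```shell
#!/bin/sh
# Added example, not from the thread. Parses ldd output and reports where
# libssl/libcrypto resolve: "ports" for /usr/local/lib (security/openssl),
# "base" for /lib or /usr/lib (the base-system OpenSSL that SA-09:15 patched).
# Function names are hypothetical; the sample ldd lines below are constructed.

# check_ssl_libs <ldd-output-text>
# Prints "<lib> ports|base|unknown" per OpenSSL library; returns 0 only when
# at least one OpenSSL library was found and all of them come from the port.
check_ssl_libs() {
    printf '%s\n' "$1" | awk '
        /lib(ssl|crypto)\.so/ {
            # ldd line shape: libssl.so.6 => /usr/local/lib/libssl.so.6 (0x...)
            path = $3
            if (index(path, "/usr/local/lib/") == 1) {
                print $1, "ports"
            } else if (index(path, "/usr/lib/") == 1 || index(path, "/lib/") == 1) {
                print $1, "base"; bad = 1
            } else {
                print $1, "unknown"; bad = 1
            }
            seen = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# check_binary <path>: run ldd on a real binary on the box. ldd honours
# LD_LIBRARY_PATH, so run it with the environment the service actually starts
# with; a build-time setenv left in place can make the result look better than it is.
check_binary() {
    check_ssl_libs "$(ldd "$1")"
}

# Constructed sample: an application rebuilt against the port (libc still from base).
SAMPLE_PORTS='libssl.so.6 => /usr/local/lib/libssl.so.6 (0x881bc000)
libcrypto.so.6 => /usr/local/lib/libcrypto.so.6 (0x88200000)
libc.so.7 => /lib/libc.so.7 (0x28100000)'

# Constructed sample: the same application still linked against base OpenSSL.
SAMPLE_BASE='libssl.so.6 => /usr/lib/libssl.so.6 (0x28200000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x28300000)'

for s in "$SAMPLE_PORTS" "$SAMPLE_BASE"; do
    if check_ssl_libs "$s"; then echo "OK: ports OpenSSL"; else echo "WARN: not (only) ports OpenSSL"; fi
done
```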
