SSL appears to be broken in 8-STABLE/RELEASE
chris# at 1command.com
Sat Dec 19 10:56:00 UTC 2009
Greetings, and thank you for taking the time to respond.
On Sat, December 19, 2009 12:58 am, H. Ingow wrote:
> First my apologies for breaking the thread.
> We also had this issue and tried to find an acceptable solution.
> To make a long story short:
> Please try to compile your application against the version of openssl
> available in the ports tree.
> As you already mentioned, (SA-09:15) breaks renegotiation with the base system's
> openssl by fixing a security issue (it actually does).
> Prerequisite for the following is, of course, to install
> /usr/ports/security/openssl which will give you
> openssl 0.9.8l. (You do not necessarily have to remove the base openssl)
> You may then set 'WITH_OPENSSL_PORT=YES' in /etc/make.conf
> and rebuild your application(s) via the ports; they should then be compiled
> correctly against the ports-version.
> Or, but this will only work if your application's configure script has a
> switch to set the path to ssl or openssl to the ports-openssl's location,
> something like
> # setenv LD_LIBRARY_PATH /usr/local/lib ## this actually may be
> removed after build
> and configure with the appropriate option, maybe like
> # ./configure --openssl-path=/usr/local/lib
> Just make sure it compiled properly.
> The output of ldd should show (apart from other):
> # ldd application
> libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
> libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
> . ........
> For the applications we use, this works with both versions of openssl on the
> same box, without any interference.
Excellent suggestion! I hadn't /yet/ compared the ports version against base.
Your suggestion has a great deal less overhead than my initial thoughts to
"back-patch" to pre-2009-12-03-openssl and flag that portion of the tree
as HOLD. I like your suggestion /much/ better. Thank you very much for taking the
time to share it. :)
> Considerations about this?
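As an added example (not part of this thread, and not a FreeBSD or ports tool), the following POSIX shell script automates the ldd check from the quoted reply: it reads ldd output and passes only when every libssl/libcrypto line resolves under /usr/local/lib, so a binary that still picks up the base system's OpenSSL, or one whose library was not found at all, is flagged. The sample ldd output is constructed, modelled on the quoted lines, and the binary path in check_binary is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a binary resolves libssl and
# libcrypto from the ports OpenSSL (/usr/local/lib) rather than the base
# system's copy, automating the ldd check described in the quoted reply.

# check_ssl_linkage: reads ldd output on stdin; exits 0 only when every
# libssl/libcrypto line resolves to a file under /usr/local/lib.
# "not found" lines and base-system paths (/usr/lib, /lib) both fail,
# as does output that mentions no OpenSSL library at all.
check_ssl_linkage() {
    awk '
        /lib(ssl|crypto)\.so/ {
            total++
            if ($2 == "=>" && $3 ~ /^\/usr\/local\/lib\//) ok++
        }
        END { if (total > 0 && ok == total) exit 0; exit 1 }
    '
}

# check_binary: run ldd on a real binary and feed it to the check.
# usage: check_binary /usr/local/sbin/application   (hypothetical path)
check_binary() {
    ldd "$1" | check_ssl_linkage
}

# Constructed sample ldd output modelled on the lines quoted in the thread:
# an application rebuilt against the ports OpenSSL ...
PORTS_LDD='libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
libc.so.7 => /lib/libc.so.7 (0x28100000)'

# ... and one still linked against the base system OpenSSL (constructed).
BASE_LDD='libssl.so.5 => /usr/lib/libssl.so.5 (0x281bc000)
libcrypto.so.5 => /lib/libcrypto.so.5 (0x28200000)
libc.so.7 => /lib/libc.so.7 (0x28100000)'

# report: prints a one-line verdict for a sample and returns the check's status.
report() {
    if printf '%s\n' "$2" | check_ssl_linkage; then
        echo "$1: linked against ports OpenSSL"
    else
        echo "$1: still using base OpenSSL (or library not found)"
        return 1
    fi
}

report "ports build" "$PORTS_LDD"
report "base build" "$BASE_LDD" || true   # expected to fail the check
```

To check a real binary on the box, call check_binary with its path; a non-zero exit means the application was not rebuilt against the ports OpenSSL and still carries the base library's renegotiation behaviour.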