SSL appears to be broken in 8-STABLE/RELEASE

Chris H chris# at 1command.com
Sat Dec 19 10:56:00 UTC 2009


Greetings, and thank you for taking the time to respond.
On Sat, December 19, 2009 12:58 am, H. Ingow wrote:
> First my apologies for breaking the thread.
> We also had this issue and tried to find an acceptable solution.
> To make a long story short:
>
>
> Please try to compile your application against the version of openssl
> available in the ports tree.
>
> As you already mentioned, SA-09:15 breaks renegotiation with the base system's
> openssl by fixing a security issue (it actually does).
>
> Prerequisite for the following is, of course, to install
> /usr/ports/security/openssl which will give you
> openssl 0.9.8l . (You do not necessarily have to remove the base openssl)
>
> You may then add 'WITH_OPENSSL_PORT=YES' to /etc/make.conf
> and rebuild your application(s) via the ports; they should then be compiled
> correctly against the ports version.
>
> Or, but this will only work if your application's configure script has a
> switch to set the path to ssl or openssl to the ports-openssl's location,
> something like
>
> # setenv LD_LIBRARY_PATH /usr/local/lib    ## this actually may be removed after build
>
> and configure with the appropriate option, maybe something like
>
> # ./configure --openssl-path=/usr/local/lib
>
>
> Just make sure it compiled properly.
> The output of ldd should show (among others):
> # ldd application
> /app/li/cation
> ...
> libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
> libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
> ...
>
>
> For the applications we use, this works with both versions of openssl on the
> same box, without any interference.

Excellent suggestion! I hadn't /yet/ compared the ports version against base.
Your suggestion has a great deal less overhead than my initial thoughts to
"back-patch" to pre-2009-12-03 openssl and flag that portion of the tree
as HOLD. I like your suggestion /much/ better. Thank you very much for taking the
time to share it. :)

Best wishes.

--Chris H
>
> Considerations about this ?
>
>
> HTH
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
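A script for the ldd verification step described above, added here as an example and not taken from the thread: it reads ldd output and confirms that libssl and libcrypto both resolve under the ports prefix /usr/local/lib, and it flags the mixed case where one library still comes from the base system's /usr/lib. The sample ldd outputs (and their load addresses) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify from ldd output that an application
# picked up the ports OpenSSL (/usr/local/lib) for BOTH libssl and libcrypto.
# A mix (libssl from ports, libcrypto from base /usr/lib) is reported as a
# failure, since both libraries must come from the same OpenSSL build.
PORTS_PREFIX=/usr/local/lib

# Reads ldd output on stdin and prints one verdict line per SSL library.
# Returns 0 if libssl and libcrypto both resolve under $PORTS_PREFIX, else 1.
check_ssl_linkage() {
    bad=0
    seen=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*"=>"*|*libcrypto.so*"=>"*) ;;
            *) continue ;;
        esac
        seen=$((seen + 1))
        # The resolved path is the token after "=> "; drop the load address.
        path=${line#*=> }
        path=${path%% *}
        case "$path" in
            "$PORTS_PREFIX"/*) echo "OK   $path" ;;
            *) echo "BAD  $path (expected $PORTS_PREFIX)"; bad=1 ;;
        esac
    done
    if [ "$seen" -ne 2 ]; then
        echo "expected libssl and libcrypto, found $seen SSL libraries"
        return 1
    fi
    return "$bad"
}

# Constructed sample ldd output (addresses are made up).
GOOD_LDD='application:
        libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
        libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x88200000)
        libc.so.7 => /lib/libc.so.7 (0x88300000)'
MIXED_LDD='application:
        libssl.so.5 => /usr/local/lib/libssl.so.5 (0x881bc000)
        libcrypto.so.5 => /usr/lib/libcrypto.so.5 (0x88200000)
        libc.so.7 => /lib/libc.so.7 (0x88300000)'

printf '%s\n' "$GOOD_LDD" | check_ssl_linkage && echo "good build: PASS"
printf '%s\n' "$MIXED_LDD" | check_ssl_linkage || echo "mixed build: FAIL (as expected)"
# Real use: ldd /path/to/application | check_ssl_linkage
```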