"Online" Updating of OpenSSL
Florian Heigl
florian.heigl at gmail.com
Thu Jun 12 20:10:52 UTC 2014
Hi,
Thanks for the hints!
On 12.06.2014, at 19:38, khatfield at socllc.net wrote:
> There are a few ways to do it and I'm certain there is an easier method than what I'm recommending. However, you can use portmaster, for example. You could also use this wrapper script:
>
> http://www.charlieroot.de/bsd/pkg_depends.pl
That won’t catch anything that uses an OpenSSL from base though, right?
Is it bad practice to use the one from base? (I wouldn't mind to know :)
If I go with the depends I could probably hunt them down on the tinderbox host, and compile some list there.
maybe?
>
> With no arguments you're going to pull everything. I would recommend looking at running services and using this script to view the dependencies per service package.
>
> Ensuring that (of course) restart all services with open ports after the upgrade. (Web/email/ssh/etc)
The most ideal / exact way for *this* is what I’m after.
Especially identifying this “all” 100% correctly.
I’d like to have it down to a point where I’d even see if a user has a self-compiled binary running that is linked to OpenSSL (or anything like this), so I can call them up.
But I take it I should take a first shot the easy way?
* source /etc/rc.local
* for any service that is set to “enabled”, check if it’s something that surely uses ssl (apache, mail, stunnel, ssh)
* search its rc script
* precedence for /usr/local/etc/rc.d and secondary for /etc/rc.d
* restart it
I’m sure that’ll cover most cases and it’s also pretty reliable.
But, as laid out above, imo that is far from making sure you get all of it.
Apache as an example shows it’s pretty tricky:
Apache isn’t linked against openssl, only the mod_ssl is.
Right now I only see the way by ldd’ing every file that is a library or binary.
Thanks for the inputs you all gave, I appreciate them!
Florian
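The "ldd every binary and library" approach from the message above, as an added example that is not part of the original thread: it classifies ldd output, tells a base OpenSSL apart from the ports one, and deliberately scans shared objects so that the mod_ssl case is caught even though httpd itself is clean. The directory layout (base in /usr/lib and /lib, ports in /usr/local/lib) is an assumption about a standard FreeBSD install.

```shell
#!/bin/sh
# Added example, not from the thread: find files linked against OpenSSL and
# tell base and ports copies apart from ldd output. Paths follow FreeBSD
# conventions (base: /usr/lib, /lib; ports: /usr/local/lib) and are assumptions.

# Return 0 when the given ldd output pulls in libssl or libcrypto.
ldd_links_openssl() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so'
}

# Report which OpenSSL the output resolves to: "ports", "base" or "none".
# Ports is checked first so a file that reaches both is flagged as ports.
openssl_origin() {
    case "$1" in
        *"=> /usr/local/lib/libssl"*|*"=> /usr/local/lib/libcrypto"*) echo ports ;;
        *"=> /usr/lib/libssl"*|*"=> /lib/libcrypto"*|*"=> /usr/lib/libcrypto"*) echo base ;;
        *) echo none ;;
    esac
}

# Walk a directory and print "<origin><TAB><path>" for every executable or
# shared object that links OpenSSL. Shared objects are included on purpose:
# httpd itself is clean, only mod_ssl.so shows the dependency.
scan_dir() {
    find "$1" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        out=$(ldd "$f" 2>/dev/null) || continue   # skip scripts and data files
        if ldd_links_openssl "$out"; then
            printf '%s\t%s\n' "$(openssl_origin "$out")" "$f"
        fi
    done
}

# Usage: "sh thisscript.sh --run" scans the usual ports directories.
if [ "${1:-}" = "--run" ]; then
    for d in /usr/local/bin /usr/local/sbin /usr/local/lib /usr/local/libexec; do
        scan_dir "$d"
    done
fi
```

The file scan only tells you what could be affected; to see what is actually running with the old library mapped (including a user's self-built binary), the same two classifier functions can be pointed at the file paths that `procstat -va` lists for each process.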
More information about the freebsd-isp mailing list