System based openssl

Jason Unovitch jason.unovitch at
Mon Mar 30 22:39:59 UTC 2015

On Sat, Mar 28, 2015 at 4:02 PM, Michael Powell <nightrecon at> wrote:
> Subscriber wrote:
>> Hi.
>> Witch version of system based OpenSSL last for FreeBSD 10.1?
>> I have # uname -srm
>> FreeBSD 10.1-RELEASE-p8 amd64
>> # freebsd-version -ku
>> 10.1-RELEASE-p8
>> 10.1-RELEASE-p8
>> # /usr/bin/openssl version
>> OpenSSL 1.0.1l-freebsd 15 Jan 2015
> This is correct. This is what is currently in the system base.
>> But says the last version OpenSSL in 1.0.1 tree is 1.0.1m
>> (19-Mar-2015)
> This would have to be imported into the system base. This involves developer
> time and effort. It is not quite trivial.
> There is also a newer OpenSSL in the ports tree. Version 1.0.2 if memory
> serves. I have seen bugs and problem reports filed against the 1.0.2 so I
> would be hesitant to just blindly 'install the port version' simply because
> it's newer.
> The FreeBSD devs do a pretty fair job at vetting what gets into the system
> base, and the resulting maintenance issues which arise from time to time.
> Trying to "outsmart" ones self with the delusion that I know more than they
> do is how many go about creating their own problems.
Just to be clear, the version number doesn't tell the whole story when
it comes to security updates.  Security updates change the minimum to
fix the issue and version number is not part of the change.
Introducing new versions means new features and more possibility for a
fix to cause new bugs.   If you look through the security advisories
page and what they change, you'll see what I mean.

With that said, with any rule there seems to be some exception
somewhere.  An errata notice to bump OpenSSL versions has happened in
the recent past.  The reasons for the bump are explained in the

Bottom line, keep the OS up to date first and you'll be fine.

>> No OpenSSL files available during freebsd-update:
>> # freebsd-update fetch
>> Looking up mirrors... 5 mirrors found.
>> Fetching metadata signature for 10.1-RELEASE from
>> done. Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>> The following files will be updated as part of updating to
>> 10.1-RELEASE-p8: /boot/kernel/kernel
>> What is wrong?
>> Thx.
> My first impression is nothing is wrong. You have what you're supposed to
> have. Other than that, I have never used freebsd-update so can't speak to
> anything relevant to that.
> -Mike

Your uname -srm shows 10.1-RELEASE-p8 while 10.1-RELEASE-p6 would be
the kernel distributed by freebsd-update.  The updates after that were
not kernel related.  Do you have custom kernel?  If so, removing the
'kernel' from the components line in /etc/freebsd-update.conf may be
warranted to prevent what's happening here.


More information about the freebsd-questions mailing list