[OpenSSL] /etc/ssl/cert.pem not honoured by default

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Dec 18 16:37:43 UTC 2015


On 2015/12/18 15:47, rhi wrote:
> Matthew Seaman <matthew <at> freebsd.org> writes:
> 
>> Is that the ports or the base version of openssl?  I can recreate your
>> results with the base openssl, but everything works as expected with the
>> ports version:
> 
> Yes, it's the base OpenSSL. Is this a known limitation or a bug in the base
> OpenSSL or do I use it wrongly?
> 
> Until now, I have avoided installing the OpenSSL port because the base
> OpenSSL gets security updates via freebsd-update and so it's one thing less
> to care about... also, I don't like the idea of having two different
> versions of the same thing on the system (because some applications might
> use the one versions, others the second one, and then it's quite difficult
> to find the bugs).
> 
> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> is only used for the system itself?
> 
> And thanks for your help! I wouldn't have had the idea that base OpenSSL vs.
> port OpenSSL could be the cause of the problem.

The default at the moment is to use the base system openssl, but there's
no particular recommendation over choosing that rather than using the
ports openssl.  There are plans to make many of the base system shlibs
private and that includes switching the ports to use openssl from ports,
but I don't think any changes along those lines are really imminent.

I don't know if the base system not reading /etc/ssl/certs.pem is by
design or not. I can't see any advantage of not reading it though.

While you will get security updates via freebsd-update for stuff in the
base, you'll equally get security updates for ports via pkg(8) -- even if
you're building your own, you can still get alerts via 'pkg audit' and
in fact, you're likely to be more exposed to security problems through
ported software than you are through the base system.  So updating your
ports is at least as important, and probably more important, than
updating the OS.

	Cheers,

	Matthew
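As an added example, not code from either poster: a small sh script that reports the directory each openssl binary was built to look in for its CA bundle (OPENSSLDIR, as printed by `openssl version -d`) and whether cert.pem is present there, which is the quickest way to see why one binary verifies and the other does not. The two binary paths and the use of an explicit -CAfile as the workaround are assumptions about a typical FreeBSD layout.

```shell
#!/bin/sh
# Added example (not from the thread): compare the default trust store
# of the base and ports openssl binaries. Binary paths are assumptions.

# Extract the directory from a line such as:  OPENSSLDIR: "/etc/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Report where one openssl binary looks for cert.pem by default.
# Returns 0 if the bundle is readable there, 1 if missing, 2 if no binary.
trust_store_status() {
    bin="$1"
    [ -x "$bin" ] || { echo "$bin: not installed"; return 2; }
    dir=$(parse_openssldir "$("$bin" version -d)")
    if [ -r "$dir/cert.pem" ]; then
        echo "$bin: OPENSSLDIR=$dir cert.pem=present"
        return 0
    fi
    echo "$bin: OPENSSLDIR=$dir cert.pem=MISSING (chain verification fails unless -CAfile or SSL_CERT_FILE points at a bundle)"
    return 1
}

# Verify a PEM certificate against an explicit bundle, bypassing the
# binary's built-in default path. Usage: verify_with_bundle BIN BUNDLE CERT
verify_with_bundle() {
    "$1" verify -CAfile "$2" "$3"
}

main() {
    # Base system binary first, then the ports one (assumed locations).
    for b in /usr/bin/openssl /usr/local/bin/openssl; do
        trust_store_status "$b" || true
    done
}

main
```

Run it on the affected host; a binary whose OPENSSLDIR contains no cert.pem is the one that needs an explicit bundle (or the ports build) for verification to succeed.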


