[OpenSSL] /etc/ssl/cert.pem not honoured by default
Mark Felder
feld at FreeBSD.org
Tue Dec 22 19:47:10 UTC 2015
On Fri, Dec 18, 2015, at 16:21, Roger Marquis wrote:
> rhi wrote:
> >> Until now, I have avoided installing the OpenSSL port because the base
> >> OpenSSL gets security updates via freebsd-update and so it's one thing less
> >> to care about... also, I don't like the idea of having two different
> >> versions of the same thing on the system
>
> A fair number of sites have this issue, particularly with ssl and ssh
> binaries. IME this is one of FreeBSD's more longstanding administrative and
> security weaknesses. It is particularly painful for those of us who have
> to support a release for several years (after the last base update).
>
> >> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> >> is only used for the system itself?
>
> If you need the most recent ciphers and protocols you'll normally need to
> use the port. Features are backported from the (higher) port version to
> the base version i.e., without bumping the version string, however, it's
> not clear whether all applications can take advantage of them.
>
> Matthew Seaman wrote:
> > There are plans to make many of the base system shlibs private and that
> > includes switching the ports to use openssl from ports, but I don't think
> > any changes along those lines are really imminent.
>
> Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
> However I don't see a projects/release-pkg dir in -CURRENT.
>
> Any recommendations as to how we might help this particular effort?
>
What do you mean? It has been there for a while
https://svnweb.freebsd.org/base/projects/release-pkg/
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
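The base-versus-port OpenSSL split discussed above is easy to audit with ldd, since the base libssl/libcrypto live under /lib and /usr/lib while the security/openssl port installs under /usr/local/lib. The script below is an added example, not code from the original thread or from the FreeBSD project: it classifies a binary's OpenSSL linkage from ldd-style output (base, ports, mixed, or none) and derives the default cert.pem location from `openssl version -d`. The ldd sample is constructed, and the assumptions are that base libraries resolve under /lib or /usr/lib, port libraries under /usr/local/lib, and that OPENSSLDIR is /etc/ssl for the base build.

```sh
#!/bin/sh
# Added example (not from the original post). Audits which OpenSSL a
# binary is linked against on FreeBSD and where that build looks for
# cert.pem by default.

# classify_openssl: read ldd-style lines on stdin and print one of
#   base  | ports | mixed | none
# Assumption: base libssl/libcrypto resolve under /lib or /usr/lib,
# the port's copies under /usr/local/lib. A binary that pulls libssl
# from one and libcrypto from the other is "mixed", i.e. two versions
# of the same thing loaded into one process.
classify_openssl() {
    base=0; ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;                    # not an OpenSSL library
        esac
        case "$line" in
            */usr/local/lib/*) ports=1 ;;     # checked first: it also matches */lib/*
            */lib/*)           base=1 ;;      # /lib and /usr/lib
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then echo mixed
    elif [ "$base" -eq 1 ]; then echo base
    elif [ "$ports" -eq 1 ]; then echo ports
    else echo none
    fi
}

# openssldir_certfile: given the output line of `openssl version -d`,
# e.g. OPENSSLDIR: "/etc/ssl", print the cert.pem path that build reads
# by default. Returns 1 if the line is not in that shape.
openssldir_certfile() {
    dir=$(printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*/\1/p')
    [ -n "$dir" ] || return 1
    printf '%s/cert.pem\n' "$dir"
}

# Constructed sample, standing in for `ldd /usr/local/bin/curl` on a host
# where the port's libssl was picked up but libcrypto still came from base.
SAMPLE_LDD='libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800800000)
libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)
libc.so.7 => /lib/libc.so.7 (0x800e00000)'

printf '%s\n' "$SAMPLE_LDD" | classify_openssl     # prints: mixed
openssldir_certfile 'OPENSSLDIR: "/etc/ssl"'       # prints: /etc/ssl/cert.pem

# On a real host:
#   ldd /usr/local/bin/curl | classify_openssl
#   openssldir_certfile "$(/usr/local/bin/openssl version -d)"
```

Run it against the binaries you actually expose (web servers, MTAs, curl, fetch); a "mixed" result is the case to fix first, and comparing the two cert.pem paths shows why a CA bundle installed only in /etc/ssl is not seen by a port-linked program.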