svn commit: r406060 - head/security/openssl

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Jan 14 10:24:40 UTC 2016


On 01/13/16 19:16, Bernard Spil wrote:
> On 2016-01-13 18:56, Mark Felder wrote:
>> On Wed, Jan 13, 2016, at 11:29, Bernard Spil wrote:
>>> Author: brnrd
>>> Date: Wed Jan 13 17:29:12 2016
>>> New Revision: 406060
>>> URL: https://svnweb.freebsd.org/changeset/ports/406060
>>>
>>> Log:
>>>   security/openssl: Fix No-SSLv3 option
>>>
>>>     - This change adds `no-ssl3-method` to config args
>>>     - Bump portrevision
>>>
>>>   Testing with security/openssl built with SSL3 option disabled [1]
>>>   revealed that the openssl binary and the libraries still support SSLv3
>>>   connections and methods. With the added no-ssl3-method argument passed
>>>   to the config script, the binary no longer supports the -ssl3 option
>>>   and ports requiring SSLv3 methods fail on undefined references to
>>>   methods.
>>>
>>>   PR:             203693 [1]
>>>   Reviewed by:    koobs (mentor), feld (mentor, ports-secteam), dinoex
>>>   (maintainer)
>>>   Approved by:    koobs (mentor), feld (mentor, ports-secteam)
>>>   MFH:            2016Q1
>>>   Differential Revision:  D4924
>>>
>>
>> koobs and I (mentors) goofed up with the review process here. Dinoex as
>> maintainer was not involved in the review or approval process, but we
>> approved this commit and the commit log message.
>>
>> This change is a no-op for users who do not set SSL3=off.
>>
>> Sorry, dinoex :-)
> Hi,
> 
> I did send an email to dinoex with a request to review this patch. After
> the 2 approvals I committed but should've held back...
> 
> For users that set SSL3=off this is NOT a no-op. This may trigger build
> failures for people, a list of known affected ports is maintained on
> https://wiki.freebsd.org/OpenSSL/No-SSLv3. Luckily most major ports have
> already been patched.
> 
> Sorry...
> 

Yes, in hindsight, some sort of exp-run would have been appropriate here
-- there's too much that depends on openssl to take liberties with that
port.

Now I'm getting moaned at because the nagios-plugins package amongst
others are not available in our package repo.  Which is particularly
galling because this security fix only bit me due to using ports openssl
and turning off SSLv2 and SSLv3 as *security* enhancements.

Thanks to Bernard for his page of patches -- they're very welcome.

	Cheers,

	Matthew
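
The commit log quoted above says that with no-ssl3-method the SSLv3 methods disappear from the libraries and dependent ports fail on undefined references. The following is an added example, not part of this thread or of the ports tree, that checks both sides from `nm -D` output; the function names are hypothetical and the sample symbol tables are constructed.

```shell
#!/bin/sh
# Added example: find SSLv3 method symbols in `nm -D` output.
# SSLv3_method, SSLv3_client_method and SSLv3_server_method are the
# OpenSSL SSLv3 method constructors; everything else here is illustrative.
SSL3_RE='^SSLv3_(client_|server_)?method$'

# ssl3_symbols TYPE_REGEX: read `nm -D` output on stdin and print the
# SSLv3 method symbols whose nm type letter matches TYPE_REGEX.
ssl3_symbols() {
    awk -v types="$1" -v re="$SSL3_RE" '
        NF >= 2 {
            # defined symbols: "ADDR TYPE NAME"; undefined: "TYPE NAME"
            type = $(NF - 1); name = $NF
            sub(/@.*/, "", name)          # drop any symbol version suffix
            if (type ~ types && name ~ re) print name
        }' | sort -u
}

# Non-empty output: the library still provides SSLv3 methods.
lib_exports_ssl3() { ssl3_symbols '^[TtWw]$'; }

# Non-empty output: the binary references SSLv3 methods and will hit
# undefined references against a library built with no-ssl3-method.
bin_needs_ssl3() { ssl3_symbols '^U$'; }

# Constructed sample symbol tables (not taken from a real build).
SAMPLE_LIB_WITH_SSL3='0000000000031a40 T SSLv3_client_method
0000000000031a30 T SSLv3_method
0000000000031a50 T SSLv3_server_method
0000000000032b10 T TLSv1_2_method'
SAMPLE_LIB_NO_SSL3='0000000000032b10 T TLSv1_2_method'
SAMPLE_PORT_BINARY='                 U SSL_CTX_new
                 U SSLv3_client_method'

echo "library with SSLv3 methods exports:"
printf '%s\n' "$SAMPLE_LIB_WITH_SSL3" | lib_exports_ssl3
echo "library without SSLv3 methods exports:"
printf '%s\n' "$SAMPLE_LIB_NO_SSL3" | lib_exports_ssl3
echo "port binary requires:"
printf '%s\n' "$SAMPLE_PORT_BINARY" | bin_needs_ssl3
```

On a real system, pipe `nm -D` of the installed libssl into lib_exports_ssl3 and `nm -D` of each dependent binary into bin_needs_ssl3.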


