2010/11/16 Dennis Glatting <d...@penx.com>:
> On Tue, 2010-11-16 at 10:28 +0300, c0re wrote:
>> Jerry, I'm not about that :) base openssl is OK. But I need proof
>> that it has got no security problems - it's an external IT auditors'
>> request.
>> And I'm interested in how I can know what patch level the base
>> openssl version is at and prove to them (auditors) that the FreeBSD
>> base openssl is not vulnerable.
>>
>
> Most operating systems have a variant of OpenSSL they patch from the
> security bug set without bumping the OpenSSL version identifier (they
> usually tack on an OS-specific identifier but the OpenSSL identifier
> becomes meaningless). For example Debian is a patched "g," which you
> would conclude is old (in many respects it is old) and therefore
> security hole riddled.
>
> Debian 5.0.6:
> Tasha:# openssl version
> OpenSSL 0.9.8g 19 Oct 2007
>
> FreeBSD 8.1:
> btw> openssl version
> OpenSSL 0.9.8n 24 Mar 2010
>
> That /does not/ mean those versions of OpenSSL have security holes.
>
> The fallacy with auditors is they look at version identifiers to make
> conclusions. This is in error. You need to figure out what they are
> looking for. Do they have a specific issue? Bug? Test suite they want
> run?
>
> You /could/ install the most recent version of OpenSSL but there is no
> guarantee it will replace the running version and it /could/ break
> applications, if only introducing holes that previously didn't exist
> (data structure sizing, library binding, function argument sets, etc.)
>
>
>> 2010/11/15 Jerry <freebsd.u...@seibercom.net>:
>> > On Mon, 15 Nov 2010 18:40:27 +0300
>> > c0re <nr1c...@gmail.com> articulated:
>> >
>> >> There are still too many broken ports with openssl from ports, I do
>> >> not like to debug it and really like to use base openssl, almost no
>> >> difference.
>> >
>> > Might I suggest that if you are aware of ports that don't work
>> > correctly with the port's version of openssl that you file a PR against
>> > it. I have done so and succeeded in getting several patches issued to
>> > correct the problem. This problem will not go away by itself.
>> >
>> > --
>> > Jerry
>> > freebsd.u...@seibercom.net
>> >
>> > Disclaimer: off-list followups get on-list replies or get ignored.
>> > Please do not ignore the Reply-To header.
>> > __________________________________________________________________
>> >
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to
>> > "freebsd-questions-unsubscr...@freebsd.org"
I understood you. They just look at "openssl version" and that's all. I just
install openssl from ports, hide /usr/bin/openssl temporarily, they get all
they need (there is openssl in /usr/local/bin/) and then I deinstall openssl
from ports and restore /usr/bin/openssl. That's absurdity, but that's
auditors... :)

Thanks all. It's hard to prove to auditors that base openssl is OK.
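As an added example (not part of the thread, and not FreeBSD project code), the script below turns the two facts Dennis's reply points at into one evidence line an auditor can check: the "openssl version" banner, and the OS release plus patch level from "uname -r", which is what FreeBSD security advisories are issued against. The two sample banners are the ones quoted in the thread; the release strings are constructed for illustration. Run on a non-FreeBSD host it only prints the constructed samples, because the live call is gated on uname -s.

```shell
#!/bin/sh
# Added example: report the OpenSSL banner together with the OS patch level,
# so the letter suffix ("g", "n") is never read on its own.

# Parse a plain "openssl version" banner of the form
#   OpenSSL <version> <day> <month> <year>
# into "<version> (<day> <month> <year>)". Returns 1 on anything else.
parse_openssl_banner() {
    # shellcheck disable=SC2086  (word splitting of the banner is intended)
    set -- $1
    [ "$1" = "OpenSSL" ] && [ $# -ge 5 ] || return 1
    printf '%s (%s %s %s)\n' "$2" "$3" "$4" "$5"
}

# Extract the patch level from a FreeBSD release string as printed by uname -r:
#   8.1-RELEASE-p2 -> p2, 8.1-RELEASE -> p0 (no security patches applied).
# Non-FreeBSD release strings (assumed format, e.g. a Linux kernel version)
# make the function return 1 so callers do not report a bogus patch level.
freebsd_patchlevel() {
    case "$1" in
        *-RELEASE-p[0-9]*) printf '%s\n' "${1##*-}" ;;
        *-RELEASE)         printf 'p0\n' ;;
        *)                 return 1 ;;
    esac
}

# Combine both into one line, e.g.
#   openssl=0.9.8n (24 Mar 2010) os=8.1-RELEASE patch=p2
# The os= and patch= fields are what to compare against the advisories for
# that release; the openssl= field alone says nothing about applied fixes.
openssl_evidence() {
    banner=$1
    release=$2
    ver=$(parse_openssl_banner "$banner") || return 1
    patch=$(freebsd_patchlevel "$release") || return 1
    printf 'openssl=%s os=%s patch=%s\n' "$ver" "${release%-p[0-9]*}" "$patch"
}

# Constructed sample inputs (not captured from real hosts): the same banner
# from the thread on two hosts at different patch levels produces two
# different evidence lines, which is exactly the distinction a bare
# "openssl version" hides.
SAMPLE_BANNER='OpenSSL 0.9.8n 24 Mar 2010'
openssl_evidence "$SAMPLE_BANNER" '8.1-RELEASE'
openssl_evidence "$SAMPLE_BANNER" '8.1-RELEASE-p2'

# Live report, only where both inputs are meaningful.
if [ "$(uname -s)" = "FreeBSD" ] && command -v openssl >/dev/null 2>&1; then
    openssl_evidence "$(openssl version)" "$(uname -r)"
fi
```

The release strings are parsed with shell pattern matching only, so the script runs on the stock /bin/sh of FreeBSD 8.1 as well as on bash. When comparing base and ports builds, run the same function against /usr/bin/openssl and /usr/local/bin/openssl explicitly rather than relying on whichever one PATH resolves first.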