You should at least be able to know which of your packages have access to an SSL private key, and speak SSL.
You also need to recursively check each library dovecot links to... That libdovecot looks like a likely candidate for linking ssl.so.

That said, for dovecot, I THINK it uses dlopen at runtime to load ssl.so. You might try fstat on a running dovecot process that talks SSL.

-- 
Matthew Weigel

> On Apr 8, 2014, at 12:26 PM, Didier Wiroth <dwir...@gmail.com> wrote:
>
> Hello,
> I'm not a developer but more of an openbsd hobbyist.
> I'm using current with current packages that are a few days old.
>
> I patched my openbsd servers and revoked all my ssl keys, generated
> new ones and changed every possible password.
> Even though, as far as I understood, you can't be sure credentials
> have not been read out of memory and your system has not been
> compromised at some point in the past.
> Anyway, I had a look at the following patch and was reading the comments:
> <http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig>
> and came across this line:
> "Also recompile any statically-linked binaries depending on it"
>
> F.ex. I use dovecot:
> # ldd `which dovecot`
> /usr/local/sbin/dovecot:
>         Start            End              Type Open Ref GrpRef Name
>         000004f81c500000 000004f81c913000 exe  1    0   0      /usr/local/sbin/dovecot
>         000004fa2152c000 000004fa219f4000 rlib 0    1   0      /usr/local/lib/dovecot/libdovecot.so.2.0
>         000004fa1d890000 000004fa1dd7d000 rlib 0    1   0      /usr/lib/libc.so.74.0
>         000004fa275a7000 000004fa27aa4000 rlib 0    1   0      /usr/local/lib/libiconv.so.6.0
>         000004fa2bb00000 000004fa2bb00000 rtld 0    1   0      /usr/libexec/ld.so
>
> The following library is not listed: /usr/lib/libssl.so.20.0
> So I guess ssl was statically compiled in the dovecot package/port, as
> dovecot supports ssl and I currently use it.
>
> Is it possible to track which ports or packages have statically
> compiled in ssl support?
>
> Do I need to recompile/rebuild the port with the patched libssl library?
> or better ... but slower:
> Do I need to recompile every ports to be sure the bug can't be
> exploited on my openbsd systems?
>
> Thank you very much!
> Kind regards,
> Didier
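
One way to carry out the per-library check suggested in the reply above, as an added example that is not part of the original thread: it reads the dynamic section of every file under a package's directories and reports those that name libssl or libcrypto directly, which also catches modules loaded only through dlopen. It assumes objdump is installed; the function names, the script name in the usage comment and the two sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: report ELF files that name libssl/libcrypto as NEEDED.

# Read `objdump -p` output on stdin; print matching NEEDED entries and
# return 0 if at least one was found, 1 otherwise.
ssl_needed() {
    awk '$1 == "NEEDED" && $2 ~ /^lib(ssl|crypto)\.so/ { print $2; found = 1 }
         END { exit !found }'
}

# Walk the given directories and list every file that links OpenSSL directly.
# This catches plugin modules that are only dlopen()ed at runtime and so
# never appear in `ldd` output for the main binary.
scan_tree() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        libs=$(objdump -p "$f" 2>/dev/null | ssl_needed | tr '\n' ' ')
        if [ -n "$libs" ]; then printf '%s: %s\n' "$f" "$libs"; fi
    done
}

# Constructed sample: dynamic section of the main binary, mirroring the
# ldd listing quoted above (no libssl entry).
sample_main_dump() {
    cat <<'EOF'
Dynamic Section:
  NEEDED      libdovecot.so.2.0
  NEEDED      libiconv.so.6.0
  NEEDED      libc.so.74.0
EOF
}

# Constructed sample: dynamic section of a hypothetical SSL plugin module.
sample_plugin_dump() {
    cat <<'EOF'
Dynamic Section:
  NEEDED      libssl.so.20.0
  NEEDED      libc.so.74.0
EOF
}

# Usage (hypothetical script name): sh scan.sh /usr/local/lib/dovecot /usr/local/sbin
if [ "$#" -gt 0 ]; then scan_tree "$@"; fi
```

A statically linked copy of OpenSSL leaves no NEEDED entry, so this answers only the dynamic-linking half of the question.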