Date: Sun, 15 Sep 2002 17:41:53 +0200
From: Roman Neuhauser
To: richard childers
Cc: freebsd-questions@freebsd.org
Subject: Re: Answers (& Questions) Re: OpenSSH 3.4p1 Upgrade
Message-ID: <20020915154153.GE56092@freepuppy.bellavista.cz>
References: <3D7EB40F.331798E0@pacbell.net> <20020911133311.GX83171@freepuppy.bellavista.cz>
In-Reply-To: <20020911133311.GX83171@freepuppy.bellavista.cz>

# neuhauser@bellavista.cz / 2002-09-11 15:33:11 +0200:
> # fscked@pacbell.net / 2002-09-10 20:10:07 -0700:
> > ...
> >
> > Next we upgrade OpenSSL. The current version is 0.9.6g and is available
> > from both ftp.freebsd.org (../branches/-current/ports/security/openssl/)
> > and from the source, at www.openbsd.org.
> >
> > FreeBSD purists will insist that one uses the port.
> > I would have said the same until I tried it and found that while it
> > compiled and installed flawlessly, I (again) wanted the new installation
> > to overlay the old installation, neatly, and it was insistent on
> > installing the new OpenSSL installation in /usr/local; leaving me with
> > the task of (manually!!) hunting down and eliminating the bits and
> > pieces of the old OpenSSL installation, in /usr.
>
> you could have just done
>
>     make install clean -DOPENSSL_OVERWRITE_BASE
>
> but there's this prob with --openssldir; see below.

...

> > # make PREFIX=/usr LOCALBASE=/usr
> > # make PREFIX=/usr LOCALBASE=/usr install
>
> almost right (the specified LOCALBASE didn't bite you just
> because openssl has no dependencies [other than those in the base],
> and wasn't used)
>
> > This creates a pretty close installation to that received with FreeBSD
> > 4.6 but it still creates a /usr/local/openssl directory and puts some
> > libraries in there, if I recall correctly.
>
> actually, it'd create /usr/openssl, and this is a real bug imo.
> OPENSSL_OVERWRITE_BASE should set --openssldir=/etc/ssl.
>
> but even with openssldir set to /usr/openssl this should just work
> with the openssh port, but it doesn't look like it's actually the
> case.
>
> if you build openssh with -DUSE_OPENSSL_BASE, it expects you to have
> /etc/ssl, which will break if you installed the openssl port with
> -DOPENSSL_OVERWRITE_BASE.
>
> if you build openssh without the switch, it basically assumes you
> have /usr/local/openssl. bummer. :|

ok, i submitted a patch to the openssl port that sets --openssldir=/etc/ssl
if you have -DOPENSSL_OVERWRITE_BASE, and it just got committed.
> > I would think that critical things that are so important that they are
> > included in the operating system release (OpenSSL, OpenSSH) would be
> > important enough elements of a security infrastructure, that upgrading
> > them via the ports mechanism would result in a neatly overlaid new
> > installation over the old one - not a mixture of new and old
> > libraries, executables, and configuration files.
>
> this *should* be the case with the openssl port and the
> -DOPENSSL_OVERWRITE_BASE switch, but openssh obviously can't be
> installed in /usr without hacking the port Makefile, although it
> doesn't look like it'd be too hard.

i *might* take a look at this, too. no promises, though.

--
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE 5:37PM up 25 days, 23:29, 16 users, load averages: 0.26, 0.08, 0.02
end
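The mixture the thread worries about (a ports-built sshd linked against the base libcrypto, or an openssl binary whose OPENSSLDIR points somewhere the other half of the install never looks) is easy to detect after the fact. The script below is an added example, not code from the mail or from the FreeBSD ports tree: it parses `openssl version -d` and `ldd` output, classifies each path as base (/usr, /etc/ssl, /usr/openssl) or ports (/usr/local), and flags any ssh/sshd binary whose own origin differs from that of the libcrypto it resolves. The binary locations and the base/ports split are assumptions for a FreeBSD 4.x-era layout, and the embedded sample `ldd` and `openssl` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): report which libcrypto each
# ssh/sshd binary links and what OPENSSLDIR each openssl binary uses, so a
# base/ports mixture shows up as a "mixed" verdict.
# Assumed layout: base system in /usr and /etc/ssl, ports in /usr/local.

# Constructed sample output, not captured from a real machine. Used by
# demo_sample so the parsers can be exercised without touching the system.
SAMPLE_VERSION='OPENSSLDIR: "/etc/ssl"'
SAMPLE_LDD='/usr/local/sbin/sshd:
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2808e000)
    libc.so.4 => /usr/lib/libc.so.4 (0x281c0000)'

# Pull the path out of an `openssl version -d` line: OPENSSLDIR: "/etc/ssl"
openssldir_from_version() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Pull the resolved libcrypto path out of ldd output (first match only).
libcrypto_from_ldd() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*libcrypto\.so[^ ]* => \([^ ]*\).*$/\1/p' \
        | head -n 1
}

# Classify a path as base-system or ports territory (assumed layout).
origin_of() {
    case "$1" in
        /usr/local/*) echo ports ;;
        /usr/lib/*|/usr/bin/*|/usr/sbin/*|/etc/*|/usr/openssl*) echo base ;;
        *) echo unknown ;;
    esac
}

# "ok" when binary and its libcrypto come from the same place, else "mixed".
classify_link() {
    bin_origin=$(origin_of "$1")
    lib_origin=$(origin_of "$2")
    if [ "$bin_origin" = "$lib_origin" ]; then echo ok; else echo mixed; fi
}

# Run the classifier over the constructed sample: a ports sshd linked
# against the base libcrypto, which is exactly the situation the mail
# describes.
demo_sample() {
    lib=$(libcrypto_from_ldd "$SAMPLE_LDD")
    classify_link /usr/local/sbin/sshd "$lib"
}

# Inspect the real system; silently skips binaries that are not present.
report_system() {
    for bin in /usr/bin/ssh /usr/sbin/sshd /usr/local/bin/ssh /usr/local/sbin/sshd; do
        [ -x "$bin" ] || continue
        command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 0; }
        lib=$(libcrypto_from_ldd "$(ldd "$bin" 2>/dev/null || true)")
        printf '%s -> %s [%s]\n' "$bin" "${lib:-no libcrypto}" \
            "$(classify_link "$bin" "${lib:-}")"
    done
    for ossl in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$ossl" ] || continue
        dir=$(openssldir_from_version "$("$ossl" version -d 2>/dev/null || true)")
        printf '%s OPENSSLDIR=%s\n' "$ossl" "${dir:-unknown}"
    done
}

echo "sample verdict: $(demo_sample)"
report_system
```

A "mixed" line means the binary will pick up whichever libcrypto the loader finds first, not necessarily the one you just upgraded; and an OPENSSLDIR that differs between /usr/bin/openssl and /usr/local/bin/openssl is the --openssldir problem the thread describes, since a -DUSE_OPENSSL_BASE build of openssh expects /etc/ssl.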