From: Paul Hoffman <paul.hoffman@vpnc.org>
To: freebsd-security@freebsd.org
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
Date: Sun, 27 Apr 2014 08:29:01 -0700
In-Reply-To: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>

On Apr 27, 2014, at 8:08 AM, Jamie Landeg-Jones wrote:

> Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
> build against the port if it's installed?

Yes, that is a reasonable expectation. I certainly had it in my head when I rebuilt Sendmail+TLS after Heartbleed, but I didn't think of checking it.

> I realise this isn't always possible to test, especially if the port Makefile
> doesn't have any OpenSSL configuration options, but I'd like to hear
> others' opinions on the matter.

It would be good to add such options to as many ports as possible if it can be done cleanly.

Also, note that this is not bashing on OpenSSL: given their new significant funding, I would certainly expect the OpenSSL project to be finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It is basically impossible to fix such a bug without bad actors being able to determine and exploit some of the fixes in unpatched systems.

--Paul Hoffman