Date: Mon, 13 Jul 2015 15:58:11 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Brandon Allbery <allbery.b@gmail.com>
Cc: Matt Smith <fbsd@xtaz.co.uk>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject: Re: WITHOUT_OPENSSL and make delete-old
Message-ID: <CAN6yY1sYMk00Eog6wuup-oZpkZFTopiHGy=+ZhPxC02zk8xymQ@mail.gmail.com>
In-Reply-To: <CAKFCL4WeT4da_MJk_pyLKeJ0HFvXrYSNjPxbVDZyLZ0X+6LL=g@mail.gmail.com>
References: <20150713140352.GB1284@xtaz.uk> <CAN6yY1u4M7AD+w+kdPu4JYQh45R6zdHm7Z3Vp0QSsNtN9scBkg@mail.gmail.com> <20150713191414.GC1284@xtaz.uk> <CAKFCL4WeT4da_MJk_pyLKeJ0HFvXrYSNjPxbVDZyLZ0X+6LL=g@mail.gmail.com>
On Mon, Jul 13, 2015 at 12:18 PM, Brandon Allbery <allbery.b@gmail.com> wrote:

> On Mon, Jul 13, 2015 at 3:14 PM, Matt Smith <fbsd@xtaz.co.uk> wrote:
>
>> See now I assumed that the only things in the base that used it were
>> Kerberos, GSSAPI, and OpenSSH. If you read the man page for src.conf it
>> says that setting WITHOUT_OPENSSL also sets WITHOUT_KERBEROS,
>> WITHOUT_GSSAPI, and WITHOUT_OPENSSH. This makes me think these are the only
>> things in the base that do actually use OpenSSL?
>
> OpenSSL has two components, one of which is a general crypto library. I'd
> imagine that a lot of stuff could make use of that part of OpenSSL.
>
> --
> brandon s allbery kf8nh                               sine nomine associates
> allbery.b@gmail.com                                  ballbery@sinenomine.net
> unix, openafs, kerberos, infrastructure, xmonad          http://sinenomine.net

Annoying! ssh has explicitly never used OpenSSL. I just confirmed that it
still does not. It does use gssapi and kerberos, so even though it makes no
use of OpenSSL, it does use those two things, which are not actually part of
OpenSSL. If you check /usr/src/crypto/openssl, there is no gssapi or kerberos
there. Both of these are in the heimdal sources.

Looks to me like WITHOUT_OPENSSL is really without a few other things but NOT
OpenSSL. Very weird. Can anyone explain this? Or is it a bug (and a bad one,
as it misleads people about an important security issue)?

I am aware of at least one time when base ssh was newer and better than the
ports version, though that is not the norm. Now that the HPC patches are in
base and PKCS11 is supported, I can see little reason to use the ports
version.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
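The question raised in this message (does a given base binary actually pull in OpenSSL, or only the Heimdal GSSAPI/Kerberos libraries?) can be answered on a running system by inspecting what the binary links against with ldd, rather than by reading src.conf(5) knobs. The script below is an added example, not part of this thread and not FreeBSD's own tooling. It assumes the base-system library names listed in its comments (libssl/libcrypto for OpenSSL; libkrb5, libgssapi*, libhx509, libasn1, libroken, libheimbase for Heimdal) and uses constructed ldd-style output, with placeholder version numbers and addresses, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): classify which crypto/auth libraries a
# binary links against, using ldd-style output, to verify claims such as
# "base ssh uses Heimdal GSSAPI/Kerberos but not OpenSSL".
# ASSUMPTION: the library name patterns below are those of FreeBSD base
# OpenSSL and Heimdal; adjust them if your installed library names differ.

# classify_deps: read ldd output on stdin, print one of
#   openssl | heimdal | both | none
classify_deps() {
    openssl=0
    heimdal=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*)
                openssl=1 ;;
            *libkrb5.so*|*libgssapi*.so*|*libhx509.so*|*libasn1.so*|*libroken.so*|*libheimbase.so*)
                heimdal=1 ;;
        esac
    done
    if [ "$openssl" -eq 1 ] && [ "$heimdal" -eq 1 ]; then
        echo both
    elif [ "$openssl" -eq 1 ]; then
        echo openssl
    elif [ "$heimdal" -eq 1 ]; then
        echo heimdal
    else
        echo none
    fi
}

# audit_binary: run ldd on a real executable and print "path: classification".
audit_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not found"
        return 1
    fi
    echo "$bin: $(ldd "$bin" 2>/dev/null | classify_deps)"
}

# Constructed sample ldd output for offline testing. These lines were NOT
# captured from a real system; version numbers and load addresses are
# placeholders. Real ldd output indents with a tab; the patterns above do
# not care about leading whitespace.
SAMPLE_SSH='    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800800000)
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)'
SAMPLE_TLS_CLIENT='    libssl.so.7 => /usr/lib/libssl.so.7 (0x800800000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)'
SAMPLE_PLAIN='    libc.so.7 => /lib/libc.so.7 (0x800c00000)'

# classify_sample: feed one of the constructed samples (or any captured ldd
# text) to the classifier.
classify_sample() {
    printf '%s\n' "$1" | classify_deps
}

# When given paths, audit real binaries, for example:
#   sh audit_crypto_deps.sh /usr/bin/ssh /usr/sbin/sshd /usr/bin/fetch
for bin in "$@"; do
    audit_binary "$bin"
done
```

Run it over /usr/bin/* and /usr/sbin/* to get a per-binary answer to "what does WITHOUT_OPENSSL actually remove the need for?" on your own build; anything reported as openssl or both still depends on libcrypto/libssl regardless of what the src.conf knob implies, and anything reported as heimdal is what WITHOUT_KERBEROS/WITHOUT_GSSAPI would take away.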