Running latest 21.1.2 LibreSSL version BUT...

Started by Black6spdZ, March 07, 2021, 02:08:06 AM

root@OPNsense:~ # openssl version -a
OpenSSL 1.1.1d-freebsd  10 Sep 2019
built on: reproducible build, date unspecified
platform: FreeBSD-amd64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: clang
OPENSSLDIR: "/etc/ssl"
ENGINESDIR: "/usr/lib/engines"
Seeding source: os-specific

I don't see LibreSSL version here.. what's going on here??

Screenshot of the Dashboard, upper left corner, maybe? ;-)

After setting the flavor to libreSSL you have to do an update to get it installed. Maybe switch to openSSL, update, switch to libreSSL and update again.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Versions   OPNsense 21.1.2-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
LibreSSL 3.2.4


just updated to OpenSSL version, rebooted and then back to LibreSSL version and rebooted again

root@OPNsense:~ # openssl
OpenSSL> version
OpenSSL 1.1.1d-freebsd  10 Sep 2019
OpenSSL>

is this some sort of trickery here?

When using "openssl" the shell picks /usr/bin/openssl but you actually wanted /usr/local/bin/openssl....


Cheers,
Franco

March 08, 2021, 09:05:16 AM #5 Last Edit: March 08, 2021, 09:13:01 AM by Black6spdZ
root@OPNsense:/usr/local/bin # openssl
OpenSSL> version
OpenSSL 1.1.1d-freebsd  10 Sep 2019
OpenSSL>

where is the system getting this old version from?

root@OPNsense:/ # find / -name openssl
/usr/bin/openssl
/usr/include/openssl
/usr/local/include/php/ext/openssl
/usr/local/include/openssl
/usr/local/openssl
/usr/local/lib/python3.7/site-packages/cryptography/hazmat/bindings/openssl
/usr/local/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl
/usr/local/bin/openssl
/usr/share/openssl

tried them all, report same 1.1.1d version

Try /usr/local/bin/openssl


then version
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: Black6spdZ on March 08, 2021, 09:05:16 AM
root@OPNsense:/usr/local/bin # openssl

Running the command this way will still pick the first "openssl" in $PATH (which is in /usr/bin). You would have to run "./openssl" to pick the binary in the directory you are in. Or just use the full path in the command as marjohn56 said.
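
An added example, not part of the thread: a POSIX sh helper that lists every "openssl" on the search path in the order the shell tries it and prints each copy's version, which shows the base /usr/bin binary shadowing the port in /usr/local/bin regardless of the current directory. The function names list_on_path and report_versions are made up for this example.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not OPNsense tooling.

# list_on_path NAME [SEARCHPATH]
# Print every executable called NAME found in SEARCHPATH (default: $PATH),
# one per line, in lookup order. The first line is what a bare NAME runs.
# The body is a subshell so the IFS and globbing changes do not leak out.
list_on_path() (
    name=$1
    search=${2-$PATH}
    IFS=:
    set -f                          # no glob expansion while splitting
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# report_versions NAME [SEARCHPATH]
# For each hit, print "<path><TAB><first line of '<path> version'>".
report_versions() {
    list_on_path "$1" "${2-$PATH}" | while IFS= read -r bin; do
        ver=$("$bin" version </dev/null 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$bin" "${ver:-unknown}"
    done
}

# What the shell would run for a bare "openssl", then every copy on $PATH.
printf 'shell resolves: %s\n' "$(command -v openssl || echo none)"
report_versions openssl
```

Being inside /usr/local/bin changes nothing here, because the lookup only walks the directories listed in $PATH; the current directory is searched only if "." or an empty entry is part of that list.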

OK, I'm on LibreSSL as well

#  /usr/local/bin/openssl
OpenSSL> version
LibreSSL 3.2.4
OpenSSL>


But dumb question: Why is there such an old version of openSSL present on my install AT ALL

/usr/local/bin # openssl
OpenSSL> version
OpenSSL 1.1.1d-freebsd  10 Sep 2019


Isn't that a security issue?
kind regards
chemlud

March 08, 2021, 11:05:55 PM #9 Last Edit: March 08, 2021, 11:12:20 PM by Black6spdZ
./openssl did the trick in the appropriate folder..

Quote from: chemlud on March 08, 2021, 10:19:09 AM
But dumb question: Why is there such an old version of openSSL present on my install AT ALL

[...]

Isn't that a security issue?

Because FreeBSD 12.1 was released about two years ago when all these newer OpenSSL versions were not yet available.

It's not a security issue, because

(1) FreeBSD security advisories pick them up but do not change the version number (this is what the release patch level is for)

(2) We barely use this OS based library in our builds due to forcing the port version (which is also newer so yay for those shiny version numbers).

None of this information is new and can probably be found a couple of times in the forum.


Cheers,
Franco

Hi franco, but the search function for the forum is hmm... not that good in finding relevant threads.

I would have expected that if I choose flavour LibreSSL then there is no openSSL on my systems at all. What would happen, if the openSSL bins were deleted all and completely from a current OPNsense system that is on LibreSSL?
kind regards
chemlud

Quote from: chemlud on March 09, 2021, 09:22:59 AM
Hi franco, but the search function for the forum is hmm... not that good in finding relevant threads.

I would have expected that if I choose flavour LibreSSL then there is no openSSL on my systems at all. What would happen, if the openSSL bins were deleted all and completely from a current OPNsense system that is on LibreSSL?


Removing openSSL from your running system will basically be impossible.  You'd have to compile with LibreSSL from the get go - as in at makeworld and makekernel time.  And even then, there will inevitably be some packages that just won't work without openSSL.

https://attilagyorffy.com/2016/07/02/the-state-of-libressl-in-freebsd/

Quote from: SFC on March 09, 2021, 03:09:01 PM
Removing openSSL from your running system will basically be impossible.  You'd have to compile with LibreSSL from the get go - as in at makeworld and makekernel time.  And even then, there will inevitably be some packages that just won't work without openSSL.

https://attilagyorffy.com/2016/07/02/the-state-of-libressl-in-freebsd/

Hi and thanks! The link is 5 years old now, really no progress in getting rid of this openSSL stuff? :-O
kind regards
chemlud