# [heads up] OpenSSL - read before upgrading



## DutchDaemon (Nov 6, 2009)

A new version of OpenSSL (security/openssl) has appeared in the ports tree. 

Please note that this new release does not fix the TLS bug which has been discussed in security circles in the past few days; it merely disables TLS/SSL renegotiation by default.

Read the following analysis and make sure you thoroughly test any application that needs/uses OpenSSL before putting it into production use:

http://isc.sans.org/diary.html?storyid=7543

Note: this only concerns OpenSSL from the ports tree. I do not know how and when OpenSSL in the base system will be upgraded, and with which defaults.


----------



## DutchDaemon (Nov 7, 2009)

Just some preliminary findings:

* https (Apache 22 / OpenSSL) OK
* OpenVPN (same OpenSSL on both sides) OK
* imaps (Dovecot/OpenSSL) OK


----------

