# openssl port DEPRECATED



## chrcol (Jan 13, 2010)

I see that since 12 Jan 2010 this port has been marked as depreciated. I assume they plan to no longer maintain the port. This is quite a major move by FreeBSD, as numerous public-facing packages depend on the port, and it's not impressive to revert to a base version that rarely sees updates.

For example, on a 6.4 machine, which is not an EOL version of BSD, I have OpenSSL 0.9.7e, which is 5 years old. No problem, as I install the ports version 0.9.8l, which is only a couple of months old, but now it seems this option will no longer be available, and I cannot help thinking this is a move to try and keep people constantly updating to the latest OS version.

The side effect of this move was also that dozens of ports suddenly refused to upgrade, as they depend on a port I have installed that was marked as broken.


----------



## DutchDaemon (Jan 13, 2010)

Note that the port is also flagged as broken:

```
BROKEN=         coredumps on i386 and amd64
```

Your assumption that the port is or will be abandoned sounds unfounded at this point. There simply may not be time to fix the vulnerabilities, or the vulnerabilities are still being addressed by the OpenSSL authors at this point in time. A port maintainer can only work with what he's supplied with by the authors.

Interesting side note: I have openssl-0.9.8l_1 from ports, and it built and installed just fine on Jan 6, 2010. My OpenVPN is linked against it, and I've seen no errors.


----------



## SirDice (Jan 13, 2010)

chrcol said:

> I assume they plan to no longer maintain the port


Why would you assume that? It's deprecated because that version has several vulnerabilities and it doesn't build properly on i386 and amd64.


```
BROKEN=		coredumps on i386 and amd64
DEPRECATED=	has unfixed vulnerabilities
```

There's no newer version on the openssl site except a beta for 1.0.0. This means it's an upstream problem.


----------



## EasyTarget (Jan 13, 2010)

This is a mess. This is one of the most important FreeBSD ports of all (unless you /really/ think the majority of BSD systems are desktops or only used via the console).

Suddenly marking it Vulnerable and Depreciated (WTF are we supposed to replace it with?) with a terse unexplanation, no attempt to announce it on the Security list, etc., no workarounds, no nothing... will attract negative attention.

FreeBSD used to be a project that prided itself on its engineering process. What I have just seen looks like the OpenSSL devs being uninformative, and the port maintainer throwing the pram out of the window in frustration.


----------



## SirDice (Jan 13, 2010)

Err... Again.. It's an OpenSSL issue, NOT a FreeBSD issue.

The IETF needs to approve this draft first. Once that's done the OpenSSL people can start implementing it. If they release a new version it will take some time to port it over to FreeBSD.


----------



## dennylin93 (Jan 13, 2010)

It should be fixed now: http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openssl/Makefile?rev=1.162.


----------



## DutchDaemon (Jan 13, 2010)

Yep, looks good.

Not sure why they went through those specific steps to mark the port BROKEN/DEPRECATED for what amounts to a single day.


----------



## SirDice (Jan 13, 2010)

Probably to prevent people from installing a vulnerable version.


----------



## EasyTarget (Jan 13, 2010)

Thanks for clarifying this, and apologies; I was a bit hasty in posting earlier. I'd had a quick look at http://marc.info/?l=openssl-announce and could not see any security reports since March '09. So to suddenly see it marked vulnerable -and- depreciated pressed the wrong buttons. Sorry.


----------



## chrcol (Jan 13, 2010)

The problem I had was that marking it broken effectively stopped me from upgrading various other ports such as php and proftpd. If that version was vulnerable, why not just roll it back instead? Also, why mark it as broken, stating it coredumps, and depreciate it? Depreciate means they plan to stop supporting it, so if that's not the case it is very misleading.


----------



## DutchDaemon (Jan 13, 2010)

No, 'depreciate' means to lose value. You're looking for 'deprecate' :f


----------



## chrcol (Jan 13, 2010)

OK, so we can expect this port to be active again in future?


----------



## DutchDaemon (Jan 13, 2010)

Sometime today, yes. It usually shows up in portsnap within 24 hours (depending on the mirrors).


----------



## SirDice (Jan 13, 2010)

chrcol said:

> If that version was vulnerable why not just roll it back instead.


Because all previous versions are just as vulnerable. The vulnerability is in the protocol, not the implementation.


----------



## chrcol (Jan 13, 2010)

SirDice said:

> Because all previous versions are just as vulnerable. The vulnerability is in the protocol not the implementation.



Does that include the very old version in base FreeBSD, which the broken port would be forcing the user back to?


----------



## DutchDaemon (Jan 13, 2010)

I think there were patches for the base system version, disabling the renegotiation?


----------



## SirDice (Jan 13, 2010)

Most likely it is. Unless renegotiation has been turned off by default.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555


----------



## chrcol (Jan 13, 2010)

Fixed port already in the portsnap database, good news.


----------

