# Why is base OpenSSL not showing the new version number



## Roger Eddins (May 9, 2016)

Currently sitting on 9.3-RELEASE-p39 and performed `freebsd-update/install` and /usr/bin/openssl is still showing version "OpenSSL 0.9.8zh-freebsd 3 Dec 2015". I see the timestamp of the binary (/usr/bin/openssl) shows the latest timestamp when I ran freebsd-update install, so am I just to assume it updated? Is this a little-known secret that you should just trust it updated?

A little help or breadcrumb please... nothing in searches of the other FreeBSD forums hints about this except one reply, but that's not enough to be convincing.


----------



## drhowarddrfine (May 10, 2016)

End of life for version 9.2 ended December 2014. I don't know when 9.3 ended but end of life for version 10.0 was February 2015.


----------



## YuryG (May 10, 2016)

Well, 9.3 is a supported release with expected end of life set to the 31st of December, 2016. But, I believe, there will be no new OpenSSL versions for 9.3. The file modification dates could be about some small bugfixes (security advisories), not changing the version.


----------



## SirDice (May 10, 2016)

FreeBSD 9.3 is supported until the end of this year (just like 10.1 and 10.2).

https://www.freebsd.org/security/security.html#sup


----------



## geodni (Jun 1, 2016)

Hi all, I have several FreeBSD 10.2-RELEASE recently updated to 10.3-RELEASE-p3 then 10.3-RELEASE-p4 using the "freebsd-update" mechanism.
OpenSSL Base was updated from "1.0.1p-freebsd 9 Jul 2015" to "1.0.1s-freebsd  1 Mar 2016".
I thought that applying the security advisory FreeBSD-SA-16:17 with "freebsd-update" (includes CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176) would update OpenSSL Base to the latest 1.0.1t, but it's not the case!
Does that mean I have to use OpenSSL from ports to have the latest security advisory about OpenSSL in place?
Thanks


----------



## kpa (Jun 1, 2016)

This comes up from time to time (maybe a sticky post would be in order...). The FreeBSD security team has decided not to update the date and version number in the base system OpenSSL even if the security fixes are applied to it. The security fixes are backported from the fixed newer revisions so they are there even if the version number does not reflect that. The only proper way to see if your system is up to date with the security and errata fixes is to use freebsd-version(1) (not available in FreeBSD 9 and earlier unfortunately).


The userland version is the more reliable one to check; the kernel version with the -k option may lag behind because not every update installs a new kernel:

`freebsd-version -u`

On earlier versions such as FreeBSD 9 the `freebsd-update fetch update` can be run to see what the currently installed patchlevel is and if there are any available updates at the same time.


----------



## cpm@ (Jun 1, 2016)

Yes, here you have the current versions and further details of OpenSSL in base:
https://wiki.freebsd.org/OpenSSL#OpenSSL_in_base

Also, I recommend reading the following article written by Bernard Spil: FOSDEM 2016 - State of LibreSSL and OpenSSL in FreeBSD


----------



## geodni (Jun 2, 2016)

OK, for the CVEs included in the OpenSSL base, I believe that. Perhaps there is a log of this decision somewhere?
But our security officers want the patched version to be installed, or to be sure the last CVEs are applied. How can I check in the OpenSSL base that the CVEs are applied even if "openssl version" gives a not-updated version?
I tried all options for "openssl version" with no success, nor running strings on the binary.
Thanks


----------



## SirDice (Jun 2, 2016)

geodni said:


> How can I check in the OpenSSL base that the CVEs are applied even if "openssl version" gives a not-updated version?


https://www.freebsd.org/security/advisories.html

Specifically this one: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc

So, if you have 9.3-RELEASE-p41, 10.1-RELEASE-p33, 10.2-RELEASE-p16 or 10.3-RELEASE-p2 it's applied.

On FreeBSD 10.x you can easily check with `freebsd-version -u`. On FreeBSD 9.x you'll have to trust freebsd-update(8).


----------
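Putting kpa's and SirDice's answers together, as an added example that is not code from the thread: a POSIX sh script that reads the `freebsd-version -u` userland string (or, off a FreeBSD host, constructed sample strings) and compares it with the per-branch patch levels quoted above from FreeBSD-SA-16:17. The function names and the sample strings are my own.

```shell
# Added example, not code from the thread: judge from a freebsd-version(1)
# userland string whether FreeBSD-SA-16:17.openssl is in place.

# Minimum patched level for each release branch named in SA-16:17.
sa_16_17_min_patch() {
    case "$1" in
        9.3)  echo 41 ;;
        10.1) echo 33 ;;
        10.2) echo 16 ;;
        10.3) echo 2 ;;
        *)    echo "" ;;       # branch not covered by this advisory
    esac
}

# sa_16_17_applied VERSION -> 0 patched, 1 not patched,
#                             2 cannot judge (not -RELEASE, or unknown branch)
sa_16_17_applied() {
    ver="$1"
    case "$ver" in
        *-RELEASE|*-RELEASE-p*) ;;
        *) return 2 ;;         # STABLE/CURRENT builds carry no patch level
    esac
    branch="${ver%%-RELEASE*}"
    patch="${ver##*-RELEASE}"  # "" or "-pNN"
    patch="${patch#-p}"
    [ -n "$patch" ] || patch=0  # plain X.Y-RELEASE counts as p0
    case "$patch" in *[!0-9]*) return 2 ;; esac
    min="$(sa_16_17_min_patch "$branch")"
    [ -n "$min" ] || return 2
    [ "$patch" -ge "$min" ]
}

# report VERSION: one-line verdict; always exits 0 so it is safe under set -e.
report() {
    rc=0; sa_16_17_applied "$1" || rc=$?
    case $rc in
        0) echo "$1: SA-16:17 applied" ;;
        1) echo "$1: SA-16:17 MISSING, run freebsd-update fetch install" ;;
        *) echo "$1: cannot judge from this version string" ;;
    esac
}

# Use the live value on a FreeBSD 10.x host; elsewhere walk constructed samples.
if v="$(freebsd-version -u 2>/dev/null)"; then
    report "$v"
else
    for v in 9.3-RELEASE-p39 9.3-RELEASE-p41 10.3-RELEASE-p4 10.3-RELEASE 11.0-CURRENT; do
        report "$v"
    done
fi
```

On FreeBSD 9.x, where freebsd-version(1) does not exist, feed the script the patch level reported by `freebsd-update fetch` instead.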



## geodni (Jun 2, 2016)

Thanks all, it's running 10.3-RELEASE-p4 so patches are applied.
Sorry if I badly explained what I need. You tell me `freebsd-version -u` is sufficient to know the patches are applied according to SA-16:17. If it's the only way to go, I will tell the security officers it's applied even if version number claimed by `openssl` is not what it's supposed to be.

I looked at https://svnweb.freebsd.org/base/vendor-crypto/?view=log and inside the opensslv.conf https://svnweb.freebsd.org/base/ven....1t/crypto/opensslv.h?view=log&pathrev=298994 at line #37 shows

```
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t 3 May 2016"
```

In my 10.3-RELEASE-p4 running systems, /usr/include/openssl/opensslv.h shows at the same line #37

```
#  define OPENSSL_VERSION_TEXT  "OpenSSL 1.0.1s-freebsd  1 Mar 2016"
```
I may suppose the revision 298994 is not yet included.


----------



## SirDice (Jun 2, 2016)

https://svnweb.freebsd.org/base/releng/10.3/crypto/openssl/crypto/?view=log


----------



## kpa (Jun 2, 2016)

Those are vendor imports and they are not used directly for building the releases, stable or current versions. Instead, they are merged selectively to the code that is actually used such as the example linked by SirDice above.


----------



## geodni (Jun 2, 2016)

Each time I come to this forum I learn something new, like each day I use FreeBSD!
Thank you all!


----------

