opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

LibreSSL Upgrade Ineffective #51

Closed NOYB closed 6 years ago

NOYB commented 6 years ago

After upgrading to LibreSSL, OpenSSL is still found in the environment path prior to LibreSSL.

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

/usr/bin/openssl version
OpenSSL 1.0.2k-freebsd 26 Jan 2017

/usr/local/bin/openssl version
LibreSSL 2.5.5

So anything relying on the environment path rather than specifying absolute path to "/usr/local/bin/openssl" will be running OpenSSL instead.

fichtner commented 6 years ago

This is expected. I found one instance not using the right path and fixed it. We want to use the full path in scripting to avoid ambiguities.

Ports correctly build against LibreSSL, that also means PHP is built against LibreSSL. OpenSSL cannot be removed from FreeBSD base due to multiple dependencies there.

Close?

PS: Wrong repo referenced via https://github.com/opnsense/core/commit/6b24c4ba572

NOYB commented 6 years ago

If you're confident it's fixed.

fichtner commented 6 years ago

I don't know. What would you propose?

fabianfrz commented 6 years ago

In the libraries it can be checked which version is used. For example this is for Ruby:

[Screenshot: screenshot_20171229_124926]

Perl, Python and PHP are also linked against the correct library where it is possible to check.

NOYB commented 6 years ago

Wasn't proposing anything. Just saying that if you're confident the issue is resolved, it can be closed. Thanks.

fichtner commented 6 years ago

This was a topic in the last few years with varying degrees of progress and hurdles. The short version is any OS needs a crypto library in base. FreeBSD does not allow removal of its OpenSSL for that reason (a knob WITHOUT_OPENSSL exists but it does not work). We also need a crypto library in ports for better means of updating. We did the LibreSSL ports work in 2015 so that the switching was seamless from our perspective. In 2016-2017 work was done to replace OpenSSL with LibreSSL in HardenedBSD base. It's the same problem now there too, just from an opposite direction. We also can't change PATH to use /usr/local first, it would mean we could overlay base binaries, which is not as secure as the other way around.

So for now we tiptoe around the crypto in base. It was a mess in 2015, but the subsequent changes and work made this work well enough. We will see if something else can be done in the long-term future, e.g. FreeBSD discussed removing OpenSSL from base for a better alternative, but it would still be years and does not really solve the chicken-egg problem of crypto requirements in the base system vs. the ports system.

It's a classic "WONTFIX" sadly, but there are enough ways around this and side-effects are well-known and avoided.

Cheers, Franco
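
A way to check the lookup order discussed in this thread, as an added example that is not part of the original discussion and not OPNsense code: it lists every copy of a command along a PATH and reports whether an unqualified call reaches the intended one. The function names and return codes are hypothetical; the PATH value and the two openssl locations are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example (not OPNsense code): report which copy of a command an
# unqualified call runs under a given PATH. Function names are hypothetical.

# list_candidates CMD PATHSTRING
# Print every executable file named CMD in PATHSTRING, in lookup order.
list_candidates() {
    lc_cmd=$1
    lc_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting PATHSTRING
    for lc_dir in $2; do
        [ -n "$lc_dir" ] || lc_dir=.    # empty PATH entry means current dir
        if [ -f "$lc_dir/$lc_cmd" ] && [ -x "$lc_dir/$lc_cmd" ]; then
            printf '%s\n' "$lc_dir/$lc_cmd"
        fi
    done
    set +f
    IFS=$lc_ifs
}

# first_match CMD PATHSTRING: the copy that wins the lookup.
first_match() {
    list_candidates "$1" "$2" | head -n 1
}

# check_resolution CMD PATHSTRING WANTED
# 0: CMD resolves to WANTED; 1: another copy comes first; 2: CMD not found.
check_resolution() {
    cr_found=$(first_match "$1" "$2")
    if [ -z "$cr_found" ]; then
        printf 'missing: %s not found in %s\n' "$1" "$2"
        return 2
    elif [ "$cr_found" = "$3" ]; then
        printf 'ok: %s resolves to %s\n' "$1" "$cr_found"
        return 0
    fi
    printf 'shadowed: %s resolves to %s, not %s\n' "$1" "$cr_found" "$3"
    return 1
}

# PATH value quoted in the issue; /usr/local/bin/openssl is the ports copy.
ISSUE_PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
list_candidates openssl "$ISSUE_PATH"
check_resolution openssl "$ISSUE_PATH" /usr/local/bin/openssl || true
```

A return code of 1 for a command that a script calls without a full path marks the place where the absolute path is needed.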