Does pfSense use openssl 3.x at all?

bribri007 · Oct 31, 2022, 3:09 PM

A critical fix for openssl 3.x is pending. I'm curious if anyone knows any functions within pfSense that are using openssl 3.x?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

johnpoz · Oct 31, 2022, 3:08 PM

@bribri007 that would be highly unlikely since the current version I show is

[22.05-RELEASE][admin@sg4860.local.lan]/root: openssl version
OpenSSL 1.1.1n-freebsd  15 Mar 2022
[22.05-RELEASE][admin@sg4860.local.lan]/root:

bingo600 · Nov 1, 2022, 12:38 PM

@johnpoz
Well they withdrew 1.1.1.r , along w. 3.0.6

https://www.openssl.org/

🔒 Log in to view

Did someone "Zerorize" a pointer again ??? (HeartBleed)

New version should be released Nov-01 between 13 .. 17 UTC
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

They are kind'a "URGING OUT LOUD"
.

🔒 Log in to view
.

/Bingo

johnpoz · Nov 1, 2022, 12:17 PM

@bingo600 yeah they seem to be having some trouble.. Guess good thing that we are bit behind on 1.1.1n

MAW · Nov 2, 2022, 6:37 AM

@johnpoz Just a FYI, I have Openssl 1.1.1l on three pfSense "2.6.0-RELEASE" systems that I manage/administor.

dmalick · Nov 2, 2022, 7:50 AM

i have

OpenSSL 1.1.1l-freebsd  24 Aug 2021
[2.6.0-RELEASE][admin@pfsense.local.dev]/root:

jimp · Nov 2, 2022, 12:26 PM

pfSense software does not use OpenSSL 3.x on any version/edition, not even on the newest development snapshots.

bingo600 · Nov 2, 2022, 2:40 PM

From
https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html

🔒 Log in to view

Combined with what @jimp said above:

pfSense is not vulnerable at all

/Bingo