Netgate Discussion Forum

    When does PFSense plan on upgrading OpenSSL >= 1.0.1c

      sysfu

      I'd like to configure PFSense as an OpenVPN client for a provider using ciphers that require OpenSSL v1.0.1c or higher.

      Does the PFSense project have any concrete plans for bringing OpenSSL up to date with the current version, i.e. 1.0.1e?

        jimp Rebel Alliance Developer Netgate

        [2.1-RELEASE][root@pfsense-amd64.localdomain]/root(1): /usr/local/bin/openssl version
        OpenSSL 1.0.1e 11 Feb 2013
        

        2.1 has 1.0.1e and it is used for OpenVPN, IPsec, etc.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          sysfu

          Was not aware of the existence of two versions of openssl on the system. Still, the version bundled with my 2.1 release is < 1.0.1c.

          # openssl version
          OpenSSL 0.9.8y 5 Feb 2013
          # which openssl
          /usr/bin/openssl
          # /usr/local/bin/openssl version
          OpenSSL 1.0.0h 12 Mar 2012

          This was an upgrade from a 2.1 development snapshot. Do I need to perform a clean installation of 2.1 to get the 1.0.1e OpenSSL binary?

            jimp Rebel Alliance Developer Netgate

            You should get it just by upgrading to 2.1-RELEASE. I'm not sure how you would have ended up with a binary that old unless it didn't really update your system somehow.

              sysfu

              @jimp:

              You should get it just by upgrading to 2.1-RELEASE. I'm not sure how you would have ended up with a binary that old unless it didn't really update your system somehow.

              That makes two of us.

              I'll go ahead with a fresh installation to see if that resolves the issue.

                sysfu

                Fresh installation solved the problem.

                # /usr/local/bin/openssl version
                OpenSSL 1.0.1e 11 Feb 2013

                  dplat

                  /usr/bin/openssl version
                  OpenSSL 0.9.8y 5 Feb 2013

                  /usr/local/bin/openssl version
                  OpenSSL 1.0.1e 11 Feb 2013

                  Why are there 2 openssl versions installed??

                  By default, the first OLD one is used!
                  PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

                  Is it an NSA "recommendation"?

                    jimp Rebel Alliance Developer Netgate

                    The FreeBSD base system uses/needs the older one, it is not easily upgraded or replaced. It is current/secure on its line.

                    Most things will use the newer one, we don't just run "openssl" we use full paths to things (trusting $PATH is bad), and you can check with ldd which version of the library things like OpenVPN will use.

                    It's not a conspiracy or a problem.

                      mervincm

                      Any word on if/when this will be upgraded to 1.01g to deal with this Heartbleed bug?

                      https://www.openssl.org/news/secadv_20140407.txt

                      What versions of the OpenSSL are affected?

                      Status of different versions:

                      OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
                      OpenSSL 1.0.1g is NOT vulnerable
                      OpenSSL 1.0.0 branch is NOT vulnerable
                      OpenSSL 0.9.8 branch is NOT vulnerable
                      Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

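The two checks that come up in this thread, as an added example that is not part of any post: a POSIX sh script that lists every `openssl` executable in `$PATH` lookup order and classifies each reported version against the ranges quoted from the advisory above. The function names `heartbleed_status` and `list_openssl` are hypothetical, and versions outside the quoted ranges are reported as `unknown`.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# heartbleed_status "<line printed by 'openssl version'>"
# Prints vulnerable | not-vulnerable | unknown, using only the ranges quoted
# in the post above: 1.0.1 through 1.0.1f are vulnerable; 1.0.1g, the 1.0.0
# branch and the 0.9.8 branch are not. Anything else is reported as unknown.
heartbleed_status() {
    # "OpenSSL 1.0.1e 11 Feb 2013" -> the second field is the version
    hb_ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$hb_ver" in
        1.0.1|1.0.1[abcdef]) echo vulnerable ;;
        1.0.1g)              echo not-vulnerable ;;
        1.0.0*|0.9.8*)       echo not-vulnerable ;;
        *)                   echo unknown ;;
    esac
}

# list_openssl "<PATH-style string>"
# Prints one line per executable named openssl, in lookup order:
#   <path> TAB <version line> TAB <status>
# The first line is what a bare "openssl" resolves to for that PATH.
list_openssl() {
    lo_ifs=$IFS
    IFS=:
    for lo_dir in $1; do
        IFS=$lo_ifs
        [ -n "$lo_dir" ] || lo_dir=.        # empty PATH entry means cwd
        lo_bin="$lo_dir/openssl"
        [ -x "$lo_bin" ] && [ ! -d "$lo_bin" ] || continue
        lo_ver=$("$lo_bin" version 2>/dev/null) || lo_ver="(failed to run)"
        printf '%s\t%s\t%s\n' "$lo_bin" "$lo_ver" "$(heartbleed_status "$lo_ver")"
    done
    IFS=$lo_ifs
}

# Report for the current shell's PATH.
list_openssl "$PATH"
```

Which library a daemon such as OpenVPN actually loads is a separate question, answered by running `ldd` on its binary as noted earlier in the thread.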
                        jimp Rebel Alliance Developer Netgate

                        See one of the other dozen threads already open for Heartbleed. Soon.

                          mervincm

                          Thanks for the quick response, and sorry for the duplicate.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.