PfSense 2.1 still using OpenSSL 0.9.8y?
-
Seems that most of the threads I've seen related to AES-NI state that pfSense 2.1 is using OpenSSL 1.0.1c but when I run OpenSSL version check on my system, it shows up as:
[2.1-RELEASE][admin@*******]/root(7): openssl version
OpenSSL 0.9.8y 5 Feb 2013
I'm also fairly certain that it's not utilizing AES-NI on my system as well after running the speed evp test so it's not just a mislabelled version tag.
I'd like to ask if this is supposed to be the case or if perhaps the specific snapshot is not updated?
I'm currently using:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11
This is a NanoBSD VGA 2G image.
Thanks.
-
[2.1-RELEASE][root@xxx]/home/phil.davis(6): openssl version
OpenSSL 0.9.8y 5 Feb 2013
[2.1-RELEASE][root@xxx]/home/phil.davis(12): /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
[2.1-RELEASE][root@xxx]/home/phil.davis(7): /usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
The one used by the pfSense code is in /usr/local/bin/openssl and is explicitly run from there.
-
Brilliant! Thank you sir.
-
And it'll be 1.0.1.f in pfSense 2.1.1
-
Hi jimp, nice to know. I didn't see any information regarding the cryptodev but would like to know if 2.1.1 includes the tweaked cryptodev (pipelining to utilize AES-NI properly) or would we have to wait till 2.2 for this?
-
That will have to wait for 2.2
-
Thank you for the information update!
I'll look forward to 2.2 being rolled-out then.
-
Why is the old version included if it isn't used? Seems like it would just take up space and present a risk that a program would accidentally use it.
-
Why is the old version included if it isn't used? Seems like it would just take up space and present a risk that a program would accidentally use it.
It is the version from FreeBSD's base used for things like ssh. It's very difficult to get some parts to work with only the ports OpenSSL on FreeBSD. It'll be a non-issue once we're on FreeBSD 10 and the base is up-to-date.
-
Why is the old version included if it isn't used? Seems like it would just take up space and present a risk that a program would accidentally use it.
It is the version from FreeBSD's base used for things like ssh. It's very difficult to get some parts to work with only the ports OpenSSL on FreeBSD. It'll be a non-issue once we're on FreeBSD 10 and the base is up-to-date.
That's kind of what I figured. Thanks for the confirmation.
-
It'll be a non-issue once we're on FreeBSD 10 and the base is up-to-date.
By then will the base still be up to date? ;)
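
A check for the situation discussed in this thread, where the base-system and ports copies of OpenSSL sit side by side. This is an added example and not part of the original posts: it walks a PATH-style list in resolution order, reports every `openssl` binary with its version, and warns when the versions differ. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# list_openssl SEARCH_PATH
# Prints "path|version" for each executable named openssl, in the order
# an unqualified "openssl" command would be resolved.
list_openssl() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        bin="$dir/openssl"
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            ver=$("$bin" version 2>/dev/null) || ver="unknown"
            printf '%s|%s\n' "$bin" "$ver"
        fi
    done
    IFS=$old_ifs
}

# first_openssl SEARCH_PATH: the binary an unqualified call would run.
first_openssl() {
    list_openssl "$1" | head -n 1 | cut -d'|' -f1
}

# count_versions SEARCH_PATH: number of distinct version strings found.
count_versions() {
    list_openssl "$1" | cut -d'|' -f2 | sort -u | wc -l | tr -d ' '
}

# audit_openssl SEARCH_PATH: print the listing; return 1 if versions differ.
audit_openssl() {
    list_openssl "$1" | sed 's/|/  ->  /'
    if [ "$(count_versions "$1")" -gt 1 ]; then
        echo "WARNING: differing OpenSSL versions on the search path;" \
             "unqualified calls run $(first_openssl "$1")"
        return 1
    fi
}

# Audit the current environment. On a box like the one in this thread,
# /usr/bin/openssl and /usr/local/bin/openssl would both be listed.
audit_openssl "$PATH" || true
```

Scripts that need a specific build should call it by absolute path, as the thread says the pfSense code does with /usr/local/bin/openssl.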