On Mon, Jul 13, 2015 at 12:18 PM, Brandon Allbery <allbery.b at gmail.com>
wrote:
> On Mon, Jul 13, 2015 at 3:14 PM, Matt Smith <fbsd at xtaz.co.uk>
wrote:
>
>> See now I assumed that the only things in the base that used it were
>> Kerberos, GSSAPI, and OpenSSH. If you read the man page for src.conf it
>> says that setting WITHOUT_OPENSSL also sets WITHOUT_KERBEROS,
>> WITHOUT_GSSAPI, and WITHOUT_OPENSSH. This makes me think these are the
>> only things in the base that do actually use OpenSSL?
>
>
> OpenSSL has two components, one of which is a general crypto library.
> I'd imagine that a lot of stuff could make use of that part of OpenSSL.
>
> --
> brandon s allbery kf8nh sine nomine associates
> allbery.b at gmail.com
> ballbery at sinenomine.net
> unix, openafs, kerberos, infrastructure, xmonad
> http://sinenomine.net
>
Annoying! ssh has explicitly never used OpenSSL. I just confirmed that
it still does not. It does use gssapi and kerberos, so even though it makes
no use of OpenSSL, it does use those two things, which are not actually part
of OpenSSL. If you check /usr/src/crypto/openssl, there is no gssapi or
kerberos there. Both of these are in the heimdal sources. Looks to me
like WITHOUT_OPENSSL is really without a few other things but NOT OpenSSL.
Very weird. Can anyone explain this? Or is it a bug (and a bad one, as it
misleads people about an important security issue)? I am aware of at least
one time
when base ssh was newer and better than the ports version, though that is
not the norm. Now that the HPC patches are in base and PKCS11 is supported,
I can see little reason to use the ports version.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
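The check Kevin describes (confirming which of OpenSSL, GSSAPI and Kerberos a given ssh binary is actually linked against) can be scripted. This is an added example, not code from the thread or from FreeBSD; the soname patterns and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the shared-library dependencies of a binary into
# the three families discussed in the thread (openssl, gssapi, kerberos).
# Soname stems are assumptions matching the usual FreeBSD/Linux names.

# classify_deps: read ldd(1)-style output on stdin and print one line per
# matched family, in order of first appearance, or "none" if nothing matched.
classify_deps() {
    found=""
    while IFS= read -r line; do
        case "$line" in
            *libcrypto.so*|*libssl.so*)       fam="openssl" ;;
            *libgssapi*.so*)                  fam="gssapi" ;;
            *libkrb5.so*|*libheimbase.so*)    fam="kerberos" ;;
            *) continue ;;
        esac
        case " $found " in
            *" $fam "*) ;;                 # family already recorded
            *) found="$found $fam" ;;
        esac
    done
    if [ -z "$found" ]; then
        echo none
    else
        for f in $found; do echo "$f"; done
    fi
}

# check_binary: run ldd on a real binary (e.g. /usr/bin/ssh) and classify it.
check_binary() {
    ldd "$1" 2>/dev/null | classify_deps
}
```

Run `check_binary /usr/bin/ssh` on a base system and on the ports build to compare what each actually pulls in.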