OpenSSL 3 in base — Improved
Links:
OpenSSL Downloads
URL: https://www.openssl.org/source/
Contact: Pierre Pronchery <pierre@freebsdfoundation.org>
This is a follow-up to the previous quarterly report on the integration of OpenSSL 3 into the base system.
The most obvious updates since the previous report are certainly the 3.0.10 and then 3.0.11 releases, fixing CVE issues with low to medium severity (CVE-2023-2975, CVE-2023-3446, CVE-2023-3817, CVE-2023-4807).
However, these are not the only changes: this quarter, some issues specific to the integration were also fixed, most of which were found while building ports with OpenSSL 3 in the base system.
Fixes included:
- Linking the engines and the legacy provider with the libcrypto.so shared object, for proper visibility of symbols; this required a hack in the build system.
- Correcting the list of source files for the FIPS provider.
- Ensuring backward compatibility for the deprecated 0.9.8 API, which was notably helpful for the PAM authentication module from security/pam_ssh_agent_auth, based on OpenSSH's ssh-agent(1) authentication mechanism.
Last modified on: November 1, 2023 by Lorenzo Salvadore