[Fed-Talk] Building OpenSSL 0.9.8o for OS X 10.6.4
- Subject: [Fed-Talk] Building OpenSSL 0.9.8o for OS X 10.6.4
- From: Michael Kluskens <email@hidden>
- Date: Tue, 22 Jun 2010 12:19:42 -0400
Question:
On OS X 10.6.x, has anyone been successful truly replacing the old Apple-supplied OpenSSL with any newer or patched version of OpenSSL?
That means "/usr/bin/openssl version" does not return "OpenSSL 0.9.8l 5 Nov 2009"
Background:
The version of OpenSSL included with OS X 10.6.4 is 0.9.8l; the current required version is 0.9.8o (or evidence of backports).
Bugs listed in CVE-2009-3555 were fixed by SecUpd 2010-001, this gave us OpenSSL 0.9.8l in 10.6.2
Bugs listed in CVE-2009-3245 were fixed in OpenSSL 0.9.8m, but Apple has neither updated nor documented any backports to fix these bugs
Bugs listed in CVE-2010-0740 & CVE-2010-0433 were fixed in OpenSSL 0.9.8n, same null response from Apple
Bugs listed in CVE-2010-0742 were fixed in OpenSSL 0.9.8o, again no response
Bugs listed in CVE-2010-1633 only apply to the OpenSSL 1.0.0 series
(I've searched http://support.apple.com/kb as well as https://developer.apple.com/mac/)
Previously I built OpenSSL 0.9.8k from the open source project using the following build commands:
sudo ./config --prefix=/usr --openssldir=/System/Library/OpenSSL shared
sudo make ; sudo make test ; sudo make install
These configuration flags mean that when you install you really do replace the Apple-supplied OpenSSL. If you choose the default, everything goes into /usr/local, so both versions are on the machine, any security scans detect Apple's version, and people falsely believe this is a false positive. The resulting installer that I built was used without problems on over 20 different OS X systems (10.4/10.5/Intel/PPC).
However, under OS X 10.6.4 with OpenSSL 0.9.8o, following the above course of action resulted in a non-bootable machine, which I fixed by manually putting back the old Apple-supplied OpenSSL files.
I know there are workarounds to fool the various security scanners.
My question is: has anyone been successful truly replacing the old Apple-supplied OpenSSL with any version of OpenSSL?
Michael Kluskens
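
Added example, not part of the original post: a POSIX shell inventory for the situation described above, where a default-prefix build leaves Apple's copy in place beside the new one. The function names and the list of paths are assumptions; the 0.9.8o threshold is the required version stated in the post.

```shell
#!/bin/sh
# Added example (not from the original post): list every OpenSSL binary found
# and flag copies older than the version the post says is required.
REQUIRED="0.9.8o"

# Sortable key for an OpenSSL version: zero-padded numbers, then the length of
# the letter suffix, then the suffix, so 0.9.8 < 0.9.8l < 0.9.8o < 0.9.8za.
version_key() {
    vk_num=${1%%[a-z]*}
    vk_let=${1#"$vk_num"}
    vk_ifs=$IFS; IFS=.
    set -- $vk_num
    IFS=$vk_ifs
    printf '%03d%03d%03d%d%s' "${1:-0}" "${2:-0}" "${3:-0}" "${#vk_let}" "$vk_let"
}

# Succeeds when version $1 is older than version $2.
openssl_version_lt() {
    LC_ALL=C expr "$(version_key "$1")" \< "$(version_key "$2")" >/dev/null
}

# Report each path given (or the default locations) and return non-zero if any
# copy is older than $REQUIRED. /usr/local/ssl is OpenSSL's default prefix;
# the other non-Apple paths are assumptions about where a rebuilt copy may land.
audit_openssl_copies() {
    [ $# -gt 0 ] || set -- /usr/bin/openssl /usr/local/bin/openssl \
                            /usr/local/ssl/bin/openssl /opt/local/bin/openssl
    ao_stale=0
    for ao_bin in "$@"; do
        [ -x "$ao_bin" ] || continue
        ao_ver=$("$ao_bin" version 2>/dev/null | awk '{print $2; exit}')
        if [ -z "$ao_ver" ]; then
            echo "UNKNOWN  $ao_bin"
        elif openssl_version_lt "$ao_ver" "$REQUIRED"; then
            echo "OUTDATED $ao_bin ($ao_ver < $REQUIRED)"
            ao_stale=$((ao_stale + 1))
        else
            echo "OK       $ao_bin ($ao_ver)"
        fi
    done
    [ "$ao_stale" -eq 0 ]
}

# Set RUN_AUDIT=1 to scan the default locations when run as a script.
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit_openssl_copies "$@"; fi
```

Applications link against libssl and libcrypto rather than the command-line binary, so this is an inventory of installed copies, not proof of what a given program loads.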