Re-enabling old ciphers in openssl

Dan Mahoney (Gushi) freebsd at gushi.org
Sun Dec 27 23:49:17 UTC 2020


Hey there all.

This is a "don't try this at home" question.  This is not something I'm 
asking how to do in the general case, but I'd like to know.

It seems recently (since 1.1.1), OpenSSL has deprecated a number of 
ciphers, and made them a compile-time default disable.

What this means is that any app that you want to use those with is also 
unable to use them.

And sure, if that app is "Firefox for day to day browsing", that's fine.

As a sysadmin, I have a need to connect to older Dell iDRACs.  I have a 
need to be able to use Nagios plugins linked against libssl and libcrypto, 
like check_http.  I have a need to be able to use openssl s_client 
-connect.  I occasionally need to ssh in to Cisco switches or APC PDUs 
that support older ciphers or shorter ssl key lengths (like RSA 768).

Sometimes, to manage these things, I need old versions of Java and even 
Flash.  I need to tell browsers that self-signed certs are "okay".  I need 
to use VMs with IE6 because my job is dumb.  (This isn't a ports problem, 
just a way-of-life descriptor.)  I just this year retired my last Windows 
95 machine, which was running a door-control system for building access 
cards.  Sysadmins occasionally work with shoestring budgets and are often 
forced to retrocompute.

These systems are protected by ACLs and VPNs, and the best certs they can 
take.  They are not world-facing.

Ergo, I am wondering what the best way forward is to get a reasonably 
patched version of openssl that has old ciphers turned on (since it is 
still possible at compile-time, the code hasn't been outright removed), 
that I can build *some* subset of ports against.

Here are the questions I can't seem to answer:

1) There's no make.conf entry to override the openssl ciphers.  This needs 
to be done at the port level.  (Probably reasonable; I don't think there 
should be an insecure "flavor".)  But in the interest of making things 
reproducible, is there a "standard" way to keep this consistent without 
running "make config" every time, or echoing options into 
/var/db/ports/security-openssl/options?

2) I'm unclear as to what to put in make.conf to tell ONE PORT to use the 
openssl from ports, while I want all the others to use base.  I know this 
is in some cases asking for trouble, but the nagios plugins are standalone 
binaries.  Is there some method in make.conf or on the port command line 
to tell ONE PORT to use a defaults+=ssl-openssl without making it the 
default for ALL PORTS?

3) If I do all that, ports seems to lack a standard way to build static 
binaries, which is what I'd really like.  Is there an easy way to do this, 
or is it best to work outside the ports system at that point?

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
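Questions 1 and 2 above both come down to scoping a ports setting to a single port rather than the whole system. The following /etc/make.conf fragment is an added example, not something from the original post or from the FreeBSD ports tree; it uses the standard make.conf(5) `.if ${.CURDIR:M...}` conditional, the `DEFAULT_VERSIONS` knob from the ports framework, and the per-port `<category>_<port>_SET` options mechanism. The port path net-mgmt/nagios-plugins and the option name OPTION_NAME are assumptions: the real option names for security/openssl should be read from the port itself.

```make
# Added example (not from the original post): /etc/make.conf fragment that
# confines the ports OpenSSL to one port instead of changing the system-wide
# default. .CURDIR is the port directory being built, so this block only
# fires for the assumed port net-mgmt/nagios-plugins; every other port keeps
# linking against the base-system OpenSSL.
.if ${.CURDIR:M*/net-mgmt/nagios-plugins}
DEFAULT_VERSIONS+=	ssl=openssl
.endif

# Pin the security/openssl port's options here so "make config" is never
# needed and the build is reproducible from make.conf alone.
# OPTION_NAME is a placeholder; list the real option names with:
#   make -C /usr/ports/security/openssl showconfig
security_openssl_SET+=	OPTION_NAME
```

Because the conditional only matches while that one port directory is being built, the binaries produced from it are the only ones linked against the weakened library, which keeps the exposure to the handful of tools that talk to the legacy devices. The same scoping means dependencies of that port are built outside the block and will not see the `DEFAULT_VERSIONS` change, so a port with shared-library dependencies that also link libssl can end up with mixed linkage; that is the "asking for trouble" case the post mentions, and it is the reason standalone binaries such as the Nagios plugins are the safer candidates for this treatment.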
