Re-enabling old ciphers in openssl

Russell L. Carter rcarter at pinyon.org
Mon Dec 28 00:58:53 UTC 2020 

On 12/27/20 4:49 PM, Dan Mahoney (Gushi) wrote:
> Hey there all.

[...]

> Here are the questions I can't seem to answer:
> 
> 1) There's no make.conf entry to override the openssl ciphers.  This 
> needs to be done at the port level.  (Probably reasonable, I don't think 
> there should be an insecure "flavor")  But in the interest of making 
> things reproducible, is there a "Standard" way to keep this consistent 
> without running "make config" every time, or echo'ing options into 
> /var/db/ports/security-openssl/options?
> 
> 2) I'm unclear as to what to put in make.conf to tell ONE PORT to use 
> the openssl from ports, while I want all the others to use base.  I know 
> this is in some cases askign for trouble, but the nagios plugins are 
> standalone binaries.  Is there some method in make.conf or on the port 
> command line to tell ONE PORT to use a defaults+=ssl-openssl without 
> making it the default for ALL PORTS?
> 
> 3) If I do all that, ports seems to lack a standard way to build static 
> binaries, which is what I'd really like.  Is there an easy way to do 
> this, or is it best to work outside the ports system at that point?
> 
> -Dan
> 


Not judging.  I am always in some sort of disagreement with the
otherwise world-class ports+poudriere system of FreeBSD package
management.  Like, now, texlive.  And I locally maintain a
fluctuating group that occasionally has members migrate back
into mainstream ports because my disagreement is no longer
material.

If I was in your situation, I would start with whatever version of
openssl works best for the obsolete packages you want to link/plugin
against.  Stuff the source down into /usr/local/pkg/repo/openssl1,
write some 15 liner shell scripts to configure, build, and install
it to /usr/local/pkg/lib.  In my experience one needs to fixup
PREFIX and occasionally rpaths.  Other hacks go into a git branch
in the repo.  Setup your path for your obsolete packages user
account and off you go.  (Could be some dependency hell in your
future, I would keep it simple.)

*or*

Install an ancien version of FreeBSD that does what you want
in a vm.  No idea how to deal with the packages for that system,
maybe it's trivial.  This method is how I deal with Unifi software
(on old debian versions) after battling the outdated "*" problem
for years.  Works great with bhyve.  If I want a current version
of something that doesn't work great in the obsolete version and
is orthogonal to the support task at hand I generally just try to
configure, build, and install it to... /usr/local/pkg in the vm
Compared to dealing with this before, now my life is awesome.
OMG I forgot FreeBSD => jails.  I don't use jails but that would
be the quickest route here I'm guessing.

I am assuming here that you don't need any big frameworks, because
then I doubt it would make sense at all to battle the problem this
way.

Good luck!
Russell

More information about the freebsd-ports mailing list