About protocols in openssl

[Pete Wright]

On 2020-02-27 11:42, Willem Jan Withagen wrote:
> On 27-2-2020 20:25, Miroslav Lachman wrote:
>> Willem Jan Withagen wrote on 2020/02/27 20:00:
>>> Hi,
>>>
>>> My ceph ports uses all kinds of python stuff, and now the trouble is 
>>> that I'm getting
>>> an error on missing:
>>>      SSLv3_client_method
>>>
>>> Which i guess, is because in the current openssl libs SSLv3 is 
>>> disabled.
>>> And I sort of get this, SSLv3 is unsafe.
>>>
>>> But I need it to be able to run parts of the ceph port.
>>>
>>> So how do I get a openssl lib dependancy that has SSLv3 enabled.
>>
>> You can build OpenSSL 1.1.1 from the ports where you can enable SSLv3 
>> in the options dialog.
>>
>> https://www.freshports.org/security/openssl/
>>
>> The defaults are:
>> ====> Protocol Support
>> NEXTPROTONEG=on: Next Protocol Negotiation (SPDY)
>> SCTP=on: SCTP (Stream Control Transmission)
>> SSL3=off: SSLv3 (unsafe)
>> TLS1=on: TLSv1.0 (requires TLS1_1, TLS1_2)
>> TLS1_1=on: TLSv1.1 (requires TLS1_2)
>> TLS1_2=on: TLSv1.2
>
> Yup, this is what I did, and that works.
> But how do I do that for a port? And the make sure that the installer 
> of the ceph-package gets an openssl that had SSLv3
It may be best to build an internal package with the options you need 
configured accordingly.  I do this via poudriere for some of my internal 
software.  For example I have this file on my package builder:
/usr/local/etc/poudriere.d/make.conf

which contains the following:
x11-servers_xorg-server_SET=FIXDRM

I think this matches the same format of make.conf you would use if 
building the ports tree locally.

-pete

-- 
Pete Wright
pete at nomadlogic.org
@nomadlogicLA