About protocols in openssl

Willem Jan Withagen wjw at digiware.nl
Thu Feb 27 21:11:17 UTC 2020


On 27-2-2020 21:53, Mathieu Arnold wrote:
> On Thu, Feb 27, 2020 at 12:45:51PM -0800, Freddie Cash wrote:
>> On Thu, Feb 27, 2020, 12:37 PM Willem Jan Withagen, <wjw at digiware.nl> wrote:
>>
>>> Interesting, but not quite what I want....
>>> It is not for personal usage, but for ports that I have committed to the
>>> ports collection, and want to upgrade.
>>> And yes, fixing openssl works for this problem, but it is not only my
>>> problem.
>>>
>>> I maintain these Ceph ports, and now upstream uses a python module that
>>> expects SSLv3 to be available in the openssl that it encounters on the system.
>>> And the question is how to accommodate that?
>>> Short of embedding my own openssl libs with the ceph-libs, thus creating
>>> a huge maintenance problem.
>>>
>>> I could also argue that switching off SSLv3 in a generic library is sort
>>> of impractical, even if it is a protocol that we want to eradicate.
>>> But I guess that the maintainers of openssl have decided that this is
>>> the smart thing to do.
>>> And I'm in peace with that, but now require an escape from this catch-22.
>>>
>>> --WjW
>>>
>> There's no mechanism in the ports tree framework for port X to depend on
>> feature Y being enabled in port Z.
>>
>> All you can do is add a pkg-message alert to your ceph port saying the user
>> needs to compile the openssl port with SSLv3 enabled.
>>
>> You could create a slave port for openssl that has that option enabled,
>> then depend on that slave port. But that might create dependency issues
>> elsewhere.
> You can do it, but nobody will commit that kind of change.  The choice
> of which OpenSSL version to use is a user facing change, and it is done
> globally.
>
> As a side note, SSLv3 is going away, anything done right now that needs
> it is doomed.
I wholeheartedly agree, SSLv3 is a pain that should go. I've excluded it
on webservers already for ages. And TLS1 and TLS1.1 are going down the same path.

But nonetheless I run into this problem that a python module
does not want to load because the included .so is looking for SSLv3
stuff during.

Adding an openssl port with SSLv3 enabled would be an option, and as long
as it builds on the regular openssl port it would be a compatible library.
I only fear for the tantrum that `pkg install` is going to throw, when
installing openssl-sslv3 is going to override openssl. Nothing but matching paths.
Doubt if that is going to be workable?

--WjW
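The load failure described above (a Python extension's .so referencing SSLv3 symbols that a libssl built with no-ssl3 no longer exports) can be diagnosed from the dynamic symbol tables before touching any port. The script below is an added example written for this page; it is not code from the thread, from Ceph, or from the FreeBSD ports framework. It assumes `nm -D` is available, and the `nm` outputs embedded as test data, the module name `_sslmod` and the symbol addresses are constructed for illustration.

```python
"""Find SSLv2/SSLv3-era symbols a shared object needs but the system libssl
lacks. Added example, not from the mailing-list thread or any project it names.

Usage: python3 sslv3_symbols.py /path/to/module.so /path/to/libssl.so
"""
import re
import ssl
import subprocess
import sys
from typing import Dict, Set

# Exported methods that vanish when OpenSSL is built with no-ssl2/no-ssl3.
# SSLv23_method (the generic alias of TLS_method) intentionally does not match.
LEGACY_SSL_RE = re.compile(r"^SSLv(2|3)_(client_|server_)?method$")

# nm symbol types that mean "this object defines the symbol".
DEFINED_TYPES = set("TtWwDdBbRrVvi")


def parse_nm(output: str) -> Dict[str, str]:
    """Parse `nm -D` text into {symbol_name: nm_type}.

    Defined symbols print as '<addr> <type> <name>'; undefined ones omit the
    address, leaving '<type> <name>'. Version suffixes such as
    'SSL_CTX_new@@OPENSSL_1_1_0' are stripped so names compare cleanly.
    """
    syms: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3:
            _addr, typ, name = parts
        elif len(parts) == 2:
            typ, name = parts
        else:
            continue
        syms[name.split("@")[0]] = typ
    return syms


def undefined_symbols(syms: Dict[str, str]) -> Set[str]:
    """Symbols the object imports. Only strong 'U' references break loading;
    weak undefined ('w') references are tolerated by the dynamic linker."""
    return {name for name, typ in syms.items() if typ == "U"}


def defined_symbols(syms: Dict[str, str]) -> Set[str]:
    return {name for name, typ in syms.items() if typ in DEFINED_TYPES}


def legacy_needs(module_nm: str, libssl_nm: str) -> Dict[str, list]:
    """Report the SSLv2/SSLv3 methods the module imports and which of them
    the given libssl fails to export (the ones that cause the load error)."""
    needed = {n for n in undefined_symbols(parse_nm(module_nm)) if LEGACY_SSL_RE.match(n)}
    provided = defined_symbols(parse_nm(libssl_nm))
    return {"needed": sorted(needed), "missing": sorted(needed - provided)}


def run_nm(path: str) -> str:
    """Run the system `nm -D` on a shared object and return its output."""
    return subprocess.run(["nm", "-D", path], capture_output=True, text=True, check=True).stdout


def stdlib_ssl_reports_sslv3() -> bool:
    """True if the interpreter's own ssl module was built against an OpenSSL
    that still exposes SSLv3 (the constant is absent otherwise)."""
    return hasattr(ssl, "PROTOCOL_SSLv3")


# Constructed sample data: a hypothetical extension module and two libssl builds.
MODULE_NM = """\
                 U SSLv3_method
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U PyModule_Create2
0000000000001120 T PyInit__sslmod
"""
LIBSSL_NO_SSL3_NM = """\
0000000000032a40 T SSL_CTX_new@@OPENSSL_1_1_0
0000000000041f00 T TLS_method@@OPENSSL_1_1_0
0000000000041f80 T SSLv23_method@@OPENSSL_1_1_0
"""
LIBSSL_WITH_SSL3_NM = LIBSSL_NO_SSL3_NM + "0000000000042000 T SSLv3_method@@OPENSSL_1_1_0\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = legacy_needs(run_nm(sys.argv[1]), run_nm(sys.argv[2]))
    else:
        report = legacy_needs(MODULE_NM, LIBSSL_NO_SSL3_NM)
    print("legacy symbols imported:", report["needed"])
    print("not exported by libssl: ", report["missing"])
    print("python ssl module has PROTOCOL_SSLv3:", stdlib_ssl_reports_sslv3())
```

An empty `missing` list with a non-empty `needed` list means the module would load against that libssl but still hard-depends on SSLv3 entry points, which is the same dead end the reply above warns about; the fix belongs upstream in the module, not in a rebuilt OpenSSL.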
