Re: OpenSSL in the FreeBSD base system / FreeBSD 14

From: Ed Maste <emaste_at_freebsd.org>
Date: Thu, 20 Apr 2023 18:46:08 UTC

On Thu, 20 Apr 2023 at 09:14, Joerg Pulz <Joerg.Pulz@frm2.tum.de> wrote:
>
> Would the OpenSSL privatelib change mean that it's no longer possible to
> build and link base software against libs from ports given that those libs
> are linked to OpenSSL from ports then?
>
> e.g. link base Sendmail (with OpenSSL privatelib) with libsasl from
> security/cyrus-sasl2 and libldap from net/openldap26-client which are then
> linked with libssl and libcrypto from security/openssl
>
> or
>
> link base Heimdal (with OpenSSL privatelib) with libldap from
> net/openldap26-client which is then linked with libssl and libcrypto
> from security/openssl
>
> Both examples above are maybe not common but in use by myself since
> "ages".

Yes, I believe privatelib would preclude use cases like this.

The problem is that we have conflicting constraints: OpenSSL 1.1.1 is
EOL shortly after 14.0 releases, and there are ports that do not yet
build against OpenSSL 3. I am not sure how much will be broken if we
update the base system to OpenSSL 3 but leave the privatelib aside
(i.e., have the base system provide OpenSSL 3 to ports).

> If such setups will no longer work with OpenSSL privatelib and updating
> OpenSSL in base is such a complicated, heavy and time consuming task, one
> could ask - why use OpenSSL instead of one other SSL implementation in
> base at all?

This is a good question, and is something that's been discussed on
occasion. The base system has some components that depend on OpenSSL
right now. If we switch to privatelib it is quite possible that we'll
migrate those to something else over time.