Re: OpenSSL 1.1.1t vs OpenSSL 3.1.4 linking on 13.2

From: Enji Cooper <yaneurabeya_at_gmail.com>
Date: Mon, 27 Nov 2023 16:16:36 UTC
> On Nov 26, 2023, at 20:15, Eugene Grosbein <eugen@grosbein.net> wrote:
> 
> 27.11.2023 8:00, Timothy Legge wrote:
> 
>> I have been updating a Perl CPAN module for OpenSSL v3. and ran into
>> an issue when testing in a clean FreeBSD 13.2 install with OpenSSL v3
>> installed.
>> 
>> So clean install and then install v3 via sudo pkg install openssl31
>> 
>> When I build Crtpt::OpenSSL::Blowfish (from
>> https://github.com/perl-openssl/perl-Crypt-OpenSSL-Blowfish.git) with:
>> 
>> perl Makefile.PL
>> make
>> 
>> It builds and links against openssl3.1.4
>> 
>> When I attempt:
>> 
>> make test
>> 
>> It attempts to load the openssl 1.1.1t library.
>> 
>> If I do:
>> 
>> export set OPENSSL_PREFIX=/usr
>> 
>> and add the following line to the Makefile.PL then
>> OpenSSL::Crypt::Guess correctly finds openssl 1.1.1t and links to it:
>> 
>> $args{CCFLAGS} = openssl_lib_paths();
>> 
>> So, is there a way on FreeBSD to figure out which openssl version is
>> the default?  Is there a method that you can think of that can solve
>> the linking/run issue without requiring the OPENSSL_PREFIX to be set
>> for Crypt::OpenSSL::Guess's benefit.
>> 
>> Any ideas are greatly appreciated.
> 
> If you are making a port then you should respect ssl=base/openssl111/whatever
> user setting in /etc/make.conf in DEFAULT_VERSIONS, so check for it in port's Makefile:
> 
> .if ${SSL_DEFAULT} == openssl111
> ...
> endif
> 
> If you want to provide packages for different openssl versions,
> you may consider adding FLAVORS to the port:
> 
> FLAVORS=        base openssl111 openssl30
> openssl111_PKGNAMESUFFIX=       -${FLAVOR}
> openssl30_PKGNAMESUFFIX=        -${FLAVOR}
> 
> .include <bsd.port.options.mk>
> .if ${SSL_DEFAULT} == openssl30
> FLAVOR= openssl30
> .endif
> 
> # For OpenSSL 3.0.x in base (14+) or installed as port/package
> .if ${OSVERSION} >= 1400092 || ${FLAVOR:U} == openssl30
> ...
> # For OpenSSL 1.1.x in base or installed as port/package
> .else
> ...
> .endif
> 
> This is just an example and you may want to support more openssl versions we have in ports.

I honestly think FLAVORS OpenSSL support should be added to ports . It would make some things considerably easier for self-standing apps (it would still be largely impossible if/when base system libraries like kerberos5 are linked in, though).
Cheers,
-Enji