State of LibreSSL in FreeBSD ports

From: Felix Palmen <>
Date: Sun, 03 Oct 2021 14:16:54 UTC

Hi all,

I wonder what's the state of LibreSSL in FreeBSD ports. Is it supported?
Reading the (kind of old) wiki entries, you could get the impression
that it is (so, one should expect no build errors when setting
DEFAULT_VERSIONS+= ssl=libressl).

Still, I've come across very unfortunate situations a few times. I'd
have to start with acknowledging that not all upstream projects are
willing to support LibreSSL. And that's probably an understandable
decision. Given the (constantly moving) OpenSSL API (so you already have
your code littered with checks for OPENSSL_VERSION_NUMBER) and given
that LibreSSL claims to be compatible but often isn't (so you'd have to
additionally litter LIBRESSL_VERSION_NUMBER all over the place and, even
worse, these checks will have to change over time), it's no surprise
some people don't want to waste their time on that.

So, supporting LibreSSL for these projects would mean maintaining local
patches in the port. Now add a maintainer who's unwilling to do *that*
kind of maintenance to the picture. Again, that's understandable (for
the same reasons as for upstream devs). It would leave one last resort:
mark the port BROKEN with LibreSSL. Not exactly what I would declare
"support", but at least, it would avoid "random" build failures.

Two examples I recently came across are freeradius and stunnel. With
freeradius[1], upstream sends kind of mixed signals, but in practice,
it's kind of obvious they'd rather not support LibreSSL. With
stunnel[2][3], upstream clearly stated they will not add any LibreSSL
support whatsoever. Still, the maintainer of the port repeatedly demands
taking patches upstream, just ignoring the fact this would be pointless.

I'd like to know whether there is any kind of policy on how LibreSSL should
be handled.

Is LibreSSL in FreeBSD ports

* supported, so ports should build with it if at all possible?
* supported on a "best effort" basis, so setting a port BROKEN is
  acceptable if maintaining (working) patches would be too much hassle?
* NOT supported at all, so random build failures with LibreSSL are fine?

Thank you!


 Dipl.-Inform. Felix Palmen
 PGP fingerprint: A891 3D55 5F2E 3A74 3965 B997 3EF2 8B0A BC02 DA2A