poudriere and WITH_OPENSSL_PORTS=YES

bw bw.mail.lists at gmail.com
Fri Mar 22 10:51:45 UTC 2013


What's the proper way to do it?

As far as I understand from googling around, and please correct me if 
I'm wrong, the way to compile ports with openssl is, first install 
openssl from ports, then add WITH_OPENSSL_PORTS=YES to make.conf, then 
compile everything that uses openssl. That is, with something like 
portmaster, not poudriere.

I tried adding WITH_OPENSSL_PORTS=YES to poudriere's make.conf, but it 
doesn't pull in openssl as a dependency. I suppose that is because it 
has to be already installed for the ports to see it at compile time and 
use that one instead of base. Which, I suppose, means that I should 
install openssl in poudriere's jail first and remember to upgrade it in 
that jail if needed before compiling stuff when it gets updated.

Is that correct? Is there a better way?

The way I thought it was going to work is add WITH_OPENSSL_PORTS=YES to 
poudriere's make.conf then openssl will be considered a dependency for 
any port that uses it and treated as such by poudriere.


On a side note, this might be totally unrelated, but I don't have a better 
place to ask about it anyway: the reason I need to do this is that I 
have Nginx as a load-balancing proxy talking to Apache backends over 
https. Apache is compiled with openssl from ports, while Nginx is 
compiled with base. The problem is that when I try to load one of the 
https websites, I get a 502 Bad Gateway in Nginx and the following error 
in nginx-error.log:

[error] 13004#0: *7 SSL_do_handshake() failed (SSL: error:1408E0F4:SSL 
routines:SSL3_GET_MESSAGE:unexpected message) while SSL handshaking to 
upstream, client: XXX.XXX.XXX.XXX, server: ssl.enabled.site.example.com, 
request: "GET /favicon.ico HTTP/1.1", upstream: 
"https://YYY.YYY.YYY.YYY:443/favicon.ico", host: 
"ssl.enabled.site.example.com"

There's another set of Nginx servers that are compiled with openssl from ports, 
just like Apache, and I don't get the error there. The 'workaround' I 
found (http://code.google.com/p/googleappengine/issues/detail?id=5075) 
is to add

proxy_ssl_session_reuse off;

to Nginx. This works, but I'd still like to know what is going on and 
why it works without that line on the Nginx servers compiled with the same 
version of openssl as Apache. I can't see anything in Apache's logs. The 
load balancing is done through ip_hash, which means that I should talk 
to the same Apache server every time, and it happens even if all 
backends except one are marked as down in the Nginx conf. The config files 
on all Nginx servers are identical.


More information about the freebsd-ports mailing list
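A diagnostic for the base-versus-ports OpenSSL mismatch the post describes, added here and not part of the original message: a small sh(1) helper that reads ldd(1) output and reports whether a binary (nginx, httpd) links against base OpenSSL or the security/openssl port, so the two ends of a proxied https connection can be compared. The ldd output layout, the /usr/lib and /lib (base) versus /usr/local/lib (ports) paths, and the library version numbers in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD ldd(1) prints
# lines like "libssl.so.N => /path/libssl.so.N (0x...)", that base OpenSSL
# lives under /usr/lib or /lib, and that the port installs to /usr/local/lib.

# classify_ssl LDD_OUTPUT: prints base, ports, mixed or none.
classify_ssl() {
    base=0
    ports=0
    # Third field of each libssl/libcrypto line is the resolved library path.
    for lib in $(printf '%s\n' "$1" | awk '/lib(ssl|crypto)\.so/ { print $3 }'); do
        case "$lib" in
            /usr/local/lib/*) ports=1 ;;
            /usr/lib/*|/lib/*) base=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$ports" -eq 1 ]; then
        echo ports
    elif [ "$base" -eq 1 ]; then
        echo base
    else
        echo none
    fi
}

# same_ssl LDD_OUTPUT_A LDD_OUTPUT_B: succeeds only when both binaries use the
# same OpenSSL flavour and neither is mixed or unlinked.
same_ssl() {
    a=$(classify_ssl "$1")
    b=$(classify_ssl "$2")
    case "$a" in mixed|none) return 1 ;; esac
    [ "$a" = "$b" ]
}

# report_binary PATH: run ldd on a real binary on this host and classify it.
report_binary() {
    printf '%s: %s OpenSSL\n' "$1" "$(classify_ssl "$(ldd "$1" 2>/dev/null)")"
}

# Constructed ldd output for the post's scenario: nginx against base OpenSSL,
# httpd against the port (version suffixes are made up).
NGINX_LDD='    libssl.so.6 => /usr/lib/libssl.so.6 (0x800a00000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c00000)'
HTTPD_LDD='    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)'
```

On a live host, `report_binary /usr/local/sbin/nginx` and `report_binary /usr/local/sbin/httpd` (paths assumed) show the two flavours side by side.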