ports requiring OpenSSL not honouring OpenSSL from ports
gemini at geminix.org
Fri May 2 06:24:28 UTC 2014
On 01.05.14 22:24, Michael Grimm wrote:
> On 01.05.2014, at 18:12, Uwe Doering <gemini at geminix.org> wrote:
>> And it is also not mentioned there that it is, to
>> my knowledge, considered good practice to have that setting in
>> "/etc/make.conf" in order to avoid any confusion about which port is
>> linked with what version of OpenSSL.
> Here's my question: Which knobs are considered good practice? Is it experience, is it gut feeling, religion, ...? I would love to see documentation covering the pros and cons of every "knob" ... I do not complain, I know, that is hard work and hard to accomplish.
> But any links to documents -besides the ones already mentioned- are highly appreciated.
Well, links to documents I cannot provide, but for years I at least have
only these settings in "/etc/make.conf":
Or rather, the last line I added only recently because I haven't
switched to the "pkg" port yet. And the first line is only relevant if
you compile your own modified kernel, like I do.
There can be other things in it like compiler switches, but I'm rather
conservative in this regard and try to keep defaults wherever I can,
because these mainstream settings are usually the best tested ones. I
need my servers to just run and do their job. In fact, I do not have the
time for surprises due to unnecessary experiments.
> E.g: excuse my ignorance, but should I stay with ...
> | www-jail> ldd `which nginx`
> | /usr/local/sbin/nginx:
> | libcrypt.so.5 => /lib/libcrypt.so.5 (0x8008aa000)
> ..., or would there be an alternative in ports? libgcrypt? or? (All my relevant services are run being compiled from ports, and within jails.)
Don't mix up "libcrypt" with "libcrypto". Only the latter has to do with
OpenSSL. If you install OpenSSL from ports you actually have two sets of
similarly named libs. One in "/lib", the other in "/usr/local/lib". In
my case (FreeBSD 8.4):
And while I don't have Nginx installed, here is the relevant "ldd" line
for Apache's "mod_ssl":
libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800d66000)
I would think that if you haven't had the "WITH_OPENSSL_PORT" directive
in "/etc/make.conf" so far it would be best to make sure that you have
the latest version of OpenSSL from ports installed and then reinstall
all packages that depend on OpenSSL. "portmaster", for instance, has the
"-r" option to do this automatically in one go.
Uwe Doering | EscapeBox - IT Consulting
gemini at geminix.org | http://www.escapebox.net
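
Added example, not part of the original message: an sh script for the check discussed above. It reads "ldd" output and reports whether libssl/libcrypto resolve to the base system ("/lib", "/usr/lib") or to ports ("/usr/local/lib"), ignoring libcrypt. The function names and the sample ldd output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether a binary's OpenSSL libraries come from the
# base system or from ports, given `ldd` output on stdin.

# Print "<lib> <origin> <path>" for each OpenSSL library in the ldd output.
# Only libssl and libcrypto are matched; libcrypt (crypt(3)) is not OpenSSL.
classify_openssl_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
        origin = "other"
        if ($3 ~ /^\/usr\/local\/lib\//)   origin = "ports"
        else if ($3 ~ /^\/(usr\/)?lib\//)  origin = "base"
        print $1, origin, $3
    }'
}

# Summarise the origins seen: none | base | ports | other | mixed
openssl_origin() {
    classify_openssl_libs | awk '
        { seen[$2] = 1 }
        END {
            n = 0
            for (o in seen) { n++; last = o }
            if (n == 0)      print "none"
            else if (n == 1) print last
            else             print "mixed"
        }'
}

# Constructed sample input (not real output from any host in the thread):
# libssl resolves to ports while libcrypto still resolves to base.
SAMPLE_MIXED='/usr/local/sbin/example:
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x8008aa000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800b00000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800d66000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

printf '%s\n' "$SAMPLE_MIXED" | classify_openssl_libs
printf 'origin: %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | openssl_origin)"
# On a real system: ldd /usr/local/sbin/nginx | openssl_origin
```

A result of "mixed" or "base" for a port built after setting "WITH_OPENSSL_PORT" marks a package that still needs to be reinstalled.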