Breaking SSL options: Which to use to build 1000 ports?
Julian H. Stacey
jhs at berklix.com
Thu Dec 1 01:37:36 UTC 2016
Don Lewis wrote:
> On 30 Nov, Julian H. Stacey wrote:
> > Hi ports at freebsd.org
> > Advice Please:
> > I need some SSL settings I can compile 1000 ports with.
> > I don't care which SSL. (Any of eg base from src/ or any from devel/ )
> > I don't care if SSL fails to run on most ports.
> > I need 1000 ports to compile & install, & stop wasting my time with SSL.
> > SSL will not even be used in most cases,
> > Here's a small subset of ever growing DUDS= fail to build because of SSL:
> > arandr fetchmail fvwm2 xf86-input-keyboard xf86-input-mouse
> > xf86-video-chips xf86-video-fbdev xf86-video-neomagic
> > xf86-video-vesa xorg xorg-apps xorg-server
> >
> > I make ports from sources, never packages, using ports/*/Makefile.local
> > with SUBDIR+= ports_i_want
> >
> > I purged some old old duplicate bins & libs, & now need to do eg
> > cd /usr/ports ; make BERKLIX_CLIENT=YES BERKLIX_SERVER=YES install
> > Lots of ports fail to build, no matter which SSL options I try,
> > currently (with make.conf below) I'm seeing a dependent port eg:
> > cd /usr/ports/security/p5-GSSAPI ; make
> > ===> p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
> > GSSAPI from base, please select another GSSAPI value.
> >
> > I can't revert to src/ base as loads of ports want devel/openssl
> > pkg delete openssl-1.0.2j_1,1 # Number of packages to be removed: 149
> >
> > FreeBSD's SSL defaults seem a mess : complex, breaking on loads
> > of ports, inadequately documented, insufficiently clear error messages.
> >
> > My current /etc/make.conf:
> > ----------------
> > # GSSAPI: Generic Security Services Application Program Interface
> > # http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
> > # /usr/ports/Mk/Uses/gssapi.mk:
> > # You are using OpenSSL from ports and have selected
> > # GSSAPI from base, please select another GSSAPI value.
> > # cd /usr/ports/security/openssl; echo ../*ssl*
> > # SSL_DEFAULT=base # Disapproved of by
> > # /usr/ports/Mk/bsd.default-versions.mk
> > # which instead recommends:
> > # DEFAULT_VERSIONS+=ssl=base
> > # DEFAULT_VERSIONS+=ssl=openssl
> > # Possible values: base, openssl, openssl-devel, libressl, libressl-devel
> > # & also has:
> > # WITH_OPENSSL_*
> > DEFAULT_VERSIONS+=ssl=openssl
> > # WITH_OPENSSL="YES"
> > # WITH_OPENSSL="openssl"
> > # WITH_OPENSSL_PORT="YES"
> > # WITH_OPENSSL_PORT="openssl"
> > # SEE ALSO
> > # /etc/src.conf (used only by src/),
> > # whereas this make.conf used by both src/ & ports/.
> > # https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
> > # WITH_OPENSSL_PORT WITH_OPENSSL_BASE
> > # man 7 ports
> > # /usr/ports/Mk/Uses/gssapi.mk
> > ----------------
> >
> > Advice welcome, Thanks !
>
> This is what I use in /etc/make.conf to build ports with openssl from
> ports:
>
> WITH_OPENSSL_PORT=yes
> DEFAULT_VERSIONS+=ssl=openssl
> OPTIONS_SET=GSSAPI_NONE KRB_NONE
> OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS
>
> The GSSAPI and KERBEROS adjustments are needed because openssl from
> ports can't be combined with base gssapi / kerberos. GSSAPI_HEIMDAL or
> GSSAPI_MIT should also work, likewise KRB_HEIMDAL or KRB_MIT.
Valuable magic ! Saved me lots of time, Thanks Don !
I also added WITHOUT_KERBEROS="TRUE" to /etc/src.conf & removed
/usr/lib/
libgssapi.a libgssapi_ntlm.so.10 libkrb5.so.11
libgssapi.so libgssapi_ntlm_p.a libkrb5_p.a
libgssapi.so.10 libgssapi_p.a librpcsec_gss.a
libgssapi_krb5.a libgssapi_spnego.a librpcsec_gss.so
libgssapi_krb5.so libgssapi_spnego.so librpcsec_gss.so.1
libgssapi_krb5.so.10 libgssapi_spnego.so.10 pam_krb5.so
libgssapi_krb5_p.a libgssapi_spnego_p.a pam_krb5.so.6
libgssapi_ntlm.a libkrb5.a
libgssapi_ntlm.so libkrb5.so
/usr/include/
krb5/ krb5-protos.h krb5.h krb5_ccapi.h openssl/
krb5-private.h krb5-types.h krb5_asn1.h krb5_err.h
& ldconfig -R
I seem to be making some progress now, Thanks :-)
Maybe we could have a handbook section for it starting from the above to
help people, without arousing the ire of people Mathieu Arnold referred to ?
Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich
Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
http://berklix.eu/brexit/#stolen_votes
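
Added example, not part of either poster's message: a small sh lint for the conflict discussed in this thread, an ssl flavour from ports selected in make.conf while no non-base GSSAPI is chosen globally. The function names and sample files are constructed for illustration, the check looks only at global make.conf settings (not per-port options), and it assumes that no explicit ssl= entry means base.

```shell
#!/bin/sh
# Added example: lint a make.conf for the ssl-from-ports vs base-GSSAPI conflict.
# Heuristic only: global settings, not per-port options files.

# Print the active (uncommented) words assigned to a make variable, one per line.
conf_words() {   # $1 = file, $2 = variable name
    sed -e 's/#.*//' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*[+]\{0,1\}=//p" |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Return 0 if the settings are consistent, 1 if the gssapi.mk error is likely.
check_ssl_gssapi() {   # $1 = path to make.conf
    ssl=$(conf_words "$1" DEFAULT_VERSIONS | sed -n 's/^ssl=//p' | tail -n 1)
    [ -n "$ssl" ] || ssl=base   # assumption: no explicit choice means base
    if [ "$ssl" = base ]; then
        echo "ssl=base: base GSSAPI/Kerberos can stay selected"
        return 0
    fi
    set_opts=$(conf_words "$1" OPTIONS_SET)
    for want in GSSAPI_NONE GSSAPI_HEIMDAL GSSAPI_MIT; do
        if printf '%s\n' "$set_opts" | grep -qx "$want"; then
            echo "ssl=$ssl with $want: consistent"
            return 0
        fi
    done
    echo "ssl=$ssl but no non-base GSSAPI in OPTIONS_SET: expect the gssapi.mk error"
    return 1
}

# Constructed sample inputs: the setting that failed and the one reported to work.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'DEFAULT_VERSIONS+=ssl=openssl' > "$d/bad.conf"
    printf '%s\n' 'WITH_OPENSSL_PORT=yes' 'DEFAULT_VERSIONS+=ssl=openssl' \
        'OPTIONS_SET=GSSAPI_NONE KRB_NONE' \
        'OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS' > "$d/good.conf"
    check_ssl_gssapi "$d/bad.conf"; bad=$?
    check_ssl_gssapi "$d/good.conf"; good=$?
    rm -rf "$d"
    [ "$bad" -eq 1 ] && [ "$good" -eq 0 ]
}
demo
```
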