ignoring openssl port

Toomas Aas toomas.aas at raad.tartu.ee
Tue Oct 14 06:37:10 PDT 2003


Hello!

On Mon, 4 Aug 2003 14:48:38 +0300, I wrote:

> Some of my machines were running RELENG_4_7 when I installed ports such
> as apache13_modssl and cyrus-imapd on them. Since that version of
> FreeBSD had OpenSSL 0.9.6 in the base system and these ports required
> 0.9.7, I ended up with openssl port installed on these systems.

> Now that I'm upgrading to RELENG_4_8, which includes OpenSSL 0.9.7, I
> want to get rid of the port. It would just feel cleaner to not have
> multiple versions of same libraries in /usr/lib and /usr/local/lib.

Among several recommendations of how to get rid of the port, the best 
one seemed to be from Matthew Seaman: define WITH_OPENSSL_BASE=yes, 
rebuild the dependent ports (make build while the old port is still 
running), and then "make install" the port. Then remove the OpenSSL 
port.

Back then I decided that I could live with both the base and port 
versions of OpenSSL installed, and I decided not to spend time on 
following this advice.

Now, in light of recent OpenSSL security advisories, something needs to 
be done. I have upgraded the base system to 4.8-RELEASE-p13, so the 
base OpenSSL should be safe. I have two options right now:

(1) upgrade the port
(2) get rid of the port, leaving only the base system OpenSSL installed 
    (what I wanted to do back in August)

I'd like to use option (2), so I tried to follow Matthew Seaman's 
advice. I put WITH_OPENSSL_BASE=yes into /etc/make.conf and tried to 
run 'make build' in /usr/ports/www/apache13-modssl. This resulted in 
the following message:

This port wants the OpenSSL library from the FreeBSD base system. You 
can't build against it, while a newer Version is installed by a port.
Please deinstall the port or undefine WITH_OPENSSL_BASE.

I found the place which causes this message in 
/usr/ports/Mk/bsd.port.mk:

.if exists(${LOCALBASE}/lib/libcrypto.so)
.BEGIN:
       @${ECHO_CMD} "This port wants the OpenSSL library from the FreeBSD"
       @${ECHO_CMD} "base system. You can't build against it, while a newer"
       @${ECHO_CMD} "Version is installed by a port."
       @${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
       @${FALSE}
.endif

Looking at this while not being a Makefile guru, it seems to me that 
this merely checks if /usr/local/lib/libcrypto.so exists and if it does 
then the port build process is halted with the message. But this would 
mean that WITH_OPENSSL_BASE cannot be used at all if the port is 
installed. If that were true, there wouldn't be any point in having 
this variable in the first place, so I must be overlooking something.

Anyway, I tried commenting out the above passage in 
/usr/ports/Mk/bsd.port.mk and rebuilding another port which depends on 
OpenSSL, namely /usr/ports/ftp/wget. I checked with 
ldd /usr/local/bin/wget 
before and after installing and this showed that now I indeed have wget 
linked against /usr/lib/libssl.so.3, whereas before it was linked 
against /usr/local/lib/libssl.so.3.

Before I try the same with apache13-modssl port, I just wanted to 
verify if commenting out the above passage in /usr/ports/Mk/bsd.port.mk 
can cause any unforeseen damage.

Sorry for the long message. When I started out I didn't realise that 
it takes so many keystrokes to word such a simple question ;-)
--
Toomas Aas | toomas.aas at raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Key ring - a handy little gadget that allows you to lose all your keys at once.
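
Added example, not part of the original message: the ldd check described above, generalized from one binary to a whole directory and extended to flag the "mixed" case where libssl and libcrypto resolve from different prefixes after a partial rebuild. The function names and the sample ldd output are constructed for illustration; LOCALBASE is assumed to be /usr/local unless set.

```shell
#!/bin/sh
# Added example: report which OpenSSL copy (base or port) binaries link against.
LOCALBASE="${LOCALBASE:-/usr/local}"   # ports prefix; assumed default

# Reads `ldd` output on stdin; prints one of: port, base, mixed, none.
classify_ldd() {
    awk -v lb="$LOCALBASE/lib/" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, lb) == 1) port++   # resolved under the ports prefix
            else                    base++   # resolved elsewhere, e.g. /usr/lib
        }
        END {
            if (port && base) print "mixed"
            else if (port)    print "port"
            else if (base)    print "base"
            else              print "none"
        }'
}

# List every executable in a directory that still pulls in the port's OpenSSL.
audit_dir() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            verdict=$(ldd "$f" 2>/dev/null | classify_ldd)
            case "$verdict" in
                port|mixed) printf '%s\t%s\n' "$verdict" "$f" ;;
            esac
        fi
    done
}

# Constructed ldd output for testing the classifier offline.
sample_before() { printf '%s\n' '/usr/local/bin/wget:' \
    '  libssl.so.3 => /usr/local/lib/libssl.so.3 (0x2807c000)' \
    '  libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280ab000)' \
    '  libc.so.4 => /usr/lib/libc.so.4 (0x281a2000)'; }
sample_after() { printf '%s\n' '/usr/local/bin/wget:' \
    '  libssl.so.3 => /usr/lib/libssl.so.3 (0x2807c000)' \
    '  libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280ab000)' \
    '  libc.so.4 => /usr/lib/libc.so.4 (0x281a2000)'; }
sample_mixed() { printf '%s\n' '/usr/local/sbin/httpd:' \
    '  libssl.so.3 => /usr/lib/libssl.so.3 (0x2807c000)' \
    '  libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280ab000)'; }

# With a directory argument, audit it; otherwise classify the constructed samples.
if [ $# -gt 0 ]; then audit_dir "$1"; else
    for s in sample_before sample_after sample_mixed; do
        printf '%s: %s\n' "$s" "$($s | classify_ldd)"
    done
fi
```

Running it against /usr/local/bin and /usr/local/sbin before deinstalling the port shows which dependent ports still need a rebuild.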
