OpenSSL Base vs. OpenSSL Port?

Wed Jun 17 07:07:23 UTC 2009

>I had been running 6.2 with openssl base for quite a while. Then I
>attempted to implement the dkim-filter port which required using openssl
>to generate keys.  That's when I noticed that openssl is broken on my
>machine.  See this example:

># openssl genrsa -out rsa.private 1024
>Error configuring OpenSSL
>28086:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd
>name:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_ctrl.c:318:
>28086:error:0E07406D:configuration file
>routines:CONF_modules_load:module initialization
>error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto
>/conf/conf_mod.c:234:module=engines,
>value=openssl_engines, retcode=-1

>So I thought rebuilding world might fix it and while I was at it, I
>upgraded to 6.4 but still have the same problem.

I'm not familiar with this problem.  If you have the a supported version of 6.X
installed, and you've read the documentation, and are convinced that the error
is due to some problem with the openssl in base, then you should submit a PR:

http://www.freebsd.org/support/bugreports.html

>Next I tried installing openssl from ports.  This openssl seems to work:

># /usr/local/bin/openssl genrsa -out rsa.private 1024
>Generating RSA private key, 1024 bit long modulus
>..............................................................++++++
>..............++++++
>e is 65537 (0x10001)

>But now I am unclear as to what state my system is in.  What is the
>preferred method for using openssl from ports vs. using openssl base.  I
>don't really care which I use but want to avoid trouble with multiple
>versions of openssl and/or ports compiled against the wrong version.
>I've been Googling all day but can not find a clear guide.

No need to waste time googling -- just go straight to the code, the
port makefiles
on your system that actually _do_ the work -- in this case
/usr/ports/Mk/bsd.openssl.mk
(or substitute the value of PORTSDIR for /usr/ports if you've got your
Ports tree in some
nondefault location). There you will see some comments and the actual code
governing the use of the variables.

>Specifically, what should I have in my /etc/make.conf and what
>portupgrade command should I use to ensure things are build against the
>correct openssl?  I've seen things like OPENSSL_OVERWRITE_BASE=yes,
>NO_OPENSSL=yes, WITH_OPENSSL_PORT=yes, WITH_OPENSSL_BETA=yes, and
>portupgrade -rf openssl but remain confused.

Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is a good
way -- and then rebuild all ports that depend on openssl.  There are
many different
ways to do this -- you could use:

pkgdb -L && portupgrade -fur openssl-*

(The first command may not be necessary, but I find that the
dependencies of some
ports on openssl are sometimes missing from the pkgdb, and need to be added.)

or

portmaster -t -r openssl-*

for example.  Note that this will only ensure that ports that correctly use
USE_OPENSSL are linked to the proper version of openssl -- some ports may
not have been constructed properly, and may still end up being linked
to the base
openssl.  You can check if there are any such ports by using ldd(1) or
the sysutils/libchk
port.

b.