OpenSSL from Ports

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jul 30 21:18:32 UTC 2012


On 30/07/2012 21:38, Chuck Burns wrote:
> On Mon, 30 Jul 2012 21:01:23 +0200
> Beat Siegenthaler <beat.siegenthaler at beatsnet.com> wrote:

>> It seems to be important to know, what "build from port" means. There is
>> still some tweaking necessary.

> Is it possible that openssl in base is just left over from the
> previous world? I don't think "build from ports" entails removing
> something from the disk, just that it isn't rebuilt when buildworld is
> issued.

Arguments in this thread about which openssl binary is found first on
$PATH are kind of missing the point.  For pretty much all use cases,
it's not the openssl binary itself which is important, but the shared
libraries that come with it.

WITH_OPENSSL_PORT=yes means that any ports you build which use SSL
functions will be linked against the shlibs from the openssl port rather
than those from the base.  Like so:

% ldd /usr/local/sbin/opendkim
/usr/local/sbin/opendkim:
	libopendkim.so.6 => /usr/local/lib/libopendkim.so.6 (0x800839000)
	libar.so.2 => /usr/local/lib/libar.so.2 (0x800a55000)
	libmilter.so.4 => /usr/local/lib/libmilter.so.4 (0x800c5b000)
**-->	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
**-->	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x8010ce000)
	libthr.so.3 => /lib/libthr.so.3 (0x80148e000)
	libc.so.7 => /lib/libc.so.7 (0x8016b0000)

You can see that it is finding the libs it needs in /usr/local/lib
completely automatically.  No fiddling with paths or manual tweaking of
ldconfig required -- that's all handled within the ports at
build/install time.

Of course, after setting WITH_OPENSSL_PORT=yes you will need to
reinstall all your ports that use SSL functionality to get the benefit.

However, the bits of the base system that use SSL will still use the
version of openssl from the base:

% ldd /usr/sbin/named
/usr/sbin/named:
**-->	libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
	libthr.so.3 => /lib/libthr.so.3 (0x800db9000)
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x800fdb000)
	libc.so.7 => /lib/libc.so.7 (0x8011e8000)

If you disable building openssl in src.conf, then you stop any of the
utilities in the base being able to use crypto, which is on the whole a
very bad thing for security.  Not recommended.

If you're concerned that the version of openssl in the base (0.9.8x for
stable/9) appears outdated, don't be.  While this isn't the highest
available version from the openssl project, it still has all of the
security fixes applied to it.

Head has been upgraded to openssl-1.0.1c, which will be in the FreeBSD
10.x release series.  Upgrading earlier FreeBSD versions like that would
break the ABI stability rules, so it's not going to happen.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
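An added example, not from Matthew's post: a small sh function that encodes the check he is doing by eye with ldd(1). It reads ldd-style output and reports whether libssl/libcrypto resolve to the port's /usr/local/lib or the base system's /lib and /usr/lib, and also flags the case where a binary picks up one of each. The function names openssl_origin and check_binary are mine, and the sample listings are constructed from the two quoted in the post.

```shell
# Given ldd(1)-style output on stdin, report where libssl/libcrypto resolve:
#   port  - /usr/local/lib (WITH_OPENSSL_PORT=yes took effect for this binary)
#   base  - /lib or /usr/lib (the base system's OpenSSL)
#   mixed - one of each, i.e. two OpenSSL versions loaded into one process
#   none  - no OpenSSL shlibs linked at all
openssl_origin() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)   port = 1
            else if ($3 ~ /^\/(usr\/)?lib\//)  base = 1
        }
        END {
            if (port && base)  print "mixed"
            else if (port)     print "port"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Wrapper for a live FreeBSD host (hypothetical name): run ldd on a binary and
# classify it.  Not called below, since it needs the real ldd(1) and binary.
check_binary() {
    ldd "$1" 2>/dev/null | openssl_origin
}

# Constructed listings, modelled on the two ldd outputs quoted in the post.
opendkim_ldd='/usr/local/sbin/opendkim:
    libopendkim.so.6 => /usr/local/lib/libopendkim.so.6 (0x800839000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x8010ce000)
    libc.so.7 => /lib/libc.so.7 (0x8016b0000)'

named_ldd='/usr/sbin/named:
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
    libc.so.7 => /lib/libc.so.7 (0x8011e8000)'

# Constructed: a port binary pulling libssl from the port but libcrypto from
# base.  Reinstalling the SSL-using ports, as the post says, is what clears this.
stale_ldd='/usr/local/bin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)'

printf '%s\n' "$opendkim_ldd" | openssl_origin   # port
printf '%s\n' "$named_ldd"    | openssl_origin   # base
printf '%s\n' "$stale_ldd"    | openssl_origin   # mixed
```

On a real host, `check_binary /usr/local/sbin/opendkim` answers the question directly, and "mixed" is the result worth hunting for after flipping WITH_OPENSSL_PORT.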
