From owner-freebsd-security@FreeBSD.ORG Mon Jun 1 01:38:59 2015
From: Don Lewis <truckman@FreeBSD.org>
Date: Sun, 31 May 2015 17:21:49 -0700 (PDT)
Subject: avoiding base openssl when building ports
To: freebsd-security@FreeBSD.org
Message-Id: <201506010138.t511cp2P088983@gw.catspoiler.org>
List-Id: "Security issues [members-only posting]"

After all the noise about base openssl vs. ports openssl on this list a couple of weeks ago, I bit the bullet and tossed WITH_OPENSSL_PORT=yes in poudriere.d/*-make.conf and kicked off a poudriere run. It chugged for quite a while and rebuilt lots of ports. After it was done, I ran pkg upgrade and was dismayed when I discovered that ldd told me that quite a few executables were linked to openssl in base. The big culprit turned out to be ftp/curl.

Even though WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and run dependency, it was silently getting linked to openssl from base. The cause of that problem is that the default GSSAPI_BASE option adds -L/usr/lib near the start of LDFLAGS, so the linker finds the base openssl libraries instead of the ones from the port. I worked around that problem by switching to GSSAPI_NONE, though I tested that the other GSSAPI_* options also work correctly. There is a sanity check in the Makefile that attempts to catch this conflict, but it does not work correctly. See .

After another poudriere run, which rebuilt the curl package and everything that depended on it, things were looking much better. Of my ~1300 installed ports, I only found two other problematic ports: www/links1 and security/nmap. The only remaining port that links to openssl in base is pkg, which I think is mandatory for chicken vs. egg reasons. I'm currently running with these updated ports and haven't run into any problems.
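The check described in the message above (walking installed packages with ldd and looking for libssl/libcrypto resolved from /usr/lib rather than /usr/local/lib) can be scripted so that it is repeatable after every poudriere run. The script below is an added example, not code from Don Lewis's mail or from the FreeBSD project. It assumes the FreeBSD layout of base libraries in /usr/lib and port libraries in /usr/local/lib, ldd(1) output lines of the form "libssl.so.7 => /usr/lib/libssl.so.7 (0x...)", and pkg-query(8)'s %n and %Fp format fields; the function names and the sample ldd output are constructed for illustration. It also reports a "mixed" verdict, which the mail does not mention, for a binary that pulls in one library from each location, since that is the case most likely to crash or misbehave at run time.

```shell
#!/bin/sh
# Added example (not from the original mail): find installed-package binaries whose
# libssl/libcrypto resolve to the base system (/usr/lib) instead of the port
# (/usr/local/lib), which is what WITH_OPENSSL_PORT=yes is supposed to prevent.
# Assumptions: FreeBSD paths, ldd(1) output such as
#   "\tlibssl.so.7 => /usr/lib/libssl.so.7 (0x...)", and pkg-query(8)'s %n / %Fp fields.

# Read ldd(1) output on stdin and print one word describing the OpenSSL linkage:
#   base  - libssl/libcrypto come from /usr/lib (the silently wrong case in the mail)
#   port  - they come from /usr/local/lib (the intended result)
#   mixed - one from each location (two OpenSSL copies in one process; worth flagging)
#   none  - the binary does not link OpenSSL at all
classify_ldd_output() {
    awk '
        /lib(ssl|crypto)\.so/ {
            # $3 is the resolved path in "libssl.so.7 => /usr/lib/libssl.so.7 (0x...)"
            if ($3 ~ /^\/usr\/lib\//)            base = 1
            else if ($3 ~ /^\/usr\/local\/lib\//) port = 1
        }
        END {
            if (base && port) print "mixed"
            else if (base)    print "base"
            else if (port)    print "port"
            else              print "none"
        }'
}

# Walk every file of every installed package, run ldd on the ELF objects, and print
# "<pkg> <path> <verdict>" for anything that is not cleanly "port" or "none".
# pkg itself is skipped: as the mail notes, it has to link base OpenSSL for
# bootstrapping (chicken-and-egg) reasons.
report_base_openssl_linkage() {
    pkg query -a '%n %Fp' | while read -r pkgname path; do
        [ "$pkgname" = pkg ] && continue
        [ -f "$path" ] || continue
        # Only ELF objects are worth an ldd call; scripts and data files would just error.
        case "$(file -b "$path" 2>/dev/null)" in
            ELF*) ;;
            *) continue ;;
        esac
        verdict=$(ldd "$path" 2>/dev/null | classify_ldd_output)
        case "$verdict" in
            base|mixed) printf '%s %s %s\n' "$pkgname" "$path" "$verdict" ;;
        esac
    done
}

# Constructed ldd output (not captured from a real system): the curl case from the
# mail (base), a correctly linked binary (port), and one without OpenSSL (none).
SAMPLE_BASE='/usr/local/bin/curl:
	libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800820000)
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'
SAMPLE_PORT='/usr/local/bin/curl:
	libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800820000)
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'
SAMPLE_MIXED='/usr/local/bin/example:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
	libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)'
SAMPLE_NONE='/usr/local/bin/links:
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Run the full scan only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--scan" ]; then
    report_base_openssl_linkage
fi
```

Run it as `sh check-openssl-linkage.sh --scan` on the machine after `pkg upgrade`; an empty report means every package except pkg links the port's OpenSSL. A "mixed" line deserves the same treatment as "base": rebuild the port with its LDFLAGS ordering fixed rather than accepting it.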