From owner-freebsd-ports@freebsd.org Mon Dec 28 00:58:53 2020 Return-Path: Delivered-To: freebsd-ports@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 519E04CCE16 for ; Mon, 28 Dec 2020 00:58:53 +0000 (UTC) (envelope-from rcarter@pinyon.org) Received: from h2.pinyon.org (h2.pinyon.org [65.101.20.170]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4D3zhD0qTDz4TZl for ; Mon, 28 Dec 2020 00:58:51 +0000 (UTC) (envelope-from rcarter@pinyon.org) Received: from [10.0.10.15] (unknown [10.0.10.15]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by h2.pinyon.org (Postfix) with ESMTPSA id 8ABE034998 for ; Sun, 27 Dec 2020 17:58:45 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pinyon.org; s=dkim; t=1609117125; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=n0x7NpqT3+MPPK57AgBMUbhYdECtU1xEzqVen52tl1M=; b=P+9Vm5iT20r5m8etLVB+EXKxkx0K3Wwgy/2/cscd3qHEFjy9kqoH3B8I2AgUAcf9q07T4R 3gcW71IwqJmMzVHFXqdFVcytFpvVnJXDwQpxhvzDOstvc2vuDiDfbrYyZNKFWFhQK6YG1A 5gOf5rBL6qRReouOwU2s3ZUo9fJe0zA= Subject: Re: Re-enabling old ciphers in openssl To: freebsd-ports@freebsd.org References: <7d31329e-aed5-3b24-a66e-43ef7d3dcbfa@prime.gushi.org> From: "Russell L. Carter" Message-ID: <6204eddd-d4c2-b7db-4690-e70c92170682@pinyon.org> Date: Sun, 27 Dec 2020 17:58:44 -0700 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101 Firefox/78.0 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <7d31329e-aed5-3b24-a66e-43ef7d3dcbfa@prime.gushi.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-6.01 X-Rspamd-Server: h2 X-Rspamd-Queue-Id: 4D3zhD0qTDz4TZl X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=pinyon.org header.s=dkim header.b=P+9Vm5iT; dmarc=none; spf=pass (mx1.freebsd.org: domain of rcarter@pinyon.org designates 65.101.20.170 as permitted sender) smtp.mailfrom=rcarter@pinyon.org X-Spamd-Result: default: False [-1.50 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[pinyon.org:s=dkim]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-ports@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[65.101.20.170:from:127.0.2.255]; DMARC_NA(0.00)[pinyon.org]; NEURAL_SPAM_SHORT(1.00)[1.000]; DKIM_TRACE(0.00)[pinyon.org:+]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RBL_DBL_DONT_QUERY_IPS(0.00)[65.101.20.170:from]; ASN(0.00)[asn:209, ipnet:65.101.0.0/18, country:US]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-ports]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Dec 2020 00:58:53 -0000 On 12/27/20 4:49 PM, Dan Mahoney (Gushi) wrote: > Hey there all. [...] > Here are the questions I can't seem to answer: > > 1) There's no make.conf entry to override the openssl ciphers.  This > needs to be done at the port level.  (Probably reasonable, I don't think > there should be an insecure "flavor")  But in the interest of making > things reproducible, is there a "Standard" way to keep this consistent > without running "make config" every time, or echo'ing options into > /var/db/ports/security-openssl/options? > > 2) I'm unclear as to what to put in make.conf to tell ONE PORT to use > the openssl from ports, while I want all the others to use base.  I know > this is in some cases askign for trouble, but the nagios plugins are > standalone binaries.  Is there some method in make.conf or on the port > command line to tell ONE PORT to use a defaults+=ssl-openssl without > making it the default for ALL PORTS? > > 3) If I do all that, ports seems to lack a standard way to build static > binaries, which is what I'd really like.  Is there an easy way to do > this, or is it best to work outside the ports system at that point? > > -Dan > Not judging. I am always in some sort of disagreement with the otherwise world-class ports+poudriere system of FreeBSD package management. Like, now, texlive. And I locally maintain a fluctuating group that occasionally has members migrate back into mainstream ports because my disagreement is no longer material. If I was in your situation, I would start with whatever version of openssl works best for the obsolete packages you want to link/plugin against. Stuff the source down into /usr/local/pkg/repo/openssl1, write some 15 liner shell scripts to configure, build, and install it to /usr/local/pkg/lib. In my experience one needs to fixup PREFIX and occasionally rpaths. Other hacks go into a git branch in the repo. Setup your path for your obsolete packages user account and off you go. (Could be some dependency hell in your future, I would keep it simple.) *or* Install an ancien version of FreeBSD that does what you want in a vm. No idea how to deal with the packages for that system, maybe it's trivial. This method is how I deal with Unifi software (on old debian versions) after battling the outdated "*" problem for years. Works great with bhyve. If I want a current version of something that doesn't work great in the obsolete version and is orthogonal to the support task at hand I generally just try to configure, build, and install it to... /usr/local/pkg in the vm Compared to dealing with this before, now my life is awesome. OMG I forgot FreeBSD => jails. I don't use jails but that would be the quickest route here I'm guessing. I am assuming here that you don't need any big frameworks, because then I doubt it would make sense at all to battle the problem this way. Good luck! Russell