From: bw
Date: Fri, 22 Mar 2013 11:51:32 +0100
To: freebsd-ports@freebsd.org
Subject: poudriere and WITH_OPENSSL_PORTS=YES
Message-ID: <514C37B4.1040207@gmail.com>
List-Id: Porting software to FreeBSD

What's the proper way to do it?

As far as I understand from googling around, and please correct me if I'm wrong, the way to compile ports with openssl is, first install openssl from ports, then add WITH_OPENSSL_PORTS=YES to make.conf, then compile everything that uses openssl. That is, with something like portmaster, not poudriere.

I tried adding WITH_OPENSSL_PORTS=YES to poudriere's make.conf, but it doesn't pull in openssl as a dependency. I suppose that is because it has to be already installed for the ports to see it at compile time and use that one instead of base. Which, I suppose, means that I should install openssl in poudriere's jail first and remember to upgrade it in that jail if needed before compiling stuff when it gets updated. Is that correct? Is there a better way?

The way I thought it was going to work is add WITH_OPENSSL_PORTS=YES to poudriere's make.conf then openssl will be considered a dependency for any port that uses it and treated as such by poudriere.

On a side note, might be totally unrelated but I don't have a better place to ask about it anyway, the reason I need to do this is because I have Nginx as a loadbalancing proxy talking to Apache backends over https. Apache is compiled with openssl from ports, while Nginx is compiled with base.
The problem is that when I try to load one of the https websites, I get a 502 Bad Gateway in Nginx and the following error in nginx-error.log:

    [error] 13004#0: *7 SSL_do_handshake() failed (SSL: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message) while SSL handshaking to upstream, client: XXX.XXX.XXX.XXX, server: ssl.enabled.site.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://YYY.YYY.YYY.YYY:443/favicon.ico", host: "ssl.enabled.site.example.com"

There's another set of Nginx' that are compiled with openssl from ports, just like Apache, and I don't get the error there.

The 'workaround' I found (http://code.google.com/p/googleappengine/issues/detail?id=5075) is to add

    proxy_ssl_session_reuse off;

to Nginx. This works, but I'd still like to know what is going on and why it works w/o that line on the Nginx servers compiled with the same version of openssl as Apache.

I can't see anything in Apache's logs, the load balancing is done through ip_hash, which means that I should talk to the same Apache server every time, and it happens even if all backends except one are marked as down in Nginx conf. The config files on all Nginx servers are identical.
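
Added example, not part of the original post: one way to confirm which OpenSSL a given nginx or Apache binary is really linked against is to classify its `ldd` output. It assumes the usual FreeBSD layout (base libraries under /lib and /usr/lib, ports under /usr/local/lib); the function names and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the OpenSSL linkage of a binary from `ldd` output read on stdin.
# Assumption: FreeBSD layout, base libs in /lib or /usr/lib, ports in /usr/local/lib.
# Prints one of: base, ports, mixed, none.
classify_openssl() {
    awk '
        # Only libssl/libcrypto lines; libcrypt.so (password hashing) must not match.
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)   ports = 1
            else if ($3 ~ /^(\/usr)?\/lib\//)  base = 1
        }
        END {
            if (ports && base) print "mixed"   # both trees loaded into one process
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"    # static build or no TLS support
        }'
}

# Constructed sample: a binary built against base OpenSSL.
sample_base_ldd() {
    printf '/usr/local/sbin/nginx:\n'
    printf '\tlibcrypt.so.5 => /lib/libcrypt.so.5 (0x800a00000)\n'
    printf '\tlibssl.so.6 => /usr/lib/libssl.so.6 (0x800c00000)\n'
    printf '\tlibcrypto.so.6 => /lib/libcrypto.so.6 (0x800e00000)\n'
    printf '\tlibc.so.7 => /lib/libc.so.7 (0x801200000)\n'
}

# Constructed sample: a binary built with WITH_OPENSSL_PORTS=YES.
sample_ports_ldd() {
    printf '/usr/local/sbin/httpd:\n'
    printf '\tlibssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)\n'
    printf '\tlibcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800e00000)\n'
    printf '\tlibc.so.7 => /lib/libc.so.7 (0x801200000)\n'
}

# Real use: pass binaries as arguments, e.g. sh check.sh /usr/local/sbin/nginx
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(ldd "$bin" | classify_openssl)"
    done
fi
```

Running it inside the poudriere-built package's target host (or jail) on both the proxy and backend binaries shows whether WITH_OPENSSL_PORTS=YES actually took effect for each build.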