From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: Forcing use of newer version of OpenSSL
Date: Tue, 15 Sep 2015 18:00:49 +0100
Message-ID: <55F84EC1.3090908@freebsd.org>
In-Reply-To: <20150915123306.55760c0d@seibercom.net>

On 09/15/15 17:33, Jerry wrote:
> I have both OpenSSL 1.0.1l-freebsd 15 Jan 2015 {located in /usr/bin} and
> OpenSSL 1.0.2d 9 Jul 2015 {located in /usr/local/bin} residing on my system.
> Now, I want to use and hopefully link programs against the "port", ie, newer
> version. If I adjust the path to use "/usr/local/bin" first, some programs
> fail to build. I discovered this a few months ago and received that bit of
> knowledge on this forum. I therefore changed the path so "/usr/bin" goes
> before "/usr/local/bin". That has the effect of causing the older version of
> OpenSSL being used.
>
> Other than permanently changing the path, and then changing it back when a
> build fails, how can I permanently fix this problem? IMHO, the newer version
> should permanently overwrite the older version. I don't need or want two
> versions. Since the older version comes with the base system, I am hesitant
> to try and remove it. In a perfect world, the base system would be updated,
> but I guess that is not going to happen anytime soon.

For anything you want to compile from ports, just add:

    WITH_OPENSSL_PORT= yes

to /etc/make.conf (or /usr/local/etc/poudriere.d/make.conf if you're
using poudriere).

Additionally you have to be careful of some ports that have GSSAPI
options -- don't enable GSSAPI support from the base system, or you'll
end up with a binary linked against two different versions of OpenSSL
libraries. Apart from that, the ports openssl is pretty much a drop-in
replacement.

For stuff you're compiling yourself, outside of ports, you need to force
your compilation to use the appropriate -I (for include files) and -L
(for libraries) search paths when compiling C code. How to do this is
specific to the compilation system used by whatever code you're trying
to compile.

It's not feasible to remove openssl from base -- too much stuff in base
needs it -- nor is it feasible to overwrite the base openssl with the
ports version -- the ABIs have changed between the two versions.

I believe the ultimate plan is to make the base version of openssl a
private library and require all ported software to use the ports version
of openssl, but that is for future implementation.

Cheers,

Matthew
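
Added example (not part of Matthew's message): a POSIX sh check over ldd output for the failure the reply warns about, a binary that ends up linked against both the base and the ports OpenSSL libraries. The sample ldd output, the library version numbers, the example binary path and app.c are constructed, and treating every path under /usr/local/ as "ports" and everything else as "base" is an assumption.

```shell
#!/bin/sh
# Added example. Outside ports, the -I/-L advice looks like this for a
# hypothetical app.c:
#   cc -I/usr/local/include -L/usr/local/lib -o app app.c -lssl -lcrypto

# Read ldd-style output ("name => /path (0xaddr)") on stdin and print one
# verdict: none, base, ports, or mixed (OpenSSL loaded from both places).
# Assumption: paths under /usr/local/ are ports, everything else is base.
check_openssl_linkage() {
    awk '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            origin = ($3 ~ /^\/usr\/local\//) ? "ports" : "base"
            seen[origin] = 1
        }
        END {
            if (("base" in seen) && ("ports" in seen)) print "mixed"
            else if ("ports" in seen) print "ports"
            else if ("base" in seen) print "base"
            else print "none"
        }'
}

# Convenience wrapper for a real binary on the system being checked.
check_binary() {
    ldd "$1" | check_openssl_linkage
}

# Constructed sample: built against the ports OpenSSL, but a base GSSAPI
# library drags in the base libcrypto as an indirect dependency.
SAMPLE_MIXED='/usr/local/bin/example:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x801000000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x801200000)
	libc.so.7 => /lib/libc.so.7 (0x801600000)'

# Constructed sample: the same binary with base GSSAPI left disabled.
SAMPLE_PORTS='/usr/local/bin/example:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801600000)'

printf 'mixed sample: %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | check_openssl_linkage)"
printf 'ports sample: %s\n' "$(printf '%s\n' "$SAMPLE_PORTS" | check_openssl_linkage)"
```

On a live system, `check_binary /path/to/binary` gives the same verdict for an installed program; because ldd also lists indirect dependencies, a base libcrypto pulled in through another library is caught too.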