From owner-freebsd-security@freebsd.org  Fri Dec 18 12:56:05 2015
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3D43CA4AEE9
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Fri, 18 Dec 2015 12:56:05 +0000 (UTC) (envelope-from dan@obluda.cz)
Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz
 [IPv6:2001:718:1e03:801::4])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id D0A25181D
 for <freebsd-security@freebsd.org>; Fri, 18 Dec 2015 12:56:04 +0000 (UTC)
 (envelope-from dan@obluda.cz)
X-SubmittedBy: id 100000045929 subject
 /DC=org/DC=terena/DC=tcs/C=CZ/O=Charles+20University+20in+20Prague/CN=Dan+20Lukes+20100000045929+20332603
 issued by
 /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20eScience+20Personal+20CA+203
 auth type TLS.MFF
Received: from [10.20.12.2] ([194.108.204.138]) (authenticated)
 by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id tBICtxEV060579
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK)
 for <freebsd-security@freebsd.org>; Fri, 18 Dec 2015 13:56:00 +0100 (CET)
 (envelope-from dan@obluda.cz)
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
To: freebsd-security <freebsd-security@freebsd.org>
References: <loom.20151218T123930-865@post.gmane.org>
 <5673FB3B.2010201@freebsd.org>
From: Dan Lukes <dan@obluda.cz>
Message-ID: <56740260.1010308@obluda.cz>
Date: Fri, 18 Dec 2015 13:56:00 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101
 Firefox/42.0 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <5673FB3B.2010201@freebsd.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 12:56:05 -0000

On 18.12.2015 13:25, Matthew Seaman wrote:
> Generally I find that setting 'WITH_OPENSSL_PORT=yes' is the route to crypto happiness in the ports.

Definitely. But beware of applications using system Kerberos libraries 
(it use system's OpenSSL).

If an application import library A that depend on system's OpenSSL and 
library B that depend on port's OpenSSL the troubles are imminent.

Dan