From owner-freebsd-ports@freebsd.org  Wed Nov 30 19:28:31 2016
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E65B3C5D1D4
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Wed, 30 Nov 2016 19:28:31 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id D5A3511BE
 for <freebsd-ports@freebsd.org>; Wed, 30 Nov 2016 19:28:31 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: by mailman.ysv.freebsd.org (Postfix)
 id D20B0C5D1D3; Wed, 30 Nov 2016 19:28:31 +0000 (UTC)
Delivered-To: ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D1A8FC5D1D2
 for <ports@mailman.ysv.freebsd.org>; Wed, 30 Nov 2016 19:28:31 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 9C92111BD
 for <ports@freebsd.org>; Wed, 30 Nov 2016 19:28:31 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2])
 by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id uAUJSIsp021684;
 Wed, 30 Nov 2016 11:28:22 -0800 (PST)
 (envelope-from truckman@FreeBSD.org)
Message-Id: <201611301928.uAUJSIsp021684@gw.catspoiler.org>
Date: Wed, 30 Nov 2016 11:28:18 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
Subject: Re: Breaking SSL options:  Which to use to build 1000 ports?
To: jhs@berklix.com
cc: ports@freebsd.org
In-Reply-To: <201611301835.uAUIZbxF037904@fire.js.berklix.net>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 19:28:32 -0000

On 30 Nov, Julian H. Stacey wrote:
> Hi ports@freebsd.org
> Advice Please: 
> I need some SSL settings I can compile 1000 ports with.
> I dont care which SSL.  (Any of eg base from src/ or any from devel/ )
> I dont care if SSL fails to run on most ports.
> I need 1000 ports to compile & install, & stop wasting my time with SSL.
> SSL will not even be used in most cases,
> Here's a small subset of ever growing DUDS= fail to build because of SSL:
> 	arandr fetchmail fvwm2 xf86-input-keyboard xf86-input-mouse
> 	xf86-video-chips xf86-video-fbdev xf86-video-neomagic
> 	xf86-video-vesa xorg xorg-apps xorg-server
> 
> I make ports from sources, never packages, using ports/*/Makefile.local
> with SUBDIR+= ports_i_want
> 
> I purged some old old duplicate bins & libs, & now need to do eg
> 	cd /usr/ports ; make BERKLIX_CLIENT=YES BERKLIX_SERVER=YES install 
> Lots of ports fail to build, no matter which SSL options I try,
> currently (with make.conf below) I'm seeing a dependent port eg:
> 	cd /usr/ports/security/p5-GSSAPI ; make
> ===>  p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
> GSSAPI from base, please select another GSSAPI value.
> 
> I can't revert to src/ base as loads of ports want devel/openssl
> 	pkg delete openssl-1.0.2j_1,1 # Number of packages to be removed: 149
> 
> FreeBSD's SSL defaults seem a mess : complex, breaking on loads
> of ports, inadequately documented, insufficiently clear error messages.
> 
> My current /etc/make.conf:
> ----------------
> # GSSAPI: Generic Security Services Application Program Interface
> # http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
> # /usr/ports/Mk/Uses/gssapi.mk:
> #       You are using OpenSSL from ports and have selected
> #       GSSAPI from base, please select another GSSAPI value.
> # cd /usr/ports/security/openssl; echo ../*ssl*
> # SSL_DEFAULT=base # Disapproved of by
> #       /usr/ports/Mk/bsd.default-versions.mk
> # which instead reccomends:
> #       DEFAULT_VERSIONS+=ssl=base
> #       DEFAULT_VERSIONS+=ssl=openssl
> #       Possible values: base, openssl, openssl-devel, libressl, libressl-devel
> # & also has:
> #       WITH_OPENSSL_*
> DEFAULT_VERSIONS+=ssl=openssl
> # WITH_OPENSSL="YES"
> # WITH_OPENSSL="openssl"
> # WITH_OPENSSL_PORT="YES"
> # WITH_OPENSSL_PORT="openssl"
> # SEE ALSO
> #       /etc/src.conf  (used only by src/),
> #                       whereas this make.conf used by both src/ & ports/.
> #       https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
> #               WITH_OPENSSL_PORT WITH_OPENSSL_BASE
> #       man 7 ports
> #       /usr/ports/Mk/Uses/gssapi.mk
> ----------------
> 
> Advice welcome, Thanks !

This is what I use in /etc/make.conf to build ports with openssl from
ports:

WITH_OPENSSL_PORT=yes
DEFAULT_VERSIONS+=ssl=openssl
OPTIONS_SET=GSSAPI_NONE KRB_NONE
OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS

The GSSAPI and KERBEROS adjustments are needed because openssl from
ports can't be combined with base gssapi / kerberos.  GSSAPI_HEIMDAL or
GSSAPI_MIT should also work, likewise KRB_HEIMDAL or KRB_MIT.