From: Don Lewis
Date: Wed, 30 Nov 2016 11:28:18 -0800 (PST)
Message-Id: <201611301928.uAUJSIsp021684@gw.catspoiler.org>
Subject: Re: Breaking SSL options: Which to use to build 1000 ports?
To: jhs@berklix.com
cc: ports@freebsd.org
In-Reply-To: <201611301835.uAUIZbxF037904@fire.js.berklix.net>

On 30 Nov, Julian H. Stacey wrote:
> Hi ports@freebsd.org
> Advice Please:
> I need some SSL settings I can compile 1000 ports with.
> I don't care which SSL. (Any of eg base from src/ or any from devel/ )
> I don't care if SSL fails to run on most ports.
> I need 1000 ports to compile & install, & stop wasting my time with SSL.
> SSL will not even be used in most cases,
> Here's a small subset of ever growing DUDS= fail to build because of SSL:
>   arandr fetchmail fvwm2 xf86-input-keyboard xf86-input-mouse
>   xf86-video-chips xf86-video-fbdev xf86-video-neomagic
>   xf86-video-vesa xorg xorg-apps xorg-server
>
> I make ports from sources, never packages, using ports/*/Makefile.local
> with SUBDIR+= ports_i_want
>
> I purged some old old duplicate bins & libs, & now need to do eg
>   cd /usr/ports ; make BERKLIX_CLIENT=YES BERKLIX_SERVER=YES install
> Lots of ports fail to build, no matter which SSL options I try,
> currently (with make.conf below) I'm seeing a dependent port eg:
>   cd /usr/ports/security/p5-GSSAPI ; make
>   ===> p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
>   GSSAPI from base, please select another GSSAPI value.
>
> I can't revert to src/ base as loads of ports want devel/openssl
>   pkg delete openssl-1.0.2j_1,1 # Number of packages to be removed: 149
>
> FreeBSD's SSL defaults seem a mess : complex, breaking on loads
> of ports, inadequately documented, insufficiently clear error messages.
>
> My current /etc/make.conf:
> ----------------
> # GSSAPI: Generic Security Services Application Program Interface
> # http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
> # /usr/ports/Mk/Uses/gssapi.mk:
> # You are using OpenSSL from ports and have selected
> # GSSAPI from base, please select another GSSAPI value.
> # cd /usr/ports/security/openssl; echo ../*ssl*
> # SSL_DEFAULT=base # Disapproved of by
> # /usr/ports/Mk/bsd.default-versions.mk
> # which instead recommends:
> # DEFAULT_VERSIONS+=ssl=base
> # DEFAULT_VERSIONS+=ssl=openssl
> # Possible values: base, openssl, openssl-devel, libressl, libressl-devel
> # & also has:
> # WITH_OPENSSL_*
> DEFAULT_VERSIONS+=ssl=openssl
> # WITH_OPENSSL="YES"
> # WITH_OPENSSL="openssl"
> # WITH_OPENSSL_PORT="YES"
> # WITH_OPENSSL_PORT="openssl"
> # SEE ALSO
> # /etc/src.conf (used only by src/),
> # whereas this make.conf used by both src/ & ports/.
> # https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
> # WITH_OPENSSL_PORT WITH_OPENSSL_BASE
> # man 7 ports
> # /usr/ports/Mk/Uses/gssapi.mk
> ----------------
>
> Advice welcome, Thanks !

This is what I use in /etc/make.conf to build ports with openssl from ports:

WITH_OPENSSL_PORT=yes
DEFAULT_VERSIONS+=ssl=openssl
OPTIONS_SET=GSSAPI_NONE KRB_NONE
OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS

The GSSAPI and KERBEROS adjustments are needed because openssl from ports can't be combined with base gssapi / kerberos. GSSAPI_HEIMDAL or GSSAPI_MIT should also work, likewise KRB_HEIMDAL or KRB_MIT.
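
A pre-build check for the constraint described in the reply above, added here as an example; it is not part of the original message or of the ports framework. The function names (`words`, `has`, `check_make_conf`) and the sample files are assumptions made for illustration, and the rule it applies is only the one the thread shows: SSL from ports together with a base GSSAPI/KRB option.

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic only: "=" and "+=" are both
# accumulated; make's override rules and .if blocks are not modelled.

# words VAR FILE: print every word assigned to VAR, one per line
words() {
    awk -v var="$1" '
        { sub(/#.*/, "") }    # drop comments, so commented-out settings are ignored
        match($0, "^[ \t]*" var "[ \t]*[+?:]?=") { print substr($0, RLENGTH + 1) }
    ' "$2" | tr -d '"' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# has WORD VAR FILE: succeed if WORD is one of the words assigned to VAR
has() { words "$2" "$3" | grep -qxF -- "$1"; }

# check_make_conf FILE: 0 = consistent, 1 = ports SSL may meet base GSSAPI/KRB
check_make_conf() {
    conf=$1; ssl=base; rc=0
    for w in $(words DEFAULT_VERSIONS "$conf"); do
        case $w in ssl=*) ssl=${w#ssl=} ;; esac
    done
    if [ "$ssl" = base ] && [ -z "$(words WITH_OPENSSL_PORT "$conf")" ]; then
        echo "$conf: SSL from base, nothing to check"
        return 0
    fi
    for opt in GSSAPI_BASE KRB_BASE; do
        if has "$opt" OPTIONS_SET "$conf"; then
            echo "$conf: $opt is in OPTIONS_SET but SSL comes from ports"; rc=1
        elif ! has "$opt" OPTIONS_UNSET "$conf"; then
            echo "$conf: $opt is not in OPTIONS_UNSET; ports defaulting to it may refuse to build"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: ssl=openssl alone, then the settings from the reply.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'DEFAULT_VERSIONS+=ssl=openssl' > "$d/before.conf"
    printf '%s\n' 'WITH_OPENSSL_PORT=yes' 'DEFAULT_VERSIONS+=ssl=openssl' \
        'OPTIONS_SET=GSSAPI_NONE KRB_NONE' \
        'OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS' > "$d/after.conf"
    check_make_conf "$d/before.conf" || echo "before.conf: conflict possible"
    check_make_conf "$d/after.conf" && echo "after.conf: consistent"
    rm -rf "$d"
}
demo
```

Running it against a real /etc/make.conf before a long bulk build surfaces the mismatch up front instead of partway through the dependency tree.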