Message-Id: <201612010137.uB11b7qL064699@fire.js.berklix.net>
To: ports@FreeBSD.org
cc: Don Lewis, Mathieu Arnold
Subject: Re: Breaking SSL options: Which to use to build 1000 ports?
From: "Julian H. Stacey"
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Wed, 30 Nov 2016 11:28:18 -0800." <201611301928.uAUJSIsp021684@gw.catspoiler.org>
Date: Thu, 01 Dec 2016 02:37:07 +0100

Don Lewis wrote:
> On 30 Nov, Julian H. Stacey wrote:
> > Hi ports@freebsd.org
> > Advice Please:
> > I need some SSL settings I can compile 1000 ports with.
> > I don't care which SSL. (Any of eg base from src/ or any from devel/ )
> > I don't care if SSL fails to run on most ports.
> > I need 1000 ports to compile & install, & stop wasting my time with SSL.
> > SSL will not even be used in most cases,
> > Here's a small subset of ever growing DUDS= fail to build because of SSL:
> > arandr fetchmail fvwm2 xf86-input-keyboard xf86-input-mouse
> > xf86-video-chips xf86-video-fbdev xf86-video-neomagic
> > xf86-video-vesa xorg xorg-apps xorg-server
> >
> > I make ports from sources, never packages, using ports/*/Makefile.local
> > with SUBDIR+= ports_i_want
> >
> > I purged some old old duplicate bins & libs, & now need to do eg
> > cd /usr/ports ; make BERKLIX_CLIENT=YES BERKLIX_SERVER=YES install
> > Lots of ports fail to build, no matter which SSL options I try,
> > currently (with make.conf below) I'm seeing a dependent port eg:
> > cd /usr/ports/security/p5-GSSAPI ; make
> > ===> p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
> > GSSAPI from base, please select another GSSAPI value.
> >
> > I can't revert to src/ base as loads of ports want devel/openssl
> > pkg delete openssl-1.0.2j_1,1 # Number of packages to be removed: 149
> >
> > FreeBSD's SSL defaults seem a mess : complex, breaking on loads
> > of ports, inadequately documented, insufficiently clear error messages.
> >
> > My current /etc/make.conf:
> > ----------------
> > # GSSAPI: Generic Security Services Application Program Interface
> > # http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
> > # /usr/ports/Mk/Uses/gssapi.mk:
> > # You are using OpenSSL from ports and have selected
> > # GSSAPI from base, please select another GSSAPI value.
> > # cd /usr/ports/security/openssl; echo ../*ssl*
> > # SSL_DEFAULT=base # Disapproved of by
> > # /usr/ports/Mk/bsd.default-versions.mk
> > # which instead recommends:
> > # DEFAULT_VERSIONS+=ssl=base
> > # DEFAULT_VERSIONS+=ssl=openssl
> > # Possible values: base, openssl, openssl-devel, libressl, libressl-devel
> > # & also has:
> > # WITH_OPENSSL_*
> > DEFAULT_VERSIONS+=ssl=openssl
> > # WITH_OPENSSL="YES"
> > # WITH_OPENSSL="openssl"
> > # WITH_OPENSSL_PORT="YES"
> > # WITH_OPENSSL_PORT="openssl"
> > # SEE ALSO
> > # /etc/src.conf (used only by src/),
> > # whereas this make.conf used by both src/ & ports/.
> > # https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
> > # WITH_OPENSSL_PORT WITH_OPENSSL_BASE
> > # man 7 ports
> > # /usr/ports/Mk/Uses/gssapi.mk
> > ----------------
> >
> > Advice welcome, Thanks !
>
> This is what I use in /etc/make.conf to build ports with openssl from
> ports:
>
> WITH_OPENSSL_PORT=yes
> DEFAULT_VERSIONS+=ssl=openssl
> OPTIONS_SET=GSSAPI_NONE KRB_NONE
> OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS
>
> The GSSAPI and KERBEROS adjustments are needed because openssl from
> ports can't be combined with base gssapi / kerberos. GSSAPI_HEIMDAL or
> GSSAPI_MIT should also work, likewise KRB_HEIMDAL or KRB_MIT.

Valuable magic ! Saved me lots of time, Thanks Don !

I also added
WITHOUT_KERBEROS="TRUE"
to /etc/src.conf & removed
/usr/lib/
libgssapi.a libgssapi_ntlm.so.10 libkrb5.so.11
libgssapi.so libgssapi_ntlm_p.a libkrb5_p.a
libgssapi.so.10 libgssapi_p.a librpcsec_gss.a
libgssapi_krb5.a libgssapi_spnego.a librpcsec_gss.so
libgssapi_krb5.so libgssapi_spnego.so librpcsec_gss.so.1
libgssapi_krb5.so.10 libgssapi_spnego.so.10 pam_krb5.so
libgssapi_krb5_p.a libgssapi_spnego_p.a pam_krb5.so.6
libgssapi_ntlm.a libkrb5.a
libgssapi_ntlm.so libkrb5.so
/usr/include/
krb5/ krb5-protos.h krb5.h krb5_ccapi.h openssl/ krb5-private.h krb5-types.h krb5_asn1.h krb5_err.h
& ldconfig -R

I seem to be making some progress now, Thanks :-)

Maybe we could have a handbook section for it starting from the above
to help people, without arousing the ire of people Mathieu Arnold
referred to ?

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich
Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
http://berklix.eu/brexit/#stolen_votes
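
The rule given in the reply above (OpenSSL from ports cannot be combined with base GSSAPI / Kerberos) can be checked against a make.conf before a long build is started. The sh script below is an added example, not part of the thread or of the ports framework: the function names and the two sample files are constructed here, and it assumes that only literal assignments in the file matter, so it reports whether the file follows the quoted recipe, not whether every port will build.

```sh
#!/bin/sh
# Added example (not from the thread): lint a make.conf against the recipe above.
# Assumption: only literal, uncommented "VAR=" / "VAR+=" lines are read;
# make(1) conditionals, includes and per-port options are not evaluated.

# conf_words VAR FILE: print every word assigned to VAR, one per line.
conf_words() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*+\{0,1\}=//p" "$2" |
        sed 's/#.*//' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# has_word WORD VAR FILE: true if WORD is among the words assigned to VAR.
has_word() { conf_words "$2" "$3" | grep -qxF -- "$1"; }

# check_make_conf FILE: return 0 if FILE follows the recipe, 1 otherwise.
check_make_conf() {
    ssl=$(conf_words DEFAULT_VERSIONS "$1" | sed -n 's/^ssl=//p' | tail -n 1)
    if [ "${ssl:-base}" = base ]; then echo "ok: SSL from base"; return 0; fi
    rc=0
    for kind in GSSAPI KRB; do
        has_word "${kind}_BASE" OPTIONS_UNSET "$1" ||
            { echo "missing: OPTIONS_UNSET+=${kind}_BASE"; rc=1; }
        alt=no
        for impl in NONE HEIMDAL MIT; do
            if has_word "${kind}_${impl}" OPTIONS_SET "$1"; then alt=yes; fi
        done
        [ "$alt" = yes ] ||
            { echo "missing: OPTIONS_SET+=${kind}_NONE (or _HEIMDAL, _MIT)"; rc=1; }
    done
    has_word KERBEROS OPTIONS_UNSET "$1" ||
        { echo "missing: OPTIONS_UNSET+=KERBEROS"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "ok: ssl=$ssl, no base GSSAPI/Kerberos"; fi
    return "$rc"
}

# Constructed sample inputs: the two configurations quoted in the thread.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# DEFAULT_VERSIONS+=ssl=base' 'DEFAULT_VERSIONS+=ssl=openssl' \
    > "$tmp/before.conf"
printf '%s\n' 'WITH_OPENSSL_PORT=yes' 'DEFAULT_VERSIONS+=ssl=openssl' \
    'OPTIONS_SET=GSSAPI_NONE KRB_NONE' \
    'OPTIONS_UNSET=GSSAPI_BASE KRB_BASE KERBEROS' > "$tmp/after.conf"
for name in before after; do
    echo "== $name.conf"
    check_make_conf "$tmp/$name.conf" || echo "-> does not follow the recipe"
done
```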