From: "Toomas Aas"
Organization: Tartu City Government
To: freebsd-questions@freebsd.org
Date: Tue, 14 Oct 2003 16:37:10 +0300
Subject: ignoring openssl port

Hello!

On Mon, 4 Aug 2003 14:48:38 +0300, I wrote:

> Some of my machines were running RELENG_4_7 when I installed ports such
> as apache13_modssl and cyrus-imapd on them. Since that version of
> FreeBSD had OpenSSL 0.9.6 in the base system and these ports required
> 0.9.7, I ended up with openssl port installed on these systems.

> Now that I'm upgrading to RELENG_4_8, which includes OpenSSL 0.9.7, I
> want to get rid of the port. It would just feel cleaner to not have
> multiple versions of same libraries in /usr/lib and /usr/local/lib.

Among several recommendations of how to get rid of the port, the best one seemed to be from Matthew Seaman: define WITH_OPENSSL_BASE=yes, rebuild the dependent ports (make build while the old port is still running), and then "make install" the port. Then remove the OpenSSL port.

Back then I decided that I can live with both base and port version of OpenSSL installed, and I decided not to spend time on following this advice. Now, in light of recent OpenSSL security advisories, something needs to be done. I have upgraded the base system to 4.8-RELEASE-p13, so the base OpenSSL should be safe. I have two options right now:

(1) upgrade the port
(2) get rid of the port, leaving only the base system OpenSSL installed (what I wanted to do back in August)

I'd like to use option (2), so I tried to follow Matthew Seaman's advice. I put WITH_OPENSSL_BASE=yes into /etc/make.conf and tried to run 'make build' in /usr/ports/www/apache13-modssl. This resulted in the following message:

    This port wants the OpenSSL library from the FreeBSD
    base system. You can't build against it, while a newer
    Version is installed by a port.
    Please deinstall the port or undefine WITH_OPENSSL_BASE.

I found the place which causes this message in /usr/ports/Mk/bsd.port.mk:

    .if exists(${LOCALBASE}/lib/libcrypto.so)
    .BEGIN:
        @${ECHO_CMD} "This port wants the OpenSSL library from the FreeBSD"
        @${ECHO_CMD} "base system. You can't build against it, while a newer"
        @${ECHO_CMD} "Version is installed by a port."
        @${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
        @${FALSE}
    .endif

Looking at this while not being a Makefile guru, it seems to me that this merely checks if /usr/local/lib/libcrypto.so exists and if it does then the port build process is halted with the message. But this would mean that WITH_OPENSSL_BASE cannot be used at all if the port is installed. If that were true, there wouldn't be any point in having this variable in the first place, so I must be overlooking something.

Anyway, I tried commenting out the above passage in /usr/ports/Mk/bsd.port.mk and rebuilding another port which depends on OpenSSL, namely /usr/ports/ftp/wget. I checked with ldd /usr/local/bin/wget before and after installing and this showed that now I indeed have wget linked against /usr/lib/libssl.so.3, whereas before it was linked against /usr/local/lib/libssl.so.3.

Before I try the same with apache13-modssl port, I just wanted to verify if commenting out the above passage in /usr/ports/Mk/bsd.port.mk can cause any unforeseen damage.

Sorry for the long message. When I started out I didn't realise that it takes so many keystrokes to word such a simple question ;-)

--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Key ring - a handy little gadget that allows you to lose all your keys at once.
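
The ldd comparison described in the message, generalized into an audit over whole directories so that binaries still loading the port's OpenSSL can be found before the port is removed. This is an added example, not part of the original message; the function names and the sample ldd output are constructed, and the paths /usr/lib and /usr/local/lib are the ones the message mentions.

```shell
# Added example; function names and sample ldd output are constructed.
LOCALBASE=${LOCALBASE:-/usr/local}

# Read ldd output on stdin; print where libssl/libcrypto resolve from:
# port (under $LOCALBASE/lib), base (/usr/lib), mixed (both), or none.
classify_ssl_links() {
    awk -v lb="$LOCALBASE/lib/" '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            if (index($3, lb) == 1) port++
            else if (index($3, "/usr/lib/") == 1) base++
        }
        END { if (port && base) print "mixed"
              else if (port) print "port"
              else if (base) print "base"
              else print "none" }'
}

# List executables in the given directories that still load the port's
# OpenSSL, fully or partly (mixed means libssl and libcrypto disagree).
report_port_linked() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            v=$(ldd "$f" 2>/dev/null | classify_ssl_links)
            case $v in port|mixed) printf '%s\t%s\n' "$v" "$f" ;; esac
        done
    done
}

sample_before() {  # constructed: linked against the port's OpenSSL
    cat <<'EOF'
/usr/local/bin/wget:
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x2807c000)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280ab000)
    libc.so.4 => /usr/lib/libc.so.4 (0x281a2000)
EOF
}

sample_after() {   # constructed: same binary rebuilt against base
    sample_before | sed 's|=> /usr/local/lib/|=> /usr/lib/|'
}

# With directory arguments, audit real binaries; otherwise show the samples.
if [ $# -gt 0 ]; then
    report_port_linked "$@"
else
    echo "before: $(sample_before | classify_ssl_links)"
    echo "after:  $(sample_after | classify_ssl_links)"
fi
```

A "mixed" verdict is the case to watch for: a binary that picks up libssl from one location and libcrypto from the other is loading two different OpenSSL builds at once.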