Date: Thu, 27 Feb 2020 11:52:06 -0800
From: Pete Wright <pete@nomadlogic.org>
To: Willem Jan Withagen <wjw@digiware.nl>, Miroslav Lachman <000.fbsd@quip.cz>, "ports@freebsd.org" <ports@freebsd.org>
Subject: Re: About protocols in openssl
Message-ID: <be596e5a-c136-cd3f-d634-f19558ac25ff@nomadlogic.org>
In-Reply-To: <75330ed3-5f85-ea63-b8df-c73b5426b5a8@digiware.nl>
References: <f7d98734-20dd-5ee7-b8b9-6ebc69603cb7@digiware.nl> <d7673dcd-467a-25ce-bca7-21cd74bf1777@quip.cz> <75330ed3-5f85-ea63-b8df-c73b5426b5a8@digiware.nl>

On 2020-02-27 11:42, Willem Jan Withagen wrote:
> On 27-2-2020 20:25, Miroslav Lachman wrote:
>> Willem Jan Withagen wrote on 2020/02/27 20:00:
>>> Hi,
>>>
>>> My ceph port uses all kinds of python stuff, and now the trouble is
>>> that I'm getting
>>> an error on missing:
>>>     SSLv3_client_method
>>>
>>> Which I guess, is because in the current openssl libs SSLv3 is
>>> disabled.
>>> And I sort of get this, SSLv3 is unsafe.
>>>
>>> But I need it to be able to run parts of the ceph port.
>>>
>>> So how do I get an openssl lib dependency that has SSLv3 enabled.
>>
>> You can build OpenSSL 1.1.1 from the ports where you can enable SSLv3
>> in the options dialog.
>>
>> https://www.freshports.org/security/openssl/
>>
>> The defaults are:
>> ====> Protocol Support
>>     NEXTPROTONEG=on: Next Protocol Negotiation (SPDY)
>>     SCTP=on: SCTP (Stream Control Transmission)
>>     SSL3=off: SSLv3 (unsafe)
>>     TLS1=on: TLSv1.0 (requires TLS1_1, TLS1_2)
>>     TLS1_1=on: TLSv1.1 (requires TLS1_2)
>>     TLS1_2=on: TLSv1.2
>
> Yup, this is what I did, and that works.
> But how do I do that for a port? And then make sure that the installer
> of the ceph-package gets an openssl that had SSLv3

It may be best to build an internal package with the options you need
configured accordingly. I do this via poudriere for some of my internal
software. For example I have this file on my package builder:

/usr/local/etc/poudriere.d/make.conf

which contains the following:

x11-servers_xorg-server_SET=FIXDRM

I think this matches the same format of make.conf you would use if
building the ports tree locally.

-pete

-- 
Pete Wright
pete@nomadlogic.org
@nomadlogicLA
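
A check for the condition behind the `SSLv3_client_method` error discussed in this thread, as an added example that is not part of the original messages: it loads libssl through ctypes and reports whether the SSLv3 entry points are exported, so a packager can confirm what a built OpenSSL package actually provides. The function names and the optional library path argument are assumptions of this example.

```python
import ctypes
import ctypes.util
import sys

# Entry points named in the thread's error, plus the version-flexible
# method that OpenSSL 1.1.0 and later export regardless of SSLv3 support.
SYMBOLS = (
    "SSLv3_client_method",
    "SSLv3_server_method",
    "SSLv3_method",
    "TLS_client_method",
)


def symbol_report(lib, names=SYMBOLS):
    """Map each symbol name to True/False: does `lib` export it?

    ctypes resolves a symbol on attribute access and raises AttributeError
    when the shared object does not export it, so hasattr() is sufficient.
    """
    return {name: hasattr(lib, name) for name in names}


def load_libssl(path=None):
    """Load libssl from an explicit path, or the one the linker would find."""
    path = path or ctypes.util.find_library("ssl")
    if path is None:
        return None
    try:
        return ctypes.CDLL(path)
    except OSError:
        return None


def sslv3_available(path=None):
    """True/False when libssl could be loaded, None when it could not."""
    lib = load_libssl(path)
    return None if lib is None else symbol_report(lib)["SSLv3_client_method"]


if __name__ == "__main__":
    # Optional argument: path to a specific libssl (hypothetical usage).
    lib = load_libssl(sys.argv[1] if len(sys.argv) > 1 else None)
    if lib is None:
        sys.exit("libssl could not be located or loaded")
    for name, present in symbol_report(lib).items():
        print(f"{name:22} {'exported' if present else 'missing'}")
```

Run inside the environment where the package is installed, passing the path of the libssl under test when more than one OpenSSL is present.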