From owner-freebsd-ports@freebsd.org Thu Feb 27 19:52:18 2020 Return-Path: Delivered-To: freebsd-ports@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C7B5624C738 for ; Thu, 27 Feb 2020 19:52:18 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org [IPv6:2610:1c1:1:606c::50:13]) by mx1.freebsd.org (Postfix) with ESMTP id 48T3Gn42xyz3DnJ for ; Thu, 27 Feb 2020 19:52:17 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: by mailman.nyi.freebsd.org (Postfix) id 7371824C736; Thu, 27 Feb 2020 19:52:17 +0000 (UTC) Delivered-To: ports@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 55BFA24C735 for ; Thu, 27 Feb 2020 19:52:17 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from mail.nomadlogic.org (mail.nomadlogic.org [174.136.98.114]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mail.nomadlogic.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48T3Gk1Pd2z3Dkl for ; Thu, 27 Feb 2020 19:52:13 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from [192.168.1.141] (76-214-71-45.lightspeed.irvnca.sbcglobal.net [76.214.71.45]) by mail.nomadlogic.org (OpenSMTPD) with ESMTPSA id 42564720 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Thu, 27 Feb 2020 19:52:06 +0000 (UTC) Subject: Re: About protocols in openssl To: Willem Jan Withagen , Miroslav Lachman <000.fbsd@quip.cz>, "ports@freebsd.org" References: <75330ed3-5f85-ea63-b8df-c73b5426b5a8@digiware.nl> From: Pete Wright Message-ID: Date: Thu, 27 Feb 2020 11:52:06 -0800 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <75330ed3-5f85-ea63-b8df-c73b5426b5a8@digiware.nl> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 48T3Gk1Pd2z3Dkl X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of pete@nomadlogic.org designates 174.136.98.114 as permitted sender) smtp.mailfrom=pete@nomadlogic.org X-Spamd-Result: default: False [-5.05 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; R_SPF_ALLOW(-0.20)[+mx]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[nomadlogic.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; IP_SCORE(-2.75)[ip: (-9.29), ipnet: 174.136.96.0/20(-4.04), asn: 25795(-0.39), country: US(-0.05)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:25795, ipnet:174.136.96.0/20, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Feb 2020 19:52:18 -0000 On 2020-02-27 11:42, Willem Jan Withagen wrote: > On 27-2-2020 20:25, Miroslav Lachman wrote: >> Willem Jan Withagen wrote on 2020/02/27 20:00: >>> Hi, >>> >>> My ceph ports uses all kinds of python stuff, and now the trouble is >>> that I'm getting >>> an error on missing: >>>      SSLv3_client_method >>> >>> Which i guess, is because in the current openssl libs SSLv3 is >>> disabled. >>> And I sort of get this, SSLv3 is unsafe. >>> >>> But I need it to be able to run parts of the ceph port. >>> >>> So how do I get a openssl lib dependancy that has SSLv3 enabled. >> >> You can build OpenSSL 1.1.1 from the ports where you can enable SSLv3 >> in the options dialog. >> >> https://www.freshports.org/security/openssl/ >> >> The defaults are: >> ====> Protocol Support >> NEXTPROTONEG=on: Next Protocol Negotiation (SPDY) >> SCTP=on: SCTP (Stream Control Transmission) >> SSL3=off: SSLv3 (unsafe) >> TLS1=on: TLSv1.0 (requires TLS1_1, TLS1_2) >> TLS1_1=on: TLSv1.1 (requires TLS1_2) >> TLS1_2=on: TLSv1.2 > > Yup, this is what I did, and that works. > But how do I do that for a port? And the make sure that the installer > of the ceph-package gets an openssl that had SSLv3 It may be best to build an internal package with the options you need configured accordingly.  I do this via poudriere for some of my internal software.  For example I have this file on my package builder: /usr/local/etc/poudriere.d/make.conf which contains the following: x11-servers_xorg-server_SET=FIXDRM I think this matches the same format of make.conf you would use if building the ports tree locally. -pete -- Pete Wright pete@nomadlogic.org @nomadlogicLA