Date: Thu, 27 Feb 2020 22:11:09 +0100 From: Willem Jan Withagen <wjw@digiware.nl> To: Mathieu Arnold <mat@FreeBSD.org>, Freddie Cash <fjwcash@gmail.com> Cc: "ports@freebsd.org" <ports@freebsd.org>, Pete Wright <pete@nomadlogic.org>, Miroslav Lachman <000.fbsd@quip.cz> Subject: Re: About protocols in openssl Message-ID: <638102ef-14c6-125c-20f5-b706ed45a382@digiware.nl> In-Reply-To: <20200227205328.dxpnwqcekdotnz4j@atuin.in.mat.cc> References: <f7d98734-20dd-5ee7-b8b9-6ebc69603cb7@digiware.nl> <d7673dcd-467a-25ce-bca7-21cd74bf1777@quip.cz> <75330ed3-5f85-ea63-b8df-c73b5426b5a8@digiware.nl> <be596e5a-c136-cd3f-d634-f19558ac25ff@nomadlogic.org> <0104ac5e-8d50-4a7e-ee6e-20c3a0167700@digiware.nl> <CAOjFWZ5XFPK7tyj8DTtOOm_pRRA_YWUS50o=tPhc5cuFoUQeTA@mail.gmail.com> <20200227205328.dxpnwqcekdotnz4j@atuin.in.mat.cc>
next in thread | previous in thread | raw e-mail | index | archive | help
On 27-2-2020 21:53, Mathieu Arnold wrote: > On Thu, Feb 27, 2020 at 12:45:51PM -0800, Freddie Cash wrote: >> On Thu, Feb 27, 2020, 12:37 PM Willem Jan Withagen, <wjw@digiware.nl> wrote: >> >>> Interesting, but not quite what I want.... >>> It is not for personal usage, but for ports that I have commited to the >>> ports collection, and want to upgrade. >>> And yes, fixing openssl works for this problem, but it is not only my >>> problem. >>> >>> I maintain these Ceph ports, and now upstream uses a python module that >>> expects SSlv3 to be available in the openssl that encounters on the system. >>> And the question is how to accommodate that? >>> Short of embedding my own openssl libs with the ceph-libs, thus creating >>> a huge maintenance problem. >>> >>> I could also argue that switching of SSLv3 in a generic library is sort >>> of impractical, even if it is a protocol that we want to erradicate. >>> But I guess that the maintainers of openssl have decided that this is >>> the smart thing to do. >>> And I'm in peace with that, but now require an escape from this catch-22. >>> >>> --WjW >>> >> There's no mechanism in the ports tree framework for port X to depend on >> feature Y being enabled in port Z. >> >> All you can do is add a pkg-message alert to your ceph port saying the use >> needs to compile the openssl port with SSLv3 enabled. >> >> You could create a slave port for openssl that has that option enabled, >> then depend on that slave port. But that might create dependency issues >> elsewhere. > You can do it, but nobody will commit that kind of change. The choice > of which OpenSSL version to use is a user facing change, and it is done > globally. > > As a side note, SSLv3 is going away, anything done right now that needs > it is doomed. I wholehartedly agree, SSLv3 is a pain that should go. I've excluded it on webservers already for ages. And TLS1 and TLS1.1 going down the same path. But none the less I run into this problem that a python module does not want to load because the includes .so is looking for SSLv3 stuff during. Adding a openssl port with SSLv3 enabled would be an option, and as long a it builds on the regular openssl port it would be a compatible library. I only fear for the tantrum that `pkg install` is going to throw, when install openssl-sslv3 is going to override openssl. Nothing but matching paths. Doubt if that is going to be workable? --WjW
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?638102ef-14c6-125c-20f5-b706ed45a382>