Subject: Re: About protocols in openssl
To: Mathieu Arnold, Freddie Cash
Cc: ports@freebsd.org, Pete Wright, Miroslav Lachman <000.fbsd@quip.cz>
From: Willem Jan Withagen
Message-ID: <638102ef-14c6-125c-20f5-b706ed45a382@digiware.nl>
In-Reply-To: <20200227205328.dxpnwqcekdotnz4j@atuin.in.mat.cc>
Date: Thu, 27 Feb 2020 22:11:09 +0100
List-Id: Porting software to FreeBSD

On 27-2-2020 21:53, Mathieu Arnold wrote:
> On Thu, Feb 27, 2020 at 12:45:51PM -0800, Freddie Cash wrote:
>> On Thu, Feb 27, 2020, 12:37 PM Willem Jan Withagen, wrote:
>>
>>> Interesting, but not quite what I want....
>>> It is not for personal usage, but for ports that I have committed to the
>>> ports collection, and want to upgrade.
>>> And yes, fixing openssl works for this problem, but it is not only my
>>> problem.
>>>
>>> I maintain these Ceph ports, and now upstream uses a python module that
>>> expects SSLv3 to be available in the openssl that it encounters on the system.
>>> And the question is how to accommodate that?
>>> Short of embedding my own openssl libs with the ceph-libs, thus creating
>>> a huge maintenance problem.
>>>
>>> I could also argue that switching off SSLv3 in a generic library is sort
>>> of impractical, even if it is a protocol that we want to eradicate.
>>> But I guess that the maintainers of openssl have decided that this is
>>> the smart thing to do.
>>> And I'm at peace with that, but now require an escape from this catch-22.
>>>
>>> --WjW
>>>
>> There's no mechanism in the ports tree framework for port X to depend on
>> feature Y being enabled in port Z.
>>
>> All you can do is add a pkg-message alert to your ceph port saying the user
>> needs to compile the openssl port with SSLv3 enabled.
>>
>> You could create a slave port for openssl that has that option enabled,
>> then depend on that slave port. But that might create dependency issues
>> elsewhere.
> You can do it, but nobody will commit that kind of change. The choice
> of which OpenSSL version to use is a user facing change, and it is done
> globally.
>
> As a side note, SSLv3 is going away, anything done right now that needs
> it is doomed.

I wholeheartedly agree, SSLv3 is a pain that should go.
I've excluded it on webservers already for ages.
And TLS1 and TLS1.1 are going down the same path.

But nonetheless I run into this problem that a python module does not
want to load because the included .so is looking for SSLv3 stuff during.

Adding an openssl port with SSLv3 enabled would be an option, and as long
as it builds on the regular openssl port it would be a compatible library.
I only fear for the tantrum that `pkg install` is going to throw, when
installing openssl-sslv3 is going to override openssl.
Nothing but matching paths.

Doubt if that is going to be workable?

--WjW
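The failure described in this thread, a compiled Python module that will not load because it imports SSLv3 entry points from a libssl built without them, can be diagnosed before `pkg install` ever runs. The following is an added example, not code from the thread, from the Ceph project or from the FreeBSD ports framework. It parses the output of `nm -D --undefined-only` for a module's shared object (the sample output is constructed for a hypothetical module), looks up which legacy protocols the interpreter's own libssl still offers via the `ssl.HAS_*` flags, reports the mismatch that would make `dlopen` fail, and, for the other half of the thread (refusing SSLv3/TLS1.0/TLS1.1 on a server), builds an `SSLContext` with a TLS 1.2 floor. It assumes Python 3.7+ and an OpenSSL 1.1.0g or newer behind the `ssl` module.

```python
import re
import ssl

# Protocol-specific method constructors that OpenSSL stops exporting when a
# protocol is compiled out (no-ssl3, no-tls1, no-tls1_1). A compiled extension
# that references one of these fails to load against such a libssl.
LEGACY_PROTOCOL_SYMBOLS = {
    "SSLv3_method": "SSLv3",
    "SSLv3_client_method": "SSLv3",
    "SSLv3_server_method": "SSLv3",
    "TLSv1_method": "TLS 1.0",
    "TLSv1_client_method": "TLS 1.0",
    "TLSv1_server_method": "TLS 1.0",
    "TLSv1_1_method": "TLS 1.1",
    "TLSv1_1_client_method": "TLS 1.1",
    "TLSv1_1_server_method": "TLS 1.1",
}

# Constructed sample of `nm -D --undefined-only some_module.so` output for a
# hypothetical module; not taken from any real Ceph binding.
SAMPLE_NM_OUTPUT = """\
                 U SSL_CTX_new
                 U SSLv3_method
                 U TLS_method
                 U TLSv1_1_client_method@OPENSSL_1_1_0
                 U PyArg_ParseTuple
"""

# Matches an undefined-symbol line: optional hex address, "U", symbol name.
_UNDEF_LINE = re.compile(r"\s*(?:[0-9a-fA-F]+\s+)?U\s+(\S+)")


def legacy_protocol_imports(nm_output: str) -> dict:
    """Map each legacy-protocol symbol the object imports to its protocol name."""
    found = {}
    for line in nm_output.splitlines():
        m = _UNDEF_LINE.match(line)
        if not m:
            continue
        # Drop a symbol-version suffix such as "@OPENSSL_1_1_0" before lookup.
        name = m.group(1).split("@", 1)[0]
        if name in LEGACY_PROTOCOL_SYMBOLS:
            found[name] = LEGACY_PROTOCOL_SYMBOLS[name]
    return found


def protocols_available_in_libssl() -> dict:
    """Legacy protocols the libssl behind this interpreter's ssl module still offers."""
    return {
        "SSLv3": ssl.HAS_SSLv3,
        "TLS 1.0": ssl.HAS_TLSv1,
        "TLS 1.1": ssl.HAS_TLSv1_1,
    }


def unresolvable_protocols(nm_output: str, available: dict) -> set:
    """Protocols the module needs but the given libssl lacks; any hit means dlopen fails."""
    needed = set(legacy_protocol_imports(nm_output).values())
    return {proto for proto in needed if not available.get(proto, False)}


def hardened_context() -> ssl.SSLContext:
    """Server-side context that refuses SSLv3, TLS 1.0 and TLS 1.1 outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Replace SAMPLE_NM_OUTPUT with the real `nm -D --undefined-only` output
    # of the module under test to check it against this interpreter's libssl.
    available = protocols_available_in_libssl()
    print("legacy symbols imported:", legacy_protocol_imports(SAMPLE_NM_OUTPUT))
    print("libssl still provides:", available)
    missing = unresolvable_protocols(SAMPLE_NM_OUTPUT, available)
    print("module would fail to load, needs:", missing or "nothing")
    print("hardened server floor:", hardened_context().minimum_version.name)
```

The `nm` parse is the useful half: it answers "will this .so load on a libssl built with `no-ssl3`" without actually importing the module, so it can run in a package build or a CI job. The `hardened_context` function is the server-side counterpart of the poster's webserver policy and is independent of whether the local libssl still carries the old protocols at all.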