Date: Wed, 17 Jun 2009 00:07:21 -0700
From: "b. f." <bf1783@googlemail.com>
To: freebsd-questions@FreeBSD.org
Cc: drew@mykitchentable.net
Subject: Re: OpenSSL Base vs. OpenSSL Port?
Message-ID: <d873d5be0906170007i65e569a3xe54fea7635b15f03@mail.gmail.com>

>I had been running 6.2 with openssl base for quite a while. Then I
>attempted to implement the dkim-filter port which required using openssl
>to generate keys. That's when I noticed that openssl is broken on my
>machine. See this example:
># openssl genrsa -out rsa.private 1024
>Error configuring OpenSSL
>28086:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd
>name:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_ctrl.c:318:
>28086:error:0E07406D:configuration file
>routines:CONF_modules_load:module initialization
>error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto
>/conf/conf_mod.c:234:module=engines,
>value=openssl_engines, retcode=-1
>So I thought rebuilding world might fix it and while I was at it, I
>upgraded to 6.4 but still have the same problem.

I'm not familiar with this problem. If you have a supported version of
6.X installed, and you've read the documentation, and are convinced that
the error is due to some problem with the openssl in base, then you
should submit a PR:

http://www.freebsd.org/support/bugreports.html

>Next I tried installing openssl from ports. This openssl seems to work:
># /usr/local/bin/openssl genrsa -out rsa.private 1024
>Generating RSA private key, 1024 bit long modulus
>..............................................................++++++
>..............++++++
>e is 65537 (0x10001)
>But now I am unclear as to what state my system is in. What is the
>preferred method for using openssl from ports vs. using openssl base. I
>don't really care which I use but want to avoid trouble with multiple
>versions of openssl and/or ports compiled against the wrong version.
>I've been Googling all day but can not find a clear guide.

No need to waste time googling -- just go straight to the code, the port
makefiles on your system that actually _do_ the work -- in this case
/usr/ports/Mk/bsd.openssl.mk (or substitute the value of PORTSDIR for
/usr/ports if you've got your Ports tree in some nondefault location).
There you will see some comments and the actual code governing the use
of the variables.

>Specifically, what should I have in my /etc/make.conf and what
>portupgrade command should I use to ensure things are built against the
>correct openssl? I've seen things like OPENSSL_OVERWRITE_BASE=yes,
>NO_OPENSSL=yes, WITH_OPENSSL_PORT=yes, WITH_OPENSSL_BETA=yes, and
>portupgrade -rf openssl but remain confused.

Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is
a good way -- and then rebuild all ports that depend on openssl. There
are many different ways to do this -- you could use:

pkgdb -L && portupgrade -fur openssl-*

(The first command may not be necessary, but I find that the
dependencies of some ports on openssl are sometimes missing from the
pkgdb, and need to be added.)

or

portmaster -t -r openssl-*

for example. Note that this will only ensure that ports that correctly
use USE_OPENSSL are linked to the proper version of openssl -- some
ports may not have been constructed properly, and may still end up being
linked to the base openssl. You can check if there are any such ports by
using ldd(1) or the sysutils/libchk port.

b.
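
The ldd(1) check mentioned at the end of the message can be scripted. The following is an added example, not part of the original e-mail: it classifies ldd output by where libssl and libcrypto resolve, and flags the "mixed" case where one binary pulls in both copies. It assumes base libraries live under /lib and /usr/lib and the port installs under LOCALBASE (default /usr/local); the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which OpenSSL a binary is linked against, from ldd(1) output.
# Assumption: base libs are under /lib or /usr/lib; the port is under $LOCALBASE/lib.
LOCALBASE="${LOCALBASE:-/usr/local}"

# Reads ldd(1) output on stdin; prints one of: none, base, port, mixed.
openssl_origin() {
    awk -v lb="$LOCALBASE/lib/" '
        # Lines look like: "libssl.so.5 => /usr/lib/libssl.so.5 (0x28123000)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, lb) == 1)            port = 1
            else if ($3 ~ /^\/(usr\/)?lib\//)  base = 1
        }
        END {
            if (base && port) print "mixed"
            else if (base)    print "base"
            else if (port)    print "port"
            else              print "none"
        }'
}

# Print every given file that still resolves OpenSSL (wholly or partly) from base.
# Typical use after rebuilding:  scan /usr/local/bin/* /usr/local/sbin/*
scan() {
    for f in "$@"; do
        o=$(ldd "$f" 2>/dev/null | openssl_origin)
        case "$o" in
            base|mixed) echo "$f: $o" ;;
        esac
    done
}

# Constructed ldd output (path, library versions and addresses are made up):
# libssl comes from the port, but libcrypto still resolves to the base copy.
sample_mixed() {
    cat <<'EOF'
/usr/local/sbin/example-filter:
    libssl.so.6 => /usr/local/lib/libssl.so.6 (0x28090000)
    libcrypto.so.5 => /lib/libcrypto.so.5 (0x280d0000)
    libc.so.7 => /lib/libc.so.7 (0x28200000)
EOF
}

printf 'constructed sample: %s\n' "$(sample_mixed | openssl_origin)"
```

Anything `scan` prints is a port to rebuild, or one whose Makefile does not honour USE_OPENSSL.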