From: "b. f."
To: freebsd-questions@FreeBSD.org
Cc: drew@mykitchentable.net
Date: Wed, 17 Jun 2009 00:07:21 -0700
Subject: Re: OpenSSL Base vs. OpenSSL Port?

>I had been running 6.2 with openssl base for quite a while. Then I
>attempted to implement the dkim-filter port which required using openssl
>to generate keys. That's when I noticed that openssl is broken on my
>machine. See this example:
># openssl genrsa -out rsa.private 1024
>Error configuring OpenSSL
>28086:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd
>name:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_ctrl.c:318:
>28086:error:0E07406D:configuration file
>routines:CONF_modules_load:module initialization
>error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto
>/conf/conf_mod.c:234:module=engines,
>value=openssl_engines, retcode=-1
>So I thought rebuilding world might fix it and while I was at it, I
>upgraded to 6.4 but still have the same problem.

I'm not familiar with this problem. If you have a supported version of
6.X installed, and you've read the documentation, and are convinced that
the error is due to some problem with the openssl in base, then you
should submit a PR:

http://www.freebsd.org/support/bugreports.html

>Next I tried installing openssl from ports. This openssl seems to work:
># /usr/local/bin/openssl genrsa -out rsa.private 1024
>Generating RSA private key, 1024 bit long modulus
>..............................................................++++++
>..............++++++
>e is 65537 (0x10001)
>But now I am unclear as to what state my system is in. What is the
>preferred method for using openssl from ports vs. using openssl base. I
>don't really care which I use but want to avoid trouble with multiple
>versions of openssl and/or ports compiled against the wrong version.
>I've been Googling all day but can not find a clear guide.

No need to waste time googling -- just go straight to the code, the port
makefiles on your system that actually _do_ the work -- in this case
/usr/ports/Mk/bsd.openssl.mk (or substitute the value of PORTSDIR for
/usr/ports if you've got your Ports tree in some nondefault location).
There you will see some comments and the actual code governing the use
of the variables.

>Specifically, what should I have in my /etc/make.conf and what
>portupgrade command should I use to ensure things are built against the
>correct openssl? I've seen things like OPENSSL_OVERWRITE_BASE=yes,
>NO_OPENSSL=yes, WITH_OPENSSL_PORT=yes, WITH_OPENSSL_BETA=yes, and
>portupgrade -rf openssl but remain confused.

Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is
a good way -- and then rebuild all ports that depend on openssl. There
are many different ways to do this -- you could use:

pkgdb -L && portupgrade -fur openssl-*

(The first command may not be necessary, but I find that the
dependencies of some ports on openssl are sometimes missing from the
pkgdb, and need to be added.)

or

portmaster -t -r openssl-*

for example. Note that this will only ensure that ports that correctly
use USE_OPENSSL are linked to the proper version of openssl -- some
ports may not have been constructed properly, and may still end up being
linked to the base openssl. You can check if there are any such ports by
using ldd(1) or the sysutils/libchk port.

b.
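
Added example, not part of the original message: one way to do the ldd(1) check described above, listing port-installed objects whose libssl or libcrypto resolves outside the ports prefix. The /usr/local default for LOCALBASE, the scanned directories, the function names and the sample ldd output are assumptions made for this illustration.

```shell
#!/bin/sh
# Assumption: ports install under LOCALBASE (default /usr/local), so the
# port's OpenSSL libraries live in ${LOCALBASE}/lib.
LOCALBASE="${LOCALBASE:-/usr/local}"

# Reads ldd(1) output on stdin and prints "<object> <library path>" for every
# libssl/libcrypto dependency that resolves outside ${LOCALBASE}/lib.
base_openssl_links() {
    awk -v prefix="$LOCALBASE/lib/" '
        # "path:" header lines name the object being examined
        /^\/.*:$/ { obj = substr($0, 1, length($0) - 1); next }
        # dependency lines look like: libssl.so.N => /path/libssl.so.N (0x...)
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            if (index($3, prefix) != 1) print obj, $3
        }'
}

# Runs ldd over executables and shared objects installed by ports.
# Call this on the real system after rebuilding; empty output means no
# scanned object still resolves OpenSSL outside the ports prefix.
scan_ports() {
    find "$LOCALBASE/bin" "$LOCALBASE/sbin" "$LOCALBASE/libexec" \
         "$LOCALBASE/lib" -type f \( -perm -0100 -o -name '*.so*' \) \
         2>/dev/null |
    while IFS= read -r f; do ldd "$f" 2>/dev/null; done |
    base_openssl_links
}

# Constructed sample of ldd output (not captured from a real system):
# port-a uses the ports OpenSSL, port-b still uses the base libraries.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/port-a:
    libssl.so.5 => /usr/local/lib/libssl.so.5 (0x28090000)
    libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x280d0000)
    libc.so.6 => /lib/libc.so.6 (0x28200000)
/usr/local/sbin/port-b:
    libssl.so.4 => /usr/lib/libssl.so.4 (0x28090000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x280c0000)
    libc.so.6 => /lib/libc.so.6 (0x28200000)
EOF
}

# Demonstration on the constructed sample; only port-b is reported.
sample_ldd | base_openssl_links
```

Objects reported by scan_ports belong to ports that were not relinked and are still loading the base OpenSSL libraries.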