From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chuck Burns
Cc: freebsd-stable@freebsd.org
Subject: Re: OpenSSL from Ports
Date: Mon, 30 Jul 2012 22:18:20 +0100
Message-ID: <5016FA1C.6090003@infracaninophile.co.uk>
In-Reply-To: <20120730153832.4303ab95.break19@gmail.com>
References: <5016CCBB.30603@beatsnet.com> <5016D443.9030105@zedat.fu-berlin.de> <5016DA03.7080304@beatsnet.com> <20120730153832.4303ab95.break19@gmail.com>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On 30/07/2012 21:38, Chuck Burns wrote:
> On Mon, 30 Jul 2012 21:01:23 +0200
> Beat Siegenthaler wrote:
>> It seems to be important to know what "build from port" means. There is
>> still some tweaking necessary.
> Is it possible that openssl in base is just left over from the
> previous world? I don't think "build from ports" entails removing
> something from the disk, just that it isn't rebuilt when buildworld is
> issued.

Arguments in this thread about which openssl binary is found first on
$PATH are kind of missing the point. For pretty much all use cases, it's
not the openssl binary itself which is important, but the shared
libraries that come with it. WITH_OPENSSL_PORT=yes means that any ports
you build which use SSL functions will be linked against the shlibs from
the openssl port rather than those from the base. Like so:

    % ldd /usr/local/sbin/opendkim
    /usr/local/sbin/opendkim:
            libopendkim.so.6 => /usr/local/lib/libopendkim.so.6 (0x800839000)
            libar.so.2 => /usr/local/lib/libar.so.2 (0x800a55000)
            libmilter.so.4 => /usr/local/lib/libmilter.so.4 (0x800c5b000)
    **-->   libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
    **-->   libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x8010ce000)
            libthr.so.3 => /lib/libthr.so.3 (0x80148e000)
            libc.so.7 => /lib/libc.so.7 (0x8016b0000)

You can see that it is finding the libs it needs in /usr/local/lib
completely automatically. No fiddling with paths or manual tweaking of
ldconfig required -- that's all handled within the ports at
build/install time. Of course, after setting WITH_OPENSSL_PORT=yes you
will need to reinstall all your ports that use SSL functionality to get
the benefit.

However, the bits of the base system that use SSL will still use the
version of openssl from the base:

    % ldd /usr/sbin/named
    /usr/sbin/named:
    **-->   libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
            libthr.so.3 => /lib/libthr.so.3 (0x800db9000)
            libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x800fdb000)
            libc.so.7 => /lib/libc.so.7 (0x8011e8000)

If you disable building openssl in src.conf, then you stop any of the
utilities in the base being able to use crypto, which is on the whole a
very bad thing for security. Not recommended.

If you're concerned that the version of openssl in the base (0.9.8x for
stable/9) appears outdated, don't be. While this isn't the highest
available version from the openssl project, it still has all of the
security fixes applied to it. Head has been upgraded to openssl-1.0.1c,
which will be in the FreeBSD 10.x release series. Upgrading earlier
FreeBSD versions like that would break the ABI stability rules, so it's
not going to happen.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
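The check that Matthew's two ldd listings illustrate, written out as an added example (not part of the original message, and not FreeBSD's own tooling): a small sh script that classifies each libssl/libcrypto entry in ldd output as resolved from the base system (/lib, /usr/lib) or from the port (/usr/local/lib), and uses that to list port binaries still linked against the base OpenSSL after WITH_OPENSSL_PORT=yes has been set but before they were reinstalled. The sample ldd text is constructed from the two listings in the message; the directories scanned by find_stale_port_binaries are an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeBSD project.
# After WITH_OPENSSL_PORT=yes, ports built earlier stay linked against the
# base libssl/libcrypto until they are reinstalled. This script tells the
# two cases apart from `ldd` output and lists port binaries needing a rebuild.

# classify_ssl_linkage: read ldd output on stdin; for every libssl/libcrypto
# entry print "<library> port|base|unknown" depending on where it resolved.
classify_ssl_linkage() {
    awk '
        # an ldd line looks like: "  libssl.so.8 => /usr/local/lib/libssl.so.8 (0x...)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)   kind = "port"
            else if ($3 ~ /^\/(usr\/)?lib\//)  kind = "base"
            else                               kind = "unknown"
            print $1, kind
        }
    '
}

# needs_reinstall: exit 0 if the ldd output on stdin shows any OpenSSL
# library resolved from the base system, 1 otherwise.
needs_reinstall() {
    classify_ssl_linkage | grep -q ' base$'
}

# find_stale_port_binaries: scan the usual port install directories (an
# assumed list) and print each binary still linked against base OpenSSL.
# Runs ldd on real files, so it is only meaningful on a FreeBSD host.
find_stale_port_binaries() {
    for dir in /usr/local/bin /usr/local/sbin /usr/local/libexec; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while read -r f; do
            if ldd "$f" 2>/dev/null | needs_reinstall; then
                echo "$f"
            fi
        done
    done
}

# Constructed samples mirroring the two ldd listings quoted in the thread.
SAMPLE_PORT='/usr/local/sbin/opendkim:
    libopendkim.so.6 => /usr/local/lib/libopendkim.so.6 (0x800839000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x8010ce000)
    libc.so.7 => /lib/libc.so.7 (0x8016b0000)'
SAMPLE_BASE='/usr/sbin/named:
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
    libc.so.7 => /lib/libc.so.7 (0x8011e8000)'

# Demonstration on the constructed samples (no ldd needed):
printf '%s\n' "$SAMPLE_PORT" | classify_ssl_linkage   # libssl.so.8 port / libcrypto.so.8 port
printf '%s\n' "$SAMPLE_BASE" | classify_ssl_linkage   # libcrypto.so.6 base
```

On a real host, `find_stale_port_binaries` is the useful call: anything it prints under /usr/local is a port that was built before the switch and should be reinstalled; a base utility such as /usr/sbin/named reporting `base` is expected and is not a problem, as the message explains.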