Date: Mon, 30 Jul 2012 22:18:20 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chuck Burns <break19@gmail.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: OpenSSL from Ports
Message-ID: <5016FA1C.6090003@infracaninophile.co.uk>
In-Reply-To: <20120730153832.4303ab95.break19@gmail.com>
References: <5016CCBB.30603@beatsnet.com> <5016D443.9030105@zedat.fu-berlin.de> <5016DA03.7080304@beatsnet.com> <20120730153832.4303ab95.break19@gmail.com>

On 30/07/2012 21:38, Chuck Burns wrote:
> On Mon, 30 Jul 2012 21:01:23 +0200
> Beat Siegenthaler <beat.siegenthaler@beatsnet.com> wrote:
>> It seems to be important to know, what "build from port" means. There is
>> still some tweaking necessary.
> Is it possible that openssl in base is just left over from the
> previous world? I don't think "build from ports" entails removing
> something from the disk, just that it isn't rebuilt when buildworld is
> issued.

Arguments in this thread about which openssl binary is found first on
$PATH are kind of missing the point. For pretty much all use cases,
it's not the openssl binary itself which is important, but the shared
libraries that come with it.

WITH_OPENSSL_PORT=yes means that any ports you build which use SSL
functions will be linked against the shlibs from the openssl port rather
than those from the base. Like so:

% ldd /usr/local/sbin/opendkim
/usr/local/sbin/opendkim:
      libopendkim.so.6 => /usr/local/lib/libopendkim.so.6 (0x800839000)
      libar.so.2 => /usr/local/lib/libar.so.2 (0x800a55000)
      libmilter.so.4 => /usr/local/lib/libmilter.so.4 (0x800c5b000)
**--> libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
**--> libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x8010ce000)
      libthr.so.3 => /lib/libthr.so.3 (0x80148e000)
      libc.so.7 => /lib/libc.so.7 (0x8016b0000)

You can see that it is finding the libs it needs in /usr/local/lib
completely automatically. No fiddling with paths or manual tweaking of
ldconfig required -- that's all handled within the ports at
build/install time. Of course, after setting WITH_OPENSSL_PORT=yes you
will need to reinstall all your ports that use SSL functionality to get
the benefit.

However, the bits of the base system that use SSL will still use the
version of openssl from the base:

% ldd /usr/sbin/named
/usr/sbin/named:
**--> libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
      libthr.so.3 => /lib/libthr.so.3 (0x800db9000)
      libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x800fdb000)
      libc.so.7 => /lib/libc.so.7 (0x8011e8000)

If you disable building openssl in src.conf, then you stop any of the
utilities in the base being able to use crypto, which is on the whole a
very bad thing for security. Not recommended.

If you're concerned that the version of openssl in the base (0.9.8x for
stable/9) appears outdated, don't be. While this isn't the highest
available version from the openssl project, it still has all of the
security fixes applied to it. Head has been upgraded to openssl-1.0.1c,
which will be in the FreeBSD 10.x release series. Upgrading earlier
FreeBSD versions like that would break the ABI stability rules, so it's
not going to happen.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
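
Added example (not part of Matthew Seaman's message, nor code from the ports tree): a shell helper that applies the ldd check shown in the message, reporting whether libssl/libcrypto resolve to the ports tree, the base system, or both. The function and sample names are hypothetical, /usr/local is assumed as the ports prefix, and the "mixed" sample is constructed.

```shell
#!/bin/sh
# Added example: classify the OpenSSL libraries named in ldd(1) output on stdin.
# Prints ports, base, mixed or none. Prefix (assumed default /usr/local) is $1.
classify_ssl_libs() {
    awk -v prefix="${1:-/usr/local}" '
    {
        # Find "name => path"; a leading marker such as "**-->" shifts the fields.
        for (i = 2; i < NF; i++) {
            if ($i != "=>" || $(i-1) !~ /^lib(ssl|crypto)\.so\./) continue
            path = $(i+1)
            if (path !~ /^\//) continue          # e.g. "not found"
            if (index(path, prefix "/") == 1)
                ports++
            else
                base++
        }
    }
    END {
        if (ports && base) print "mixed"         # both copies in one process
        else if (ports)    print "ports"
        else if (base)     print "base"
        else               print "none"
    }'
}

# ldd lines quoted in the message (abridged).
sample_opendkim() { cat <<'EOF'
/usr/local/sbin/opendkim:
    libmilter.so.4 => /usr/local/lib/libmilter.so.4 (0x800c5b000)
**--> libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
**--> libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x8010ce000)
    libc.so.7 => /lib/libc.so.7 (0x8016b0000)
EOF
}
sample_named() { cat <<'EOF'
/usr/sbin/named:
**--> libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
    libc.so.7 => /lib/libc.so.7 (0x8011e8000)
EOF
}
# Constructed input: a port whose libssl and libcrypto resolve to different trees.
sample_mixed() { cat <<'EOF'
/usr/local/bin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800e6b000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a1c000)
EOF
}

# With file arguments, check real binaries; otherwise nothing is run.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(ldd "$f" 2>/dev/null | classify_ssl_libs)"
done
```

Run over the ports' installed binaries after setting WITH_OPENSSL_PORT=yes, anything reported as "base" or "mixed" is a port that has not yet been reinstalled against the port's libraries.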