Date: Fri, 12 Oct 2018 17:00:16 -0700 (PDT)
From: Don Lewis
Subject: Re: HEADS-UP: OpenSSL 1.1.1 in 12.0
To: freebsd.current@clogic.com.ua
cc: Michael Butler, freebsd-current@freebsd.org

On 11 Oct, Don Lewis wrote:
> On 11 Oct, Don Lewis wrote:
>> On 11 Oct, freebsd.current@clogic.com.ua wrote:
>>> On 2018-10-10 06:14, Michael Butler wrote:
>>>> On 10/9/18 5:34 PM, Glen Barber wrote:
>>>>> OpenSSL has been updated to version 1.1.1 as of r339270.
>>>>>
>>>>> It is important to rebuild third-party packages before running:
>>>>>
>>>>>  # make -C /usr/src delete-old && make -C /usr/src delete-old-libs
>>>>>
>>>>> Thank you for your patience while this work was in progress, and thank
>>>>> you to all involved for their hard work in getting things ready for
>>>>> this update.
>>>>
>>>> So far, I've found two ports that will no longer build. They are:
>>>>
>>>>  net-mgmt/net-snmp
>>>>  security/opencryptoki
>>>>
>>>> I simply chose those that were linked to /usr/lib/libssl.so.8 where the
>>>> openssl update creates libssl.so.9. There may be more I haven't found
>>>> yet,
>>>>
>>>>  imb
>>>
>>> You always can add DEFAULT_VERSIONS+=ssl=openssl to /etc/make.conf to
>>> use openssl from ports.
>>> Anyway, I think apps from ports need to use openssl from ports.
>>
>> I've been doing this for a long time, but I still see a fair amount of
>> breakage with the new base OpenSSL. I suspect that some ports are
>> incorrectly stumbling across the new bits in base even though they
>> shouldn't be looking there.
>
> security/p5-Net-SSLeay is hardwired to use base OpenSSL, so changing the
> default version can't be done to unbreak p5-IO-Socket-SSL.
>
> devel/libsoup appears to allow the OpenSSL version to be set, but doesn't
> have an option for GSSAPI, so it attempts to use base GSSAPI with ports
> OpenSSL which is not a valid combo.
>
> emulators/virtualbox-ose is hardwired to use base OpenSSL.

I now think the problem with virtualbox-ose is not the port. Rather it
is the fact that the base libssl.so and the libssl.so installed by the
security/openssl have the same shared library version number even though
they are radically different OpenSSL versions.
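
Added example (not part of the original message and not FreeBSD's own tooling): the thread finds affected ports by the libssl soname, and the last paragraph notes that base and security/openssl can carry the same soname, so this script classifies each OpenSSL dependency by the path ldd resolves it to rather than by version number. The ldd output is a constructed sample, the function names are hypothetical, and /usr/local as the ports prefix is an assumption (the default LOCALBASE).

```sh
#!/bin/sh
# Constructed sample of FreeBSD `ldd` output (not taken from a real system).
SAMPLE_LDD='/usr/local/bin/app-a:
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a00000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/bin/app-b:
    libssl.so.8 => not found (0)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/bin/app-c:
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a00000)
    libcrypto.so.9 => /lib/libcrypto.so.9 (0x800c00000)'

# classify_libssl: read ldd output on stdin and print
# "<binary> <soname> <origin>" for every libssl/libcrypto dependency.
# origin: ports (/usr/local/lib, assumed default LOCALBASE), base
# (/lib or /usr/lib), missing (unresolved, e.g. after delete-old-libs).
classify_libssl() {
    awk '
        NF == 1 && /:$/ { bin = substr($1, 1, length($1) - 1); next }
        $1 ~ /^lib(ssl|crypto)\.so/ {
            if ($2 != "=>" || $3 == "not")        origin = "missing"
            else if ($3 ~ /^\/usr\/local\/lib\//) origin = "ports"
            else if ($3 ~ /^\/(usr\/)?lib\//)     origin = "base"
            else                                  origin = "other"
            print bin, $1, origin
        }'
}

# suspect_binaries: from classify_libssl output, list binaries with a missing
# OpenSSL library or with OpenSSL libraries from two different origins.
suspect_binaries() {
    awk '
        $3 == "missing" { bad[$1] = 1 }
        { if (($1 in seen) && seen[$1] != $3) bad[$1] = 1; seen[$1] = $3 }
        END { for (b in bad) print b }' | sort
}

# On a real system: ldd /usr/local/bin/* 2>/dev/null | classify_libssl
printf '%s\n' "$SAMPLE_LDD" | classify_libssl
printf '%s\n' "$SAMPLE_LDD" | classify_libssl | suspect_binaries
```

In the sample, app-c shows the case from the last paragraph: both libraries report version 9, and only the resolved path reveals that one comes from ports and the other from base.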