From: Robert Watson
Date: Sat, 19 Feb 2000 09:42:53 -0500 (EST)
To: Kris Kennaway
Cc: freebsd-current@FreeBSD.org
Subject: Re: Supported ways to do RSA/OpenSSL on 4.0?

On Fri, 18 Feb 2000, Kris Kennaway wrote:

> All of the ports which explicitly depend on openssl should be working on
> all supported versions of FreeBSD, modulo screwups :) Jim Bloom has been
> putting a lot of work into getting these working - I have a couple of
> patches to commit, but they mostly seem to work fine as far as I've
> heard.
>
> However, Jordan mailed me this morning about a build problem with openssh
> on a fresh installation which looks very strange - it's like the test for
> a RSA-enabled openssl is falsely passing, which causes the build to die.
> This may be the problem you're seeing - as yet I don't have any real clues
> about why. Could you send me a build log from one of the failing ports as
> well as the output of 'nm /usr/lib/libcrypto.a | grep RSA_free'? Is this a
> fresh installation, i.e. with no older cruft possibly lying around?
Here's the build dying:

cumin# pwd
/usr/ports/security/openssh
cumin# make
===>  Patching for OpenSSH-1.2.2
===>  Applying FreeBSD patches for OpenSSH-1.2.2
===>  Configuring for OpenSSH-1.2.2
===>  Building for OpenSSH-1.2.2
===> lib
Warning: Object directory not changed from original /usr/ports/security/openssh/work/ssh/lib
cc -O -pipe -I/usr/ports/security/openssh/work/ssh/lib/.. -I/usr/include -DINET6 -I/usr/ports/security/openssh/work/ssh/lib/.. -I/usr/local/usr/include -c /usr/ports/security/openssh/work/ssh/lib/../authfd.c -o authfd.o
In file included from /usr/ports/security/openssh/work/ssh/lib/../ssh.h:21,
                 from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:22: openssl/rsa.h: No such file or directory
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:27: openssl/rsa.h: No such file or directory
In file included from /usr/ports/security/openssh/work/ssh/lib/../ssh.h:21,
                 from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:25: syntax error before `*'
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:35: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../rsa.h:36: syntax error before `RSA'
In file included from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:299: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:416: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:425: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:437: syntax error before `RSA'
In file included from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:21:
/usr/ports/security/openssh/work/ssh/lib/../authfd.h:99: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.h:107: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:343: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.c: In function `ssh_add_identity':
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:352: `key' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:352: (Each undeclared identifier is reported only once
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:352: for each function it appears in.)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:360: `comment' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:367: `auth' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c: At top level:
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:430: syntax error before `RSA'
/usr/ports/security/openssh/work/ssh/lib/../authfd.c: In function `ssh_remove_identity':
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:439: `key' undeclared (first use in this function)
/usr/ports/security/openssh/work/ssh/lib/../authfd.c:448: `auth' undeclared (first use in this function)
*** Error code 1

Stop in /usr/ports/security/openssh/work/ssh/lib.
*** Error code 1

Stop in /usr/ports/security/openssh/work/ssh.
*** Error code 1

Stop in /usr/ports/security/openssh.
*** Error code 1

Stop in /usr/ports/security/openssh.
*** Error code 1

Stop in /usr/ports/security/openssh.
cumin#

Here's the output of nm on the default installed /usr/lib/libcrypto.a:

cumin# nm /usr/lib/libcrypto.a | grep RSA_free
cumin#

This was installed from the 02-14-2000 snapshot a day or two ago, and I
have not upgraded world since then.

> > Do we plan to provide a consistent and documented way for users of
> > FreeBSD to go from the RSA-disabled base library set to the
> > RSA-enabled set, and in a way that provides adequate instruction? I
> > get rather uninformative errors when trying to compile
>
> See chapter 6.5 in the handbook.

The handbook appears not to have been installed as part of the ``Novice''
install that I selected.
This suggests that the documentation is not sufficiently accessible.
However, I did find the following:

    The OpenSSL package with RSAREF support for USA users which you can
    get from ftp.FreeBSD.org. Note: Be sure to read the license before
    installing! This is NOT licensed for general-purpose use!

    The OpenSSL package for International (non-USA) users. This is not
    legal for general use in the USA, but international users should use
    this version because the RSA implementation is faster and more
    flexible. It is available from ftp.internat.FreeBSD.org.

I was unable to build the OpenSSL port, and installing the RSAref port
didn't fix these build problems. Also, these directions are pretty
non-specific--could you throw in URLs? Also, as I mentioned for
auto-install, building this into sysinstall as a specific install stage
would be a good idea.

Is the intent that we install the OpenSSL package into /usr/local/lib, or
will this stuff be dumped in /usr/lib? Having two different instances of
OpenSSL with different degrees of breakage will be pretty confusing for
developers and porters of SSL applications, suggesting that the logical
target is /usr/lib. It also might be good to have a
/usr/include/openssl/README that says ``Looking for rsa.h? You need to
read section 6.5 of the handbook''.

Also, I note that we don't include an OpenSSL man page:

cumin# man openssl
No manual entry for openssl
cumin# man ssl
No manual entry for ssl
cumin# man crypto
No manual entry for crypto

These logical-sounding potential manpages would probably be a good place
to mirror the handbook information. Are there OpenSSL man pages installed
somewhere in the base system?

> > OpenSSH, SSLproxy, and Apache13-modssl, none of which is discovered by the
> > ports mechanism, rather the application makefiles. While I understand
> > that you are not the maintainer for these ports,...
:-)

> > It might be nice, for example, to have a stage in sysinstall for
> > crypto-configuration--it would also be accessible post-install, and would
> > provide easy access to install via package the underlying RSA libraries,
> > with appropriate documentation of licensing issues and confirmation of
> > location, etc. Presumably one could back-end this onto a set of ports or
> > packages, so there would be a more scalable command line/scriptable
> > interface.
>
> The packages already exist and are described in the handbook, except they
> haven't yet made it onto the ftp site. You can pick them up from
> http://www.freebsd.org/~kris/openssl in the meantime. Sysinstall support
> is something I'd definitely like to see, but not something I have time (or
> knowledge) to do right now.

Is this an export-friendly location for non-USA folks?

Any chance Jordan or someone wants to hack up an install stage? I think
this is important--especially having it automated, as the automated
one-step install of crypto-based applications is important. If we're
willing to pause the install to ask about X desktops, this sounds like a
good candidate also. It also sounds like a good time to generate an
initial value for USA_RESIDENT in make.conf.

> I'll be adding some instructions to the release notes this weekend, and it
> should be giving a helpful error message if you try and install a port
> which requires RSA and you have a non-RSA library:
>
> .if ${USE_OPENSSL} == RSA
> _HASRSA!=	/usr/bin/nm /usr/lib/libcrypto.a | /usr/bin/grep RSA_free
> .if empty(_HASRSA)
> .BEGIN:
> 	@${ECHO} "This port requires RSA crypto, which is not present in your"
> 	@${ECHO} "version of OpenSSL. Please see Chapter 6.5 in the handbook"
> 	@${ECHO} "for a description of the problem and alternative solutions."
> 	@${FALSE}
> .endif
> .endif

Sounds like a step in the right direction, but currently a no-start due to
lack of handbook in the install.
Although it's more work, I'd rather see an OpenSSL manpage that includes
this information, a sure-fire way to check to see what's installed, a
sysinstall phase, etc.

Thanks! Looks like all this will be great once it's working!

Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
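The "nm /usr/lib/libcrypto.a | grep RSA_free" test that the thread relies on, as an added example that is not part of the original message or of the FreeBSD ports framework: a POSIX sh version that only counts RSA support as present when some object in the archive defines RSA_free (nm symbol type T or t), because a plain grep also matches a "U RSA_free" line from an object that merely references the symbol. The nm listings and object names are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD ports framework.
# Stricter form of "nm /usr/lib/libcrypto.a | grep RSA_free": RSA support
# counts as present only if some object in the archive *defines* RSA_free
# (nm symbol type T or t), not if an object merely references it (type U).

# has_rsa_free: reads nm(1) output on stdin; returns 0 if RSA_free is defined.
has_rsa_free() {
    awk 'NF >= 2 && $NF == "RSA_free" && ($(NF-1) == "T" || $(NF-1) == "t") { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# check_libcrypto: nm the archive (default /usr/lib/libcrypto.a) and report,
# printing the same message the ports check in the thread prints on failure.
# Returns 0 = RSA present, 1 = RSA missing, 2 = archive unreadable.
check_libcrypto() {
    lib=${1:-/usr/lib/libcrypto.a}
    if [ ! -r "$lib" ]; then
        echo "check_libcrypto: cannot read $lib" >&2
        return 2
    fi
    if nm "$lib" | has_rsa_free; then
        echo "$lib: RSA_free defined, RSA crypto present"
        return 0
    fi
    echo "This port requires RSA crypto, which is not present in your" >&2
    echo "version of OpenSSL. Please see Chapter 6.5 in the handbook" >&2
    return 1
}

# Constructed nm listings (hypothetical object names) so the symbol test can
# be exercised without a real libcrypto.a. The second listing is the false
# positive case: a plain "grep RSA_free" would match its "U RSA_free" line.
NM_WITH_RSA='rsa_lib.o:
00000000 T RSA_free
00000120 T RSA_new
pem_lib.o:
         U RSA_free'
NM_WITHOUT_RSA='pem_lib.o:
         U RSA_free
00000000 T PEM_read_bio'

# Typed at a prompt, this inspects the real library: check_libcrypto /usr/lib/libcrypto.a
```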