Date: Sun, 27 Dec 2020 15:49:10 -0800 (PST)
From: "Dan Mahoney (Gushi)" <freebsd@gushi.org>
To: freebsd-ports@freebsd.org
Subject: Re-enabling old ciphers in openssl
Message-ID: <7d31329e-aed5-3b24-a66e-43ef7d3dcbfa@prime.gushi.org>
Hey there all.

This is a "don't try this at home" question. This is not something I'm asking how to do in the general case, but I'd like to know.

It seems that recently (since 1.1.1), OpenSSL has deprecated a number of ciphers and made them disabled by default at compile time. What this means is that any app you want to use those with is also unable to use them. And sure, if that app is "Firefox for day to day browsing", that's fine.

As a sysadmin, I have a need to connect to older Dell iDRACs. I have a need to be able to use Nagios plugins linked against libssl and libcrypto, like check_http. I have a need to be able to use openssl s_client -connect. I occasionally need to ssh in to Cisco switches or APC PDUs that support older ciphers or shorter SSL key lengths (like RSA 768). Sometimes, to manage these things, I need old versions of Java and even Flash. I need to tell browsers that self-signed certs are "okay". I need to use VMs with IE6 because my job is dumb. (This isn't a ports problem, just a way-of-life descriptor.) I just this year retired my last Windows 95 machine, which was running a door-control system for building access cards.

Sysadmins occasionally work with shoestring budgets and are often forced to retrocompute. These systems are protected by ACLs and VPNs, and the best certs they can take. They are not world-facing.

Ergo, I am wondering what the best way forward is to get a reasonably patched version of openssl that has old ciphers turned on (since it is still possible at compile time; the code hasn't been outright removed), that I can build *some* subset of ports against.

Here are the questions I can't seem to answer:

1) There's no make.conf entry to override the openssl ciphers. This needs to be done at the port level. (Probably reasonable; I don't think there should be an insecure "flavor".) But in the interest of making things reproducible, is there a "standard" way to keep this consistent without running "make config" every time, or echo'ing options into /var/db/ports/security-openssl/options?

2) I'm unclear as to what to put in make.conf to tell ONE PORT to use the openssl from ports, while I want all the others to use base. I know this is in some cases asking for trouble, but the nagios plugins are standalone binaries. Is there some method in make.conf or on the port command line to tell ONE PORT to use a defaults+=ssl-openssl without making it the default for ALL PORTS?

3) If I do all that, ports seems to lack a standard way to build static binaries, which is what I'd really like. Is there an easy way to do this, or is it best to work outside the ports system at that point?

-Dan

-- 
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
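The following make.conf fragment is an added example for questions 1 and 2 above; it is not part of Dan's message nor of any reply in the thread, and it is not taken from the FreeBSD ports tree. It assumes that the security/openssl port of the time exposes option names WEAK_SSL_CIPHERS and SSL3 (check with `make -C /usr/ports/security/openssl showconfig` before relying on them) and that the plugins live at the origin net-mgmt/nagios-plugins.

```make
# /etc/make.conf fragment -- added example, not from the original message.
#
# Question 1: per-port OPTIONS can be pinned here instead of in
# /var/db/ports/<origin>/options. The ports framework reads
# <origin_with_underscore>_SET / _UNSET, so this survives 'make rmconfig'
# and is a plain text record you can keep under version control.
# Option names are an assumption; confirm them with:
#   make -C /usr/ports/security/openssl showconfig
security_openssl_SET=	WEAK_SSL_CIPHERS SSL3

# Question 2: DEFAULT_VERSIONS selects the libssl a port links against.
# Leaving it unset keeps base OpenSSL for everything; wrapping it in a
# .CURDIR test applies it only when that one origin is being built.
.if ${.CURDIR:M*/net-mgmt/nagios-plugins}
DEFAULT_VERSIONS+=	ssl=openssl
.endif
```

Two caveats a practitioner would want. First, the `.CURDIR` conditional matches only the port being built in that directory, not its dependencies, so any library nagios-plugins pulls in that also links libssl will still be built against base; that is the "asking for trouble" case, and it is why this only works cleanly for a standalone binary. Second, the short-key part of the problem (an RSA 768 server key) is not a compile-time matter at all in 1.1.1: the default security level rejects keys below 1024 bits at run time, and `openssl s_client -connect host:443 -cipher 'DEFAULT:@SECLEVEL=0'` lowers that check without rebuilding anything. Compile-time options are only needed for cipher suites and protocol versions that the default build leaves out entirely.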