From: "Dan Mahoney (Gushi)"
To: freebsd-ports@freebsd.org
Date: Sun, 27 Dec 2020 15:49:10 -0800 (PST)
Subject: Re-enabling old ciphers in openssl
Message-ID: <7d31329e-aed5-3b24-a66e-43ef7d3dcbfa@prime.gushi.org>

Hey there all.

This is a "don't try this at home" question. This is not something I'm asking how to do in the general case, but I'd like to know.

It seems recently (since 1.1.1), OpenSSL has deprecated a number of ciphers and made them a compile-time default disable. What this means is that any app that you want to use those with is also unable to use them. And sure, if that app is "Firefox for day to day browsing", that's fine.

As a sysadmin, I have a need to connect to older Dell iDRACs. I have a need to be able to use Nagios plugins linked against libssl and libcrypto, like check_http. I have a need to be able to use openssl s_client -connect. I occasionally need to ssh in to Cisco switches or APC PDUs that support older ciphers or shorter SSL key lengths (like RSA 768). Sometimes, to manage these things, I need old versions of Java and even Flash. I need to tell browsers that self-signed certs are "okay". I need to use VMs with IE6 because my job is dumb. (This isn't a ports problem, just a way of life descriptor). I just this year retired my last Windows 95 machine, which was running a door-control system for building access cards.

Sysadmins occasionally work with shoestring budgets and are often forced to retrocompute. These systems are protected by ACLs and VPNs, and the best certs they can take. They are not world-facing.

Ergo, I am wondering what the best way forward is to get a reasonably patched version of openssl that has old ciphers turned on (since it is still possible at compile-time, the code hasn't been outright removed), that I can build *some* subset of ports against.

Here are the questions I can't seem to answer:

1) There's no make.conf entry to override the openssl ciphers. This needs to be done at the port level. (Probably reasonable, I don't think there should be an insecure "flavor".) But in the interest of making things reproducible, is there a "standard" way to keep this consistent without running "make config" every time, or echoing options into /var/db/ports/security-openssl/options?

2) I'm unclear as to what to put in make.conf to tell ONE PORT to use the openssl from ports, while I want all the others to use base. I know this is in some cases asking for trouble, but the nagios plugins are standalone binaries. Is there some method in make.conf or on the port command line to tell ONE PORT to use a defaults+=ssl-openssl without making it the default for ALL PORTS?

3) If I do all that, ports seems to lack a standard way to build static binaries, which is what I'd really like. Is there an easy way to do this, or is it best to work outside the ports system at that point?

-Dan

-- 
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
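The two make.conf mechanisms that questions 1) and 2) ask about, shown as an added example; this fragment is not from the original post or from the FreeBSD project. It assumes the ports framework's per-port `<origin>_SET` option override (origin with `/` replaced by `_`) and a `.CURDIR` match to scope `DEFAULT_VERSIONS` to a single port; `WEAK_SSL_CIPHERS` is an assumed option name, and `net-mgmt/nagios-plugins` is used as the one port to be pointed at the ports OpenSSL.

```make
# /etc/make.conf fragment (added example, not from the original post).

# 1) Pin the OpenSSL port's options here rather than running "make config"
#    or echoing into /var/db/ports/security-openssl/options, so every rebuild
#    on every box produces the same configuration. The option name below is
#    assumed; list the real ones with:
#        make -C /usr/ports/security/openssl showconfig
security_openssl_SET+=	WEAK_SSL_CIPHERS

# 2) Make ONE port link against the ports OpenSSL while all others keep base.
#    .CURDIR is the directory of the port being built, so this block only
#    fires for net-mgmt/nagios-plugins; DEFAULT_VERSIONS is left alone for
#    every other port, which therefore still builds against base OpenSSL.
.if ${.CURDIR:M*/net-mgmt/nagios-plugins}
DEFAULT_VERSIONS+=	ssl=openssl
.endif
```

Keeping the weakened cipher set behind the `.CURDIR` match means only the monitoring binaries pick up the relaxed OpenSSL build; `make -C /usr/ports/net-mgmt/nagios-plugins -V DEFAULT_VERSIONS` and the same `-V` on another port are a quick way to confirm the scoping took effect before building.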