Date: Fri, 02 May 2014 08:24:38 +0200
From: Uwe Doering <gemini@geminix.org>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
Message-ID: <53633A26.3010701@geminix.org>
In-Reply-To: <AC9A6B25-3AEE-4140-9338-4D21A26AA8B4@odo.in-berlin.de>
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> <CACdU+f_Wo6VDcJkn6tmF8MTU49=rnJM7SB6XxofGZVdukSarHA@mail.gmail.com> <201404272250.s3RMo2NZ095771@catnip.dyslexicfish.net> <445CDD31-5A11-4F5E-92DE-CB11A10E9BDE@odo.in-berlin.de> <5361896C.7010703@bluerosetech.com> <53621BE0.4040704@geminix.org> <15864901-C372-43A8-A6E6-BF0AF73F2EC6@vpnc.org> <536267A0.9010403@geminix.org> <5362725B.6010109@geminix.org> <AC9A6B25-3AEE-4140-9338-4D21A26AA8B4@odo.in-berlin.de>
On 01.05.14 22:24, Michael Grimm wrote:
> On 01.05.2014, at 18:12, Uwe Doering <gemini@geminix.org> wrote:
> [...]
>> And it is also not mentioned there that it is, to
>> my knowledge, considered good practice to have that setting in
>> "/etc/make.conf" in order to avoid any confusion about which port is
>> linked with what version of OpenSSL.
>
> Here's my question: Which knobs are considered good practice? Is it experience, is it gut feeling, religion, ...? I would love to see documentation covering the pros and cons of every "knob" ... I do not complain; I know that is hard work and hard to accomplish.
>
> But any links to documents (besides the ones already mentioned) are highly appreciated.

Well, links to documents I cannot provide, but for years I at least have only these settings in "/etc/make.conf":

KERNCONF=ESCAPEBOX
WITH_OPENSSL_PORT=yes
NO_WARNING_PKG_INSTALL_EOL=yes

Or rather, the last line I added only recently because I haven't switched to the "pkg" port yet. And the first line is only relevant if you compile your own modified kernel, like I do.

There can be other things in it like compiler switches, but I'm rather conservative in this regard and try to keep defaults wherever I can, because these mainstream settings are usually the best tested ones. I need my servers to just run and do their job. In fact, I do not have the time for surprises due to unnecessary experiments.

> E.g.: excuse my ignorance, but should I stay with ...
>
> | www-jail> ldd `which nginx`
> | /usr/local/sbin/nginx:
> |     libcrypt.so.5 => /lib/libcrypt.so.5 (0x8008aa000)
>
> ..., or would there be an alternative in ports? libgcrypt? or? (All my relevant services are compiled from ports and run within jails.)

Don't mix up "libcrypt" with "libcrypto". Only the latter has to do with OpenSSL.

If you install OpenSSL from ports you actually have two sets of similarly named libs, one in "/lib", the other in "/usr/local/lib". In my case (FreeBSD 8.4):

/lib/libcrypto.so.6
/usr/local/lib/libcrypto.so.8

And while I don't have Nginx installed, here is the relevant "ldd" line for Apache's "mod_ssl":

libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800d66000)

I would think that if you haven't had the "WITH_OPENSSL_PORT" directive in "/etc/make.conf" so far it would be best to make sure that you have the latest version of OpenSSL from ports installed and then reinstall all packages that depend on OpenSSL. "portmaster", for instance, has the "-r" option to do this automatically in one go.

Best regards,
Uwe

-- 
Uwe Doering          |  EscapeBox - IT Consulting
gemini@geminix.org   |  http://www.escapebox.net
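A defender-side check for the situation discussed above, added here as an example that is not part of the original thread: it reads "ldd" output and reports whether a binary's libssl/libcrypto resolve to the base system ("/lib") or to the ports OpenSSL ("/usr/local/lib"), ignoring the unrelated "libcrypt". The sample ldd output below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Classify which OpenSSL a dynamically linked binary uses, from "ldd" output
# read on stdin: prints "<lib> base|ports|other" per OpenSSL library.
# Only libssl and libcrypto belong to OpenSSL; libcrypt (no trailing "o") is
# the base-system password-hashing library and is deliberately ignored.
classify_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)  kind = "ports"
            else if ($3 ~ /^\/(usr\/)?lib\//) kind = "base"
            else                              kind = "other"
            print $1, kind
        }'
}

# Summarise ldd output on stdin as "ports", "base", "mixed" (e.g. libssl
# from ports but libcrypto from base after a partial rebuild) or "none"
# (no dynamically linked OpenSSL at all, so ldd cannot tell you anything).
openssl_origin() {
    classify_ldd | awk '
        { count[$2]++; n++ }
        END {
            if (n == 0)                   print "none"
            else if (count["ports"] == n) print "ports"
            else if (count["base"] == n)  print "base"
            else                          print "mixed"
        }'
}

# Constructed sample ldd output (not captured from a real host): an nginx
# linked against the base-system OpenSSL ...
NGINX_BASE='/usr/local/sbin/nginx:
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x8008aa000)
    libssl.so.6 => /lib/libssl.so.6 (0x800b00000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'
# ... and one rebuilt with WITH_OPENSSL_PORT=yes, resolving to /usr/local/lib.
NGINX_PORTS='/usr/local/sbin/nginx:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800b00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800d66000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'

for sample in "$NGINX_BASE" "$NGINX_PORTS"; do
    printf '%s\n' "$sample" | classify_ldd
    echo "=> OpenSSL origin: $(printf '%s\n' "$sample" | openssl_origin)"
done
```

On a real host, pipe `ldd /usr/local/sbin/nginx` into openssl_origin; "base" or "mixed" means the binary was not rebuilt against the ports OpenSSL and will not pick up fixes applied there.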