Date: Tue, 14 Oct 2003 16:37:10 +0300
From: "Toomas Aas" <toomas.aas@raad.tartu.ee>
To: freebsd-questions@freebsd.org
Subject: ignoring openssl port
Message-ID: <200310141337.h9EDb32p017988@lv.raad.tartu.ee>

Hello!

On Mon, 4 Aug 2003 14:48:38 +0300, I wrote:

> Some of my machines were running RELENG_4_7 when I installed ports such
> as apache13_modssl and cyrus-imapd on them. Since that version of
> FreeBSD had OpenSSL 0.9.6 in the base system and these ports required
> 0.9.7, I ended up with openssl port installed on these systems.
> Now that I'm upgrading to RELENG_4_8, which includes OpenSSL 0.9.7, I
> want to get rid of the port. It would just feel cleaner to not have
> multiple versions of same libraries in /usr/lib and /usr/local/lib.

Among several recommendations of how to get rid of the port, the best one seemed to be from Matthew Seaman: define WITH_OPENSSL_BASE=yes, rebuild the dependent ports (make build while the old port is still running), and then "make install" the port. Then remove the OpenSSL port.

Back then I decided that I can live with both base and port version of OpenSSL installed, and I decided not to spend time on following this advice. Now, in light of recent OpenSSL security advisories, something needs to be done. I have upgraded the base system to 4.8-RELEASE-p13, so the base OpenSSL should be safe. I have two options right now:

(1) upgrade the port
(2) get rid of the port, leaving only the base system OpenSSL installed (what I wanted to do back in August)

I'd like to use option (2), so I tried to follow Matthew Seaman's advice. I put WITH_OPENSSL_BASE=yes into /etc/make.conf and tried to run 'make build' in /usr/ports/www/apache13-modssl. This resulted in the following message:

    This port wants the OpenSSL library from the FreeBSD
    base system. You can't build against it, while a newer
    Version is installed by a port.
    Please deinstall the port or undefine WITH_OPENSSL_BASE.

I found the place which causes this message in /usr/ports/Mk/bsd.port.mk:

    .if exists(${LOCALBASE}/lib/libcrypto.so)
    .BEGIN:
    	@${ECHO_CMD} "This port wants the OpenSSL library from the FreeBSD"
    	@${ECHO_CMD} "base system. You can't build against it, while a newer"
    	@${ECHO_CMD} "Version is installed by a port."
    	@${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
    	@${FALSE}
    .endif

Looking at this while not being a Makefile guru, it seems to me that this merely checks if /usr/local/lib/libcrypto.so exists and if it does then the port build process is halted with the message. But this would mean that WITH_OPENSSL_BASE cannot be used at all if the port is installed. If that were true, there wouldn't be any point in having this variable in the first place, so I must be overlooking something.

Anyway, I tried commenting out the above passage in /usr/ports/Mk/bsd.port.mk and rebuilding another port which depends on OpenSSL, namely /usr/ports/ftp/wget. I checked with ldd /usr/local/bin/wget before and after installing and this showed that now I indeed have wget linked against /usr/lib/libssl.so.3, whereas before it was linked against /usr/local/lib/libssl.so.3.

Before I try the same with apache13-modssl port, I just wanted to verify if commenting out the above passage in /usr/ports/Mk/bsd.port.mk can cause any unforeseen damage.

Sorry for the long message. When I started out I didn't realise that it takes so many keystrokes to word such a simple question ;-)

--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Key ring - a handy little gadget that allows you to lose all your keys at once.
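
The ldd check described in the message above, as an added example that is not part of the original post: a small script that classifies whether a binary loads libssl/libcrypto from the base system or from the port, so every dependent binary can be checked before the OpenSSL port is removed. The function names and the sample ldd output are constructed for illustration; LOCALBASE is assumed to default to /usr/local.

```sh
#!/bin/sh
# Added example: report which OpenSSL copy a binary resolves at load time.
# LOCALBASE mirrors the ports variable; /usr/local is the default assumed here.
LOCALBASE="${LOCALBASE:-/usr/local}"

# Reads `ldd` output on stdin and prints one of: port, base, mixed, none.
# "mixed" means libssl and libcrypto come from different copies, which can
# happen while both the base and the port version are installed.
classify_openssl_linkage() {
    awk -v lb="$LOCALBASE/lib/" '
        # Only lines of the form "libssl.so.N => /path (addr)" matter.
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 !~ /^\//) next            # unresolved ("not found")
            if (index($3, lb) == 1) port = 1 # under LOCALBASE/lib
            else base = 1                    # anything else counts as base
        }
        END {
            if (port && base) print "mixed"
            else if (port)    print "port"
            else if (base)    print "base"
            else              print "none"
        }'
}

# Runs ldd on each argument and lists binaries still loading the port copy.
audit_binaries() {
    for bin in "$@"; do
        kind=$(ldd "$bin" 2>/dev/null | classify_openssl_linkage)
        case "$kind" in
            port|mixed) printf '%s\t%s\n' "$kind" "$bin" ;;
        esac
    done
}

# Constructed sample ldd output (addresses are made up), before and after
# rebuilding wget against the base OpenSSL.
SAMPLE_BEFORE='/usr/local/bin/wget:
	libssl.so.3 => /usr/local/lib/libssl.so.3 (0x28085000)
	libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280b6000)
	libc.so.4 => /usr/lib/libc.so.4 (0x281b9000)'
SAMPLE_AFTER='/usr/local/bin/wget:
	libssl.so.3 => /usr/lib/libssl.so.3 (0x28085000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280b6000)
	libc.so.4 => /usr/lib/libc.so.4 (0x281b9000)'

# Usage: sh script.sh /usr/local/bin/* /usr/local/sbin/*
if [ "$#" -gt 0 ]; then audit_binaries "$@"; fi
```

An empty report from `audit_binaries` means none of the listed binaries still resolve OpenSSL from under LOCALBASE.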