Re: OpenSSL Base vs. OpenSSL Port?
I had been running 6.2 with openssl base for quite a while. Then I attempted to implement the dkim-filter port which required using openssl to generate keys. That's when I noticed that openssl is broken on my machine. See this example: # openssl genrsa -out rsa.private 1024 Error configuring OpenSSL 28086:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_ctrl.c:318: 28086:error:0E07406D:configuration file routines:CONF_modules_load:module initialization error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto /conf/conf_mod.c:234:module=engines, value=openssl_engines, retcode=-1 So I thought rebuilding world might fix it and while I was at it, I upgraded to 6.4 but still have the same problem. I'm not familiar with this problem. If you have the a supported version of 6.X installed, and you've read the documentation, and are convinced that the error is due to some problem with the openssl in base, then you should submit a PR: http://www.freebsd.org/support/bugreports.html Next I tried installing openssl from ports. This openssl seems to work: # /usr/local/bin/openssl genrsa -out rsa.private 1024 Generating RSA private key, 1024 bit long modulus ..++ ..++ e is 65537 (0x10001) But now I am unclear as to what state my system is in. What is the preferred method for using openssl from ports vs. using openssl base. I don't really care which I use but want to avoid trouble with multiple versions of openssl and/or ports compiled against the wrong version. I've been Googling all day but can not find a clear guide. No need to waste time googling -- just go straight to the code, the port makefiles on your system that actually _do_ the work -- in this case /usr/ports/Mk/bsd.openssl.mk (or substitute the value of PORTSDIR for /usr/ports if you've got your Ports tree in some nondefault location). There you will see some comments and the actual code governing the use of the variables. Specifically, what should I have in my /etc/make.conf and what portupgrade command should I use to ensure things are build against the correct openssl? I've seen things like OPENSSL_OVERWRITE_BASE=yes, NO_OPENSSL=yes, WITH_OPENSSL_PORT=yes, WITH_OPENSSL_BETA=yes, and portupgrade -rf openssl but remain confused. Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is a good way -- and then rebuild all ports that depend on openssl. There are many different ways to do this -- you could use: pkgdb -L portupgrade -fur openssl-* (The first command may not be necessary, but I find that the dependencies of some ports on openssl are sometimes missing from the pkgdb, and need to be added.) or portmaster -t -r openssl-* for example. Note that this will only ensure that ports that correctly use USE_OPENSSL are linked to the proper version of openssl -- some ports may not have been constructed properly, and may still end up being linked to the base openssl. You can check if there are any such ports by using ldd(1) or the sysutils/libchk port. b. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: OpenSSL Base vs. OpenSSL Port?
On 6/17/09, b. f. bf1...@googlemail.com wrote: Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is a good way -- and then rebuild all ports that depend on openssl. There are many different ways to do this -- you could use: pkgdb -L portupgrade -fur openssl-* (The first command may not be necessary, but I find that the dependencies of some ports on openssl are sometimes missing from the pkgdb, and need to be added.) or portmaster -t -r openssl-* I should mention that if you are switching from using the base openssl to using the openssl from the port, and you intend to use portupgrade, then you will definitely need to to run pkgdb -L pkgdb -F before running portupgrade, because otherwise no ports will be listed as being dependent upon the openssl port. I'm not sure if portmaster will do this properly, as it uses the existing /var/db/pkg in many cases, which will not contain the correct dependency information. You may need to get a list of ports that USE_OPENSSL, and then update those ports and the ports that depend upon them. For example, you could first install the openssl port, and then use: pkg_info -aoq | xargs -I % make -C /usr/ports/% -V USE_OPENSSL -V PKGNAME | sed -n '/[yY][eE][sS]/{n;p;}' | xargs portmaster -t -r or something like that. b. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: OpenSSL Base vs. OpenSSL Port?
On 6/17/09, b. f. bf1...@googlemail.com wrote: On 6/17/09, b. f. bf1...@googlemail.com wrote: Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is a good way -- and then rebuild all ports that depend on openssl. There are many different ways to do this -- you could use: pkgdb -L portupgrade -fur openssl-* (The first command may not be necessary, but I find that the dependencies of some ports on openssl are sometimes missing from the pkgdb, and need to be added.) or portmaster -t -r openssl-* I should mention that if you are switching from using the base openssl to using the openssl from the port, and you intend to use portupgrade, then you will definitely need to to run pkgdb -L pkgdb -F before running portupgrade, because otherwise no ports will be listed as being dependent upon the openssl port. I'm not sure if portmaster will do this properly, as it uses the existing /var/db/pkg in many cases, which will not contain the correct dependency information. You may need to get a list of ports that USE_OPENSSL, and then update those ports and the ports that depend upon them. For example, you could first install the openssl port, and then use: pkg_info -aoq | xargs -I % make -C /usr/ports/% -V USE_OPENSSL -V PKGNAME | sed -n '/[yY][eE][sS]/{n;p;}' | xargs portmaster -t -r or something like that. b. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: OpenSSL Base vs. OpenSSL Port?
On 6/17/09, b. f. bf1...@googlemail.com wrote: On 6/17/09, b. f. bf1...@googlemail.com wrote: Put WITH_OPENSSL_PORT=yes in your build environment -- /etc/make.conf is a good way -- and then rebuild all ports that depend on openssl. There are many different ways to do this -- you could use: pkgdb -L portupgrade -fur openssl-* (The first command may not be necessary, but I find that the dependencies of some ports on openssl are sometimes missing from the pkgdb, and need to be added.) or portmaster -t -r openssl-* I should mention that if you are switching from using the base openssl to using the openssl from the port, and you intend to use portupgrade, then you will definitely need to to run pkgdb -L pkgdb -F before running portupgrade, because otherwise no ports will be listed as being dependent upon the openssl port. I'm not sure if portmaster will do this properly, as it uses the existing /var/db/pkg in many cases, which will not contain the correct dependency information. You may need to get a list of ports that USE_OPENSSL, and then update those ports and the ports that depend upon them. For example, you could first install the openssl port, and then use: pkg_info -aoq | xargs -I % make -C /usr/ports/% -V USE_OPENSSL -V PKGNAME | sed -n '/[yY][eE][sS]/{n;p;}' | xargs portmaster -t -r or something like that. b. Argh. Sorry about the last (non-)message. I meant to say: Or rather, since (portmaster -r only accepts a single port as an argument -- _sigh_ ) : pkg_info -aoq | xargs -I % make -C /usr/ports/% -V USE_OPENSSL -V PKGNAME | sed -n '/[yY][eE][sS]/{n;p;}' | xargs portmaster -f which is thorough, but overkill. I'd stick with portupgrade or manual 'make deinstall clean install make clean' for this task. b. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
OpenSSL Base vs. OpenSSL Port?
I had been running 6.2 with openssl base for quite a while. Then I attempted to implement the dkim-filter port which required using openssl to generate keys. That's when I noticed that openssl is broken on my machine. See this example: # openssl genrsa -out rsa.private 1024 Error configuring OpenSSL 28086:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_ctrl.c:318: 28086:error:0E07406D:configuration file routines:CONF_modules_load:module initialization error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_mod.c:234:module=engines, value=openssl_engines, retcode=-1 So I thought rebuilding world might fix it and while I was at it, I upgraded to 6.4 but still have the same problem. Next I tried installing openssl from ports. This openssl seems to work: # /usr/local/bin/openssl genrsa -out rsa.private 1024 Generating RSA private key, 1024 bit long modulus ..++ ..++ e is 65537 (0x10001) But now I am unclear as to what state my system is in. What is the preferred method for using openssl from ports vs. using openssl base. I don't really care which I use but want to avoid trouble with multiple versions of openssl and/or ports compiled against the wrong version. I've been Googling all day but can not find a clear guide. Specifically, what should I have in my /etc/make.conf and what portupgrade command should I use to ensure things are build against the correct openssl? I've seen things like OPENSSL_OVERWRITE_BASE=yes, NO_OPENSSL=yes, WITH_OPENSSL_PORT=yes, WITH_OPENSSL_BETA=yes, and portupgrade -rf openssl but remain confused. Thanks, Drew -- Be a Great Magician! Visit The Alchemist's Warehouse http://www.alchemistswarehouse.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org