Re: security/heimdal generates openssl conflict [was - Re: Installing openssl from ports]
On 26/03/2013 11:53, Shane Ambler wrote:

> Either the man pages list is incorrect or heimdal installs a duplicate copy of the openssl man pages - maybe this could be disabled if openssl from ports is used.

For reference - heimdal includes source for libhcrypto which it uses if openssl is not present. While it doesn't install libhcrypto it still installs the man pages, which conflict with the openssl port man pages.

I have submitted a patch to fix this - http://www.freebsd.org/cgi/query-pr.cgi?pr=177397

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: security/heimdal generates openssl conflict [was - Re: Installing openssl from ports]
On 26/03/2013 00:42, Jim Ballantine wrote:

> Hi
>
> I had removed the port, but it was reinstalled as a dependency of other ports. I have WITH_OPENSSL_PORT=yes in /etc/make.conf, and after I do a pkg delete -f heimdal openssl installs fine, but when I try to install heimdal from ports (with DISABLE_CONFLICTS= openssl-1.0.1_8 in the Makefile) the install ends with:
>
> snip
>
> Stop in /usr/ports/security/heimdal.
>
> So I must be doing something wrong, but what??

You're not doing anything wrong, that's why I cc'd the last email to the heimdal maintainer. I might look at making a patch to fix it today and submit a PR as it appears the maintainer didn't respond to a previous PR.

From what I see heimdal includes the openssl man pages in its list of files it installs, the new pkg system is picking up the same files installed by openssl and heimdal and preventing the conflict, while the old install system overlooked it.

Either the man pages list is incorrect or heimdal installs a duplicate copy of the openssl man pages - maybe this could be disabled if openssl from ports is used.
Re: Installing openssl from ports
On 22/03/2013 04:36, Jim Ballantine wrote:

> But when I attempt to install the latest openssl for the port system, it fails with a conflict (installs file in the same place) with heimdal.

Take a close look at the message and what happens before. openssl only gives a conflict message if the base version is newer than the port.

Heimdal conflicts with krb4 krb5 and srp

Any other conflicts will be from dependencies, you'll need to check what port brings in a dependency that generates the conflict.
Re: Installing openssl from ports
The port is newer than the base version: port is 1.0.1_8 and the base is 0.9.2

Both openssl and heimdal install fine from the base system src, it's only when I try to install openssl from the ports, with heimdal installed by the base system that I get the error.

When I run make install, what I get before the conflict message is:

    === Compressing manual pages for openssl-1.0.1_8zopenssl-1.0.1_8
    === Running ldconfig
    /sbin/ldconfig -m /usr/local/lib
    Installing openssl-1.0.1_8...pkg: openssl-1.0.1_8 conflicts with heimdal-1.5.2_4 (installs files into the same place). Problematic files: /usr/local/man/man3/DH_generate_key.3.gz
    *** [fale-pkg] Error code 70

On Fri, Mar 22, 2013 at 8:09 AM, Shane Ambler free...@shaneware.biz wrote:

> On 22/03/2013 04:36, Jim Ballantine wrote:
>
>> But when I attempt to install the latest openssl for the port system, it fails with a conflict (installs file in the same place) with heimdal.
>
> Take a close look at the message and what happens before. openssl only gives a conflict message if the base version is newer than the port.
>
> Heimdal conflicts with krb4 krb5 and srp
>
> Any other conflicts will be from dependencies, you'll need to check what port brings in a dependency that generates the conflict.
Installing openssl from ports
Hi,

I understand that heimdal and openssl are both part of the base system and both install fine with a system build/install. But when I attempt to install the latest openssl for the port system, it fails with a conflict (installs file in the same place) with heimdal. I've searched the web for an answer but haven't found one and asked the port owner.

So my question is short of editing the Make file to remove the installation of the file in conflict, what do I need to do to install the openssl port?

Thanks

Jim Ballantine
Re: Installing openssl from ports
On Thu, 21 Mar 2013 14:06:52 -0400 Jim Ballantine articulated:

> Hi,
>
> I understand that heimdal and openssl are both part of the base system and both install fine with a system build/install. But when I attempt to install the latest openssl for the port system, it fails with a conflict (installs file in the same place) with heimdal. I've searched the web for an answer but haven't found one and asked the port owner.
>
> So my question is short of editing the Make file to remove the installation of the file in conflict, what do I need to do to install the openssl port?

I have the port version installed also. You need to put this in your /etc/make.conf file sans quotations marks:

    WITH_OPENSSL_PORT=yes

and then build the port. Be sure to run make config in the port prior to actually building it and that is about it. If you are building it manually, you might want to run make clean in the port prior to attempting to build it though.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: openssl from ports
On Fri, 02 Mar 2012 23:43:32 + Matthew Seaman articulated:

> Stable/9, but this hasn't changed in 9.0-RELEASE:
>
>     worm:~:# /usr/bin/openssl version
>     OpenSSL 0.9.8q 2 Dec 2010

Matthew, why does FreeBSD continue to use an older version of OPENSSL for the base system when a newer version is available? While I could understand, even if not fully approve the use of an older version in the same major version, its continued use as the de facto standard in an entirely new major version release is counter productive. There have been many improvements in the 1.x release of OPENSSL so I fail to see the logical use of the older version. If anything, they (the FreeBSD developers) could keep this older version available in the ports system and use the newer version as the default in the base system.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: openssl from ports
On 03/03/2012 12:19, Jerry wrote:

> On Fri, 02 Mar 2012 23:43:32 + Matthew Seaman articulated:
>
>> Stable/9, but this hasn't changed in 9.0-RELEASE:
>>
>>     worm:~:# /usr/bin/openssl version
>>     OpenSSL 0.9.8q 2 Dec 2010
>
> Matthew, why does FreeBSD continue to use an older version of OPENSSL for the base system when a newer version is available? While I could understand, even if not fully approve the use of an older version in the same major version, its continued use as the de facto standard in an entirely new major version release is counter productive. There have been many improvements in the 1.x release of OPENSSL so I fail to see the logical use of the older version. If anything, they (the FreeBSD developers) could keep this older version available in the ports system and use the newer version as the default in the base system.

Unfortunately I can't answer that. I'm not in any position to decide such things. However I can hazard a guess at some of the possible reasons:

* openssl API changes between 0.9.x and 1.0.0 mean updating the shlibs is not a trivial operation, and it was judged that the benefits obtained from updating did not justify the effort.

* no one had any time to import the new version. There's plenty of security-critical stuff depending on openssl, and making sure all of that didn't suffer from any regressions is not a trivial job.

* simply that no one thought of doing the upgrade.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: openssl from ports
Matthew Seaman wrote:

>>> Stable/9, but this hasn't changed in 9.0-RELEASE:
>>>
>>>     worm:~:# /usr/bin/openssl version
>>>     OpenSSL 0.9.8q 2 Dec 2010
>>
>> Matthew, why does FreeBSD continue to use an older version of OPENSSL for the base system when a newer version is available? While I could understand, even if not fully approve the use of an older version in the same major version, its continued use as the de facto standard in an entirely new major version release is counter productive. There have been many improvements in the 1.x release of OPENSSL so I fail to see the logical use of the older version. If anything, they (the FreeBSD developers) could keep this older version available in the ports system and use the newer version as the default in the base system.
>
> Unfortunately I can't answer that. I'm not in any position to decide such things. However I can hazard a guess at some of the possible reasons:
>
> * openssl API changes between 0.9.x and 1.0.0 mean updating the shlibs is not a trivial operation, and it was judged that the benefits obtained from updating did not justify the effort.
>
> * no one had any time to import the new version. There's plenty of security-critical stuff depending on openssl, and making sure all of that didn't suffer from any regressions is not a trivial job.
>
> * simply that no one thought of doing the upgrade.

Actually there is something weird about openssl maintenance:

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/163951

I asked in the lists, bugged different persons and still can't get clear answer about this vulnerability. You know I'm just not feeling safe with ECDSA keys...

-- 
Sphinx of black quartz judge my vow.
Re: openssl from ports
On Sat, 03 Mar 2012 12:49:18 + Matthew Seaman articulated:

> Unfortunately I can't answer that. I'm not in any position to decide such things. However I can hazard a guess at some of the possible reasons:
>
> * openssl API changes between 0.9.x and 1.0.0 mean updating the shlibs is not a trivial operation, and it was judged that the benefits obtained from updating did not justify the effort.
>
> * no one had any time to import the new version. There's plenty of security-critical stuff depending on openssl, and making sure all of that didn't suffer from any regressions is not a trivial job.
>
> * simply that no one thought of doing the upgrade.

Thanks Matthew. Personally, I have my own take on the matter.

Regarding your first two possibilities, I believe the problem can be directly traced to procrastination. At some point in time, there will come the need to update the base system's OPENSSL version. Procrastination only doubles the work you have to do tomorrow. It reminds me of what a college professor once told me, There is never enough time to do it right, but there is always enough time to do it over. Sad but true.

As to your third possibility, the need to update the port has been mentioned several times on this forum over the past year. I find it extremely improbable that no one considered the possibility that the existing application might not be up-to-date. Yet, as has been stated numerous times, if you always expect the worst in people you will never be disappointed.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: openssl from ports
On Sat, 3 Mar 2012 08:31:41 -0500 Jerry wrote:

> On Sat, 03 Mar 2012 12:49:18 + Matthew Seaman articulated:
>
>> Unfortunately I can't answer that. I'm not in any position to decide such things. However I can hazard a guess at some of the possible reasons:
>>
>> * openssl API changes between 0.9.x and 1.0.0 mean updating the shlibs is not a trivial operation, and it was judged that the benefits obtained from updating did not justify the effort.
>>
>> * no one had any time to import the new version. There's plenty of security-critical stuff depending on openssl, and making sure all of that didn't suffer from any regressions is not a trivial job.
>
> Thanks Matthew. Personally, I have my own take on the matter.
>
> Regarding your first two possibilities, I believe the problem can be directly traced to procrastination. At some point in time, there will come the need to update the base system's OPENSSL version. Procrastination only doubles the work you have to do tomorrow.

In general skipping versions and letting the more gung-ho linux distributions knock the bugs out doesn't double the work.

> It reminds me of what a college professor once told me, There is never enough time to do it right, but there is always enough time to do it over. Sad but true.

I would interpret this in completely the opposite way. This is an argument for using mature software, keeping it well patched and updating only when the case for updating justifies the effort of doing it properly.
Re: openssl from ports
On Sat, Mar 3, 2012 at 8:31 AM, Jerry je...@seibercom.net wrote:

> On Sat, 03 Mar 2012 12:49:18 + Matthew Seaman articulated:
>
>> Unfortunately I can't answer that. I'm not in any position to decide such things. However I can hazard a guess at some of the possible reasons:
>>
>> * openssl API changes between 0.9.x and 1.0.0 mean updating the shlibs is not a trivial operation, and it was judged that the benefits obtained from updating did not justify the effort.
>>
>> * no one had any time to import the new version. There's plenty of security-critical stuff depending on openssl, and making sure all of that didn't suffer from any regressions is not a trivial job.
>>
>> * simply that no one thought of doing the upgrade.
>
> Thanks Matthew. Personally, I have my own take on the matter.
>
> Regarding your first two possibilities, I believe the problem can be directly traced to procrastination. At some point in time, there will come the need to update the base system's OPENSSL version. Procrastination only doubles the work you have to do tomorrow. It reminds me of what a college professor once told me, There is never enough time to do it right, but there is always enough time to do it over. Sad but true.
>
> As to your third possibility, the need to update the port has been mentioned several times on this forum over the past year. I find it extremely improbable that no one considered the possibility that the existing application might not be up-to-date. Yet, as has been stated numerous times, if you always expect the worst in people you will never be disappointed.

I'm replying off-list. No need to reply this back onto the list.

Please don't accuse a volunteer project of procrastination. If there is not enough manpower to make a change to the operating system, then roll up your sleeves and contribute. Throwing non-constructive insults at the project when you yourself are not contributing to the effort that you're complaining about achieves nothing.

I've seen this type of attitude many times over the years in free software projects from users, and it shouldn't continue. Also, please don't feel insulted. We both like FreeBSD. Just make your contributions constructive.
Re: openssl from ports
One more thing. An easy contribution that could be made is to replace the old version of openssl with the new in the src tree of CURRENT. Then build world and see what breaks. Try to fix what has broken. Contribute patches up to the point that you don't understand the next step or you have build world working without errors.

Then you will have warm and fuzzies.
Re: openssl from ports
Oops. Sorry, my mail reader must have recently changed the behavior of the reply button to always reply all. I meant that to be off-list.

I apologize.
Re: openssl from ports
On Sat, 3 Mar 2012 16:41:13 -0500 Robert Simmons articulated:

> Oops. Sorry, my mail reader must have recently changed the behavior of the reply button to always reply all. I meant that to be off-list.

Thanks Robert, there aren't many things I appreciate more than advice and criticism from someone who cannot figure out how to use an MUA. When you do that, you can come back and talk to me; however, do it on list -- something you are quite good at.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: openssl from ports
On Sat, Mar 3, 2012 at 5:11 PM, Jerry je...@seibercom.net wrote:

> On Sat, 3 Mar 2012 16:41:13 -0500 Robert Simmons articulated:
>
>> Oops. Sorry, my mail reader must have recently changed the behavior of the reply button to always reply all. I meant that to be off-list.
>
> Thanks Robert, there aren't many things I appreciate more than advice and criticism from someone who cannot figure out how to use an MUA. When you do that, you can come back and talk to me; however, do it on list -- something you are quite good at.

Your insults have no effect on me. Why don't you focus your energy on making valuable contributions to the project rather than hurling insults?
Re: openssl from ports
On 03/04/12 08:50, Robert Simmons wrote:

> On Sat, Mar 3, 2012 at 5:11 PM, Jerry je...@seibercom.net wrote:
>
>> On Sat, 3 Mar 2012 16:41:13 -0500 Robert Simmons articulated:
>>
>>> Oops. Sorry, my mail reader must have recently changed the behavior of the reply button to always reply all. I meant that to be off-list.
>>
>> Thanks Robert, there aren't many things I appreciate more than advice and criticism from someone who cannot figure out how to use an MUA. When you do that, you can come back and talk to me; however, do it on list -- something you are quite good at.
>
> Your insults have no effect on me. Why don't you focus your energy on making valuable contributions to the project rather than hurling insults?

Actually, Jerry's got this little trick up his sleeve where every reply to him goes straight back to this list:

    reply-to: freebsd-questions@freebsd.org

So if you want to reply privately you need reply all and delete the other addresses.

There's nothing wrong with your use of an MUA, just unexpected behavior is all.

Not unusual for him really... :)
Re: openssl from ports
Robert == Robert Simmons rsimmo...@gmail.com writes:

Robert> I'm replying off-list. No need to reply this back onto the list.

Eh?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
openssl from ports
I know openssl is in the core, but the version in FreeBSD 8.2 is vulnerable to some recent attacks. (Hmm, I wonder why there hasn't been an 8.2 update then...)

I installed the version from ports, which was recently updated, but now I'm not sure how to get my other ports to use that port instead of the core libraries.

Is it sufficient to restart the apps (apache in particular), or do I need to recompile things?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: openssl from ports
On Fri, Mar 2, 2012 at 5:00 PM, Randal L. Schwartz mer...@stonehenge.com wrote:

> I know openssl is in the core, but the version in FreeBSD 8.2 is vulnerable to some recent attacks. (Hmm, I wonder why there hasn't been an 8.2 update then...)

Which attacks are you referring to?

> I installed the version from ports, which was recently updated, but now I'm not sure how to get my other ports to use that port instead of the core libraries.
>
> Is it sufficient to restart the apps (apache in particular), or do I need to recompile things?

You will need to recompile ports that depend on OpenSSL, passing WITH_OPENSSL_PORT= flag to make. My preferred way to do this is to install ports-mgmt/portconf and use something like this for /usr/local/etc/ports.conf:

    *: WITHOUT_IPV6 | WITHOUT_NLS | WITHOUT_X11 | WITHOUT_GTK | WITH_OPENSSL_PORT

- Max
Re: openssl from ports
Maxim == Maxim Khitrov m...@mxcrypt.com writes:

Maxim> On Fri, Mar 2, 2012 at 5:00 PM, Randal L. Schwartz mer...@stonehenge.com wrote:

>> I know openssl is in the core, but the version in FreeBSD 8.2 is vulnerable to some recent attacks. (Hmm, I wonder why there hasn't been an 8.2 update then...)

Maxim> Which attacks are you referring to?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109

Theoretically, this should have triggered a FreeBSD 8.2 security update, now that I keep thinking about it. Did I miss an announcement in the past few days?

>> I installed the version from ports, which was recently updated, but now I'm not sure how to get my other ports to use that port instead of the core libraries.
>>
>> Is it sufficient to restart the apps (apache in particular), or do I need to recompile things?

Maxim> You will need to recompile ports that depend on OpenSSL, passing WITH_OPENSSL_PORT= flag to make. My preferred way to do this is to install ports-mgmt/portconf and use something like this for /usr/local/etc/ports.conf:

Maxim>     *: WITHOUT_IPV6 | WITHOUT_NLS | WITHOUT_X11 | WITHOUT_GTK | WITH_OPENSSL_PORT

Is that the same as setting it in /etc/make.conf ? That's where I have WITHOUT_X11=yes.

And you're gonna regret that WITHOUT_IPV6 in a couple of months. :)

(Googling a bit..) Oh, it makes it easier to make it non-universal. Cool.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: openssl from ports
On Fri, 02 Mar 2012 14:00:06 -0800 Randal L. Schwartz articulated:

> I know openssl is in the core, but the version in FreeBSD 8.2 is vulnerable to some recent attacks. (Hmm, I wonder why there hasn't been an 8.2 update then...)
>
> I installed the version from ports, which was recently updated, but now I'm not sure how to get my other ports to use that port instead of the core libraries.
>
> Is it sufficient to restart the apps (apache in particular), or do I need to recompile things?

I have used the port's version for quite some time now. I am not sure if it is still required; however, I placed the following in the /etc/make.conf file:

    WITH_OPENSSL_PORT=yes

I then rebuilt all of the ports that require OpenSSL. Perhaps someone else has an easier solution.

BTW, if you find a port that does not build with the port's version, file a PR against it. I found several that had to be fixed before they built correctly. Maybe they have all been fixed by now. That was over two years ago.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: openssl from ports
Jerry == Jerry je...@seibercom.net writes:

Jerry> I have used the port's version for quite some time now. I am not sure if it is still required; however, I placed the following in the /etc/make.conf file:

Jerry>     WITH_OPENSSL_PORT=yes

Jerry> I then rebuilt all of the ports that require OpenSSL. Perhaps someone else has an easier solution.

Ahh, according to my read of /usr/ports/Mk/bsd.openssl.mk, it looks like:

    # if no preference was set, check for an installed base version
    # but give an installed port preference over it.
    .if !defined(WITH_OPENSSL_BASE) && \
        !defined(WITH_OPENSSL_PORT) && \
        !exists(${DESTDIR}/${LOCALBASE}/lib/libcrypto.so) && \
        exists(${DESTDIR}/usr/include/openssl/opensslv.h)
    WITH_OPENSSL_BASE=yes
    .endif

and later

    .if exists(${LOCALBASE}/lib/libcrypto.so)
    check-depends::
            @${ECHO_CMD} "Dependency error: this port wants the OpenSSL library from the FreeBSD"
            @${ECHO_CMD} "base system. You can't build against it, while a newer"
            @${ECHO_CMD} "version is installed by a port."
            @${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
            @${FALSE}
    .endif

So it looks like modern FreeBSD will Do The Right Thing if I just recompile the apache22 port.

Once I knew what to look for, I found it with a bit of grepping.

Thanks!

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: openssl from ports
On Fri, 02 Mar 2012 14:27:23 -0800 Randal L. Schwartz articulated:

> So it looks like modern FreeBSD will Do The Right Thing if I just recompile the apache22 port.
>
> Once I knew what to look for, I found it with a bit of grepping.

On a FreeBSD-8.2 STABLE system, I have this as the OPENSSL versions:

    ~ $ /usr/bin/openssl version
    OpenSSL 0.9.8q 2 Dec 2010

    ~ $ /usr/local/bin/openssl version
    OpenSSL 1.0.0g 18 Jan 2012

I am not sure why the base system lags so far behind the ports version, but it does. What is the base version in the FreeBSD-9.0 release?

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: openssl from ports
On 02/03/2012 23:21, Jerry wrote:

> I am not sure why the base system lags so far behind the ports version, but it does. What is the base version in the FreeBSD-9.0 release?

Stable/9, but this hasn't changed in 9.0-RELEASE:

    worm:~:# /usr/bin/openssl version
    OpenSSL 0.9.8q 2 Dec 2010

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: openssl from ports
On 02/03/2012 22:27, Randal L. Schwartz wrote:

> Ahh, according to my read of /usr/ports/Mk/bsd.openssl.mk, it looks like:
>
>     # if no preference was set, check for an installed base version
>     # but give an installed port preference over it.
>     .if !defined(WITH_OPENSSL_BASE) && \
>         !defined(WITH_OPENSSL_PORT) && \
>         !exists(${DESTDIR}/${LOCALBASE}/lib/libcrypto.so) && \
>         exists(${DESTDIR}/usr/include/openssl/opensslv.h)
>     WITH_OPENSSL_BASE=yes
>     .endif
>
> and later
>
>     .if exists(${LOCALBASE}/lib/libcrypto.so)
>     check-depends::
>             @${ECHO_CMD} "Dependency error: this port wants the OpenSSL library from the FreeBSD"
>             @${ECHO_CMD} "base system. You can't build against it, while a newer"
>             @${ECHO_CMD} "version is installed by a port."
>             @${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
>             @${FALSE}
>     .endif
>
> So it looks like modern FreeBSD will Do The Right Thing if I just recompile the apache22 port.
>
> Once I knew what to look for, I found it with a bit of grepping.

You do need WITH_OPENSSL_PORT=yes in /etc/make.conf or equivalent; just installing security/openssl alone will cause any port that links against openssl shlibs to emit rude messages.

Also, beware of any apache modules that might link against openssl in their own right which should also be rebuilt to use the ports version -- the classic example here is php5-openssl loaded via mod_php -- but there are many ways of doing this. Trying to load two different OpenSSL shlibs into the same execution image causes instant crash and burn.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: Disabling openssl from ports
On 3 Feb 2010, at 03:36, Olivier Nicole wrote:

> I have one port, namely /usr/ports/www/pound that needs the version of openssl from the ports (/usr/ports/security/openssl).
>
> But other ports work way better with the stock openssl from the system.

Personally, I've been using the ports version of openssl on a number of machines, and I haven't run into the sort of problems you claim. There is not a lot between the ports of the base system, especially if you're running a recent version of FreeBSD -- it's another port to manage, but you get access to various bits of new functionality.

> Is there a configuration somewhere that could be used to say that no-one except pound should use openssl from the ports?
>
> The only way I see is to put includes and libraries of openssl in some obscure place and have pound point to them.

OK, this /should/ work. Add the following to /etc/make.conf:

    WITH_OPENSSL_BASE= yes
    .if ${.CURDIR:M*/www/pound}
    WITH_OPENSSL_PORT= yes
    .endif

Test SSL-using executables with ldd(1) to see which copy of libcrypto they link against.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
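
The ldd(1) check suggested in this thread, written out as an added example (not code from any poster or from the FreeBSD project). It classifies ldd output for one process image, meaning an executable plus the modules it loads, and flags the case where both OpenSSL copies would end up in the same image. It assumes base libraries resolve under /lib or /usr/lib and port libraries under `${LOCALBASE}/lib`; the sample ldd output, sonames and module path are constructed.

```shell
#!/bin/sh
# Added example: which OpenSSL copy does a process image resolve to?
# Reads ldd(1) output on stdin; prints one of:
#   mixed, unresolved, port, base, none
# Assumption: base libs are in /lib or /usr/lib, port libs are under
# ${LOCALBASE}/lib (LOCALBASE defaults to /usr/local).
classify_openssl_linkage() {
    awk -v localbase="${LOCALBASE:-/usr/local}" '
        # Match "libssl.so.N => /path (0xaddr)" and the libcrypto equivalent.
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 == "not")                        missing = 1
            else if (index($3, localbase "/") == 1) port = 1
            else if ($3 ~ /^\/(usr\/)?lib\//)       base = 1
        }
        END {
            if (port && base) print "mixed"       # two OpenSSL copies in one image
            else if (missing) print "unresolved"  # library reported as not found
            else if (port)    print "port"
            else if (base)    print "base"
            else              print "none"
        }'
}

# Constructed sample: a daemon rebuilt against the port.
sample_port_only() {
    cat <<'EOF'
/usr/local/sbin/httpd:
	libssl.so.7 => /usr/local/lib/libssl.so.7 (0x800a5e000)
	libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x800cb8000)
	libc.so.7 => /lib/libc.so.7 (0x801068000)
EOF
}

# Constructed sample: same daemon, plus a loadable module that was not
# rebuilt and still resolves to the base system libraries.
sample_mixed() {
    cat <<'EOF'
/usr/local/sbin/httpd:
	libssl.so.7 => /usr/local/lib/libssl.so.7 (0x800a5e000)
	libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x800cb8000)
	libc.so.7 => /lib/libc.so.7 (0x801068000)
/usr/local/libexec/example/module.so:
	libssl.so.6 => /usr/lib/libssl.so.6 (0x801400000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x801652000)
	libc.so.7 => /lib/libc.so.7 (0x801068000)
EOF
}

if [ "$#" -gt 0 ]; then
    # Arguments are treated as one image: the executable and its modules.
    ldd "$@" 2>/dev/null | classify_openssl_linkage
else
    echo "port-only sample: $(sample_port_only | classify_openssl_linkage)"
    echo "mixed sample:     $(sample_mixed | classify_openssl_linkage)"
fi
```

Pass the executable together with every module it loads at run time; ldd on the executable alone does not show libraries pulled in by modules loaded later.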
Re: Disabling openssl from ports
> OK, this /should/ work. Add the following to /etc/make.conf:
>
>     WITH_OPENSSL_BASE= yes
>     .if ${.CURDIR:M*/www/pound}
>     WITH_OPENSSL_PORT= yes
>     .endif

No, it won't -- at least, if you leave it in make.conf after building www/pound, it will break all subsequent rebuilds of all other ports that depend upon the base system openssl. Matthew, you ought to know better ... From bsd.openssl.mk:

    .if defined(WITH_OPENSSL_BASE)
    ...
    .if exists(${LOCALBASE}/lib/libcrypto.so)
    check-depends::
        @${ECHO_CMD} "Dependency error: this port wants the OpenSSL library from the FreeBSD"
        @${ECHO_CMD} "base system. You can't build against it, while a newer"
        @${ECHO_CMD} "version is installed by a port."
        @${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
        @${FALSE}
    .endif

Mixing and matching the different openssl versions can lead to problems (for one thing, there are too many sloppy LDFLAGS=-L${LOCALBASE}/lib floating around in different ports), and you'll have to hack port Makefiles and use ldd(1) or other tools to verify that your changes work. You're probably better off just using one or the other.

If you still want to try it, then I suggest installing security/openssl in non-default PREFIX, then patching the www/pound Makefile so that it doesn't use USE_OPENSSL, and then adding whatever variables are needed by its configure script to locate and link with security/openssl to CONFIGURE_ENV and/or MAKE_ENV, as well as the proper LIB_DEPENDS on security/openssl.

After doing this and installing www/pound, if rtld(1) is still loading the base system openssl when www/pound binaries are executed, or can't find the security/openssl libraries off in their non-default location, then use libmap.conf(5) to point (only) the www/pound binaries to the security/openssl libraries. You'll have to ensure that your changes to www/pound's Makefile aren't wiped out by subsequent updates to your Ports tree, of course.

b.
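The ldd(1) check recommended in the messages above, for a program together with the modules it loads, can be scripted. This is an added example, not code from the thread or from the ports tree; it assumes the default LOCALBASE of /usr/local, and the ldd listing (including the PHP extension path) is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): report which OpenSSL copy each file
# in an ldd(1) listing resolves to, and whether one process image mixes them.
LOCALBASE="${LOCALBASE:-/usr/local}"   # assumption: default ports prefix

# stdin: ldd(1) output for one or more files. stdout: "<file> <origin>" per
# file, origin being none, base, port, other or mixed.
per_file_origin() {
    awk -v lb="$LOCALBASE/lib/" '
        function emit() { if (file != "") print file, (seen == "" ? "none" : seen) }
        # A header line such as "/usr/local/sbin/httpd:" starts a new file.
        /^[^ \t].*:$/ { emit(); file = substr($0, 1, length($0) - 1); seen = ""; next }
        # Dependency lines: "libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x...)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, lb) == 1)              o = "port"
            else if ($3 ~ /^\/(usr\/)?lib\//)    o = "base"
            else                                 o = "other"
            if (seen == "") seen = o
            else if (seen != o) seen = "mixed"
        }
        END { emit() }'
}

# stdin: the same listing for a program plus every module it loads.
# stdout: one verdict for the whole image; "mixed" is the crash case.
image_verdict() {
    per_file_origin | awk '
        $NF != "none" { if (v == "") v = $NF; else if (v != $NF) v = "mixed" }
        END { print (v == "" ? "none" : v) }'
}

# Constructed sample: httpd built against the port, a PHP extension still
# linked against the base library. Paths and addresses are illustrative.
sample_ldd() {
    cat <<'EOF'
/usr/local/sbin/httpd:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/lib/php/openssl.so:
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
EOF
}

sample_ldd | per_file_origin
echo "image: $(sample_ldd | image_verdict)"
```

On a real host, pipe the output of ldd(1) for the program and each of its modules into image_verdict; a "mixed" verdict means something still has to be rebuilt against the chosen OpenSSL.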
Re: Disabling openssl from ports
On 03/02/2010 12:57, b. f. wrote:

>> OK, this /should/ work. Add the following to /etc/make.conf:
>>
>>     WITH_OPENSSL_BASE= yes
>>     .if ${.CURDIR:M*/www/pound}
>>     WITH_OPENSSL_PORT= yes
>>     .endif
>
> No, it won't -- at least, if you leave it in make.conf after building www/pound, it will break all subsequent rebuilds of all other ports that depend upon the base system openssl. Matthew, you ought to know better ...

That's what I get for not testing. In fact, it doesn't work at all -- pound gets linked against the base system openssl. That's because 'WITH_OPENSSL_BASE' is defined, and that takes precedence over 'WITH_OPENSSL_PORT'. If I fix that, then, yes, you can't install any ports subsequently that link against the base OpenSSL.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Disabling openssl from ports
Hi,

I have one port, namely /usr/ports/www/pound that needs the version of openssl from the ports (/usr/ports/security/openssl). But other ports work way better with the stock openssl from the system.

Is there a configuration somewhere that could be used to say that no-one except pound should use openssl from the ports? The only way I see is to put includes and libraries of openssl in some obscure place and have pound point to them.

Best regards,

Olivier
Re: Installing OpenSSL from ports, how to remove base-openssl?
Frederique Rijsdijk frederi...@isafeelin.org writes:

> For a certain customer that wants to use a later version of OpenSSL (base is at 'e' while ports is at 'j') I installed /usr/ports/security/openssl. This is all fine, but now I have two sets of binaries and libraries of OpenSSL on that system.

To build your ports with the openssl version in /usr/ports:

    # echo WITH_OPENSSL_PORT=yes >> /etc/make.conf

> What is the proper way to remove the base openssl? I looked with sysinstall distributions but it's not listed there as something that you can add or remove.

    # echo WITHOUT_OPENSSL=yes >> /etc/src.conf
    # cd /usr/src && make check-old
    # make delete-old
    # make delete-old-libs

Read src.conf(5).

- Herbert
Installing OpenSSL from ports, how to remove base-openssl?
For a certain customer that wants to use a later version of OpenSSL (base is at 'e' while ports is at 'j') I installed /usr/ports/security/openssl. This is all fine, but now I have two sets of binaries and libraries of OpenSSL on that system.

What is the proper way to remove the base openssl? I looked with sysinstall distributions but it's not listed there as something that you can add or remove.

-- Frederique
Re: Using OpenSSL from ports
White Hat wrote:

> Is there any real advantage to installing 'openssl' from ports rather than using the version installed in the base system? Other than the fact that the port version is slightly newer, is there any other major difference?

For RELENG_6 and earlier, you will need the ports version of openssl in order to use rsa-sha256. Some ported software needs that (eg. mail/dkim-milter). Otherwise there isn't any great advantage either way. RELENG_7 and above are close to up-to-date already (version 0.9.8e rather than 0.9.8f) and support all the latest ciphers.

> Also, if I did install the port version, how would I insure that applications would use it as opposed to the version in the base system?

Put:

    WITH_OPENSSL_PORT= yes

into /etc/make.conf

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Using OpenSSL from ports
Is there any real advantage to installing 'openssl' from ports rather than using the version installed in the base system? Other than the fact that the port version is slightly newer, is there any other major difference?

Also, if I did install the port version, how would I insure that applications would use it as opposed to the version in the base system?

Thanks!

-- White Hat
using openssl from ports
Hi All,

I installed openssl from the ports collection. However, there is also an openssl native in freebsd. How can I set things to use the openssl from the ports as default instead of the system openssl?

Bye,

Mipam.