Compile GELI with OpenSSL from ports

equal

New Member



FreeBSD 11.1 i386

I have compiled and installed openssl from ports, so there are:
a) /usr/bin/openssl (OpenSSL 1.0.2k-freebsd 26 Jan 2017) with /lib/libcrypto.so.8, /usr/lib/libssl.so.8
and
b) /usr/local/bin/openssl (OpenSSL 1.0.2n 7 Dec 2017) with /usr/local/lib/libcrypto.so.9, /usr/local/lib/libssl.so.9

And I want to compile the base system with the new version of openssl (for use in another project).
As GELI is one of the files in base currently requiring libcrypto, I try to make /usr/src/sbin/geom with these options:
/etc/make.conf:
DEFAULT_VERSIONS+=ssl=openssl # yes, it's for ports, not base
WITH_OPENSSL_PORT=YES
OPENSSL_PORT=security/openssl
### WITHOUT_OPENSSL= # in this case, geli doesn't compile at all

but with no success.
Code:
ldd /usr/src/sbin/geom/class/eli/geom_eli.so:
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x2861b000)
Naturally, I can manually replace libcrypto.so.8 with libcrypto.so.9:
ln -sf /usr/local/bin/openssl /usr/bin/openssl
ln -sf /usr/local/lib/libcrypto.so.9 /lib
ln -sf /lib/libcrypto.so.9 /usr/lib/libcrypto.so
<and libssl, include files, ...>

But is there any legitimate way to compile geli (base) with openssl (or libressl) from ports?
 

SirDice

Administrator
Staff member
Moderator

GELI is part of the base OS. Nothing from the base OS can ever depend on a port.
 

equal

New Member



OK, replacing the old openssl with a newer one is good for my purpose.

Will it be enough (simplified) to replace /usr/src/crypto/openssl with the downloaded and patched content of /usr/ports/security/openssl/work/openssl-1.0.2n, so that all source files in base that require libcrypto or libssl will, when compiled, be linked to the newer openssl libraries? Keeping in mind the difference in paths (/usr/local/lib vs /usr/lib), of course.
 

SirDice

Administrator
Staff member
Moderator

OK, replacing the old OpenSSL with a newer one is good for my purpose.
Exactly why do you want to do this anyway? The SSL version in the base may appear to be an older version, but security issues are always backported.

I'm quite sure you will run into all sorts of compatibility issues, not just with GELI but with everything from the base OS that uses the OpenSSL libraries.
 

equal

New Member



Currently I have OpenSSL 1.0.2k (older) in base, and OpenSSL 1.0.2n (newer) in ports.

I am making a custom tiny installation, and don't want to have some software (from base, like geli) compiled with the older openssl (libcrypto.so.8, libssl.so.8) and other software (from ports) with the newer one (libcrypto.so.9, libssl.so.9). That's all.

Compiling everything with the old version from base is not a good idea because of security issues. Carrying both library versions: also no way. Compiling everything with the newer version: yesssss, but how???
 
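The situation the thread is circling (base binaries on libcrypto.so.8, ports binaries on libcrypto.so.9) is easy to audit before deciding anything. The script below is an added example, not from the thread or from FreeBSD itself: it parses `ldd`-style output, lists which libcrypto/libssl soname each binary resolves to, and reports when more than one libcrypto version is in use on the system. The embedded `ldd` text is constructed to match the two-version layout the poster describes (the geom_eli.so line is the one shown in the first post; the openssl line and the addresses are made up for the example).

```shell
#!/bin/sh
# Constructed sample of `ldd` output for one base binary and one ports binary
# on a system carrying both libcrypto.so.8 (base) and libcrypto.so.9 (ports).
SAMPLE_LDD='/usr/src/sbin/geom/class/eli/geom_eli.so:
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x2861b000)
    libc.so.7 => /lib/libc.so.7 (0x28000000)
/usr/local/bin/openssl:
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x28700000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x28800000)
    libthr.so.3 => /lib/libthr.so.3 (0x28900000)'

# Read ldd output on stdin and print "binary soname resolved-path" for every
# libcrypto/libssl dependency. A header line is "path:" with no leading space;
# dependency lines are indented "soname => path (addr)".
ssl_deps() {
    awk '/^[^ \t].*:$/ { bin = $1; sub(/:$/, "", bin); next }
         $1 ~ /^lib(crypto|ssl)\.so/ { print bin, $1, $3 }'
}

# Number of distinct libcrypto sonames seen in ldd output on stdin.
distinct_libcrypto_versions() {
    ssl_deps | awk '$2 ~ /^libcrypto\.so/ { print $2 }' | sort -u | wc -l | tr -d ' '
}

# Return 0 when every binary in the given ldd text links the same libcrypto,
# 1 (and list every libcrypto/libssl binding) when versions are mixed.
check_mixed_linkage() {
    n=$(printf '%s\n' "$1" | distinct_libcrypto_versions)
    if [ "$n" -gt 1 ]; then
        printf '%s\n' "$1" | ssl_deps | awk '{ print "mixed: " $1 " -> " $2 " (" $3 ")" }'
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample: expect the mixed report.
check_mixed_linkage "$SAMPLE_LDD" || echo "two libcrypto versions in use"
```

On a live FreeBSD box you would feed real output instead of the sample, for instance `ldd /usr/bin/* /usr/local/bin/* 2>/dev/null | ssl_deps`, and then decide per binary whether the base or the ports library is the one actually loaded. Note that the resolved path column is what matters: the symlink trick in the first post changes what `/lib/libcrypto.so.8` points at without changing the soname a binary asks for, so a soname-only check would miss it.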