moving to ports' security/openssl

YuryG

Well-Known Member

Reaction score: 26
Messages: 417

Is there a smooth way to move from base OpenSSL to ports' OpenSSL? As far as I can see, there is no simple option to find the exact ports that were built using base OpenSSL that someone wants to move to using ports' one.
 

YuryG

Well-Known Member

Reaction score: 26
Messages: 417

Install security/openssl from ports.
Add DEFAULT_VERSIONS= ssl=openssl to /etc/make.conf
Rebuild any ports you want to use with it.
Done.
Isn't that clear from my first post? There's no (easy?) way to find ports that use OpenSSL. And if I have half of ports that use it from base, and the other half that use it from ports, and then not all autoconfigure's are good enough to use just what I say in make.conf options… I see a bunch of potentially bad-bad problems.
 

Alain De Vos

Well-Known Member

Reaction score: 55
Messages: 301

I don't see major issues beforehand. For GSSAPI I use HEIMDAL when possible.
 

richardtoohey2

Member

Reaction score: 13
Messages: 28

I think the OP means if you have 100 ports installed how do you know which of those 100 are linked to base OpenSSL? How can you easily find out that say, Apache, MySQL, and Python are linked to the base OpenSSL?

Once you are using ports you can do something like this:
Code:
 % pkg info -r openssl
openssl-1.1.1d,1:
    python36-3.6.9_3
    php73-openssl-7.3.13
    php73-ftp-7.3.13
    apache24-2.4.41
    apr-1.7.0.1.6.1
    libzip-1.5.2
    vsftpd-ssl-3.0.3_1
    mysql56-server-5.6.46
    mysql56-client-5.6.46
    libevent-2.1.11
    libarchive-3.4.0,1
    curl-7.67.0
But how can you do the same thing if those ports were built WITHOUT the change to /etc/make.conf? I think that is the question.
 

obsigna

Daemon

Reaction score: 646
Messages: 1,054

I think the OP means if you have 100 ports installed how do you know which of those 100 are linked to base OpenSSL? ...
... I think that is the question.
Execute the following command:
find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so\|libcrypto.so" | cut -f1 -d' ' | sort -u | xargs -n1 pkg which | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt

Be aware that this takes some time (45 min on my low end system). Here comes the result:
Code:
apache24-2.4.41
apr-1.7.0.1.6.1
cmake-3.15.5
curl-7.67.0
cyrus-sasl-2.1.27
dovecot-2.3.9.2
git-2.24.1
gnupg1-1.4.23_2
isc-dhcp44-server-4.4.1_4
ldns-1.7.1_1
libarchive-3.4.0,1
libevent-2.1.11
libzip-1.5.2
mpd5-5.8_10
mysql56-client-5.6.46
mysql56-server-5.6.46
netatalk3-3.1.12_2,1
p5-subversion-1.13.0
php72-curl-7.2.26
php72-openssl-7.2.26
php72-pdo_pgsql-7.2.26
php72-pgsql-7.2.26
php72-zip-7.2.26
pkg-1.12.0
postfix-sasl-3.4.8,1
postgresql96-client-9.6.16
postgresql96-contrib-9.6.16
postgresql96-server-9.6.16
py37-cryptography-2.6.1
python37-3.7.6
samba410-4.10.11
serf-1.3.9_4
squid-4.9
strongswan-5.8.2
subversion-1.13.0
trousers-0.3.14_2
Once you have prepared everything for building with security/openssl, you could rebuild the list of the ports using the following command:

portmaster `cat ~/openssl_dependencies.txt`

Note that some ports insist on being built with openssl from base. For example, the last time I tried this some years ago, curl didn’t like being built with openssl from the ports.
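
Added example, not part of the thread or any poster's code: the pipeline above finds everything linked to libssl/libcrypto but not which copy was resolved, which is the half-base, half-ports situation raised earlier. This sketch assumes ldd output produced with the format string extended by `%p` (the resolved path) and labels each binary base, ports or mixed; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify binaries by which OpenSSL copy rtld resolved.
# Input lines: "<binary> <object> <resolved path>", as printed on FreeBSD by
#   ldd -f '%A %o %p\n' <file>
# Assumption: no whitespace in paths. Function names are hypothetical.

classify_ssl_links() {
    awk '
        $2 ~ /^lib(ssl|crypto)\.so/ {
            if ($3 ~ /^\/usr\/local\//)        kind = "ports"
            else if ($3 ~ /^\/(usr\/)?lib\//)  kind = "base"
            else                               kind = "other"
            # libssl and libcrypto resolved from different places => mixed
            if (($1 in seen) && seen[$1] != kind) seen[$1] = "mixed"
            else seen[$1] = kind
        }
        END { for (b in seen) print seen[b], b }
    ' | sort
}

# Constructed sample input (not taken from a real system).
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/curl libssl.so.111 /usr/lib/libssl.so.111
/usr/local/bin/curl libcrypto.so.111 /lib/libcrypto.so.111
/usr/local/bin/curl libc.so.7 /lib/libc.so.7
/usr/local/sbin/httpd libssl.so.11 /usr/local/lib/libssl.so.11
/usr/local/sbin/httpd libcrypto.so.11 /usr/local/lib/libcrypto.so.11
/usr/local/bin/git libssl.so.11 /usr/local/lib/libssl.so.11
/usr/local/bin/git libcrypto.so.111 /lib/libcrypto.so.111
EOF
}

sample_ldd_output | classify_ssl_links
```

On a live system, replace the sample function with the thread's find/ldd pipeline using the `'%A %o %p\n'` format; binaries reported as base or mixed are the rebuild candidates.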
 