moving to ports' security/openssl

[YuryG]

Is there a smooth way to move from base OpenSSL to ports' OpenSSL? As far as I can see, no simple option to find exact ports that were build using base OpenSSL that someone want to move to using ports' one.

 

[drhowarddrfine]

Install security/openssl from ports.
Add DEFAULT_VERSIONS= ssl=openssl to /etc/make.conf
Rebuild any ports you want to use with it.
Done.

 

[YuryG]

Install security/openssl from ports.
Add DEFAULT_VERSIONS= ssl=openssl to /etc/make.conf
Rebuild any ports you want to use with it.
Done.

Isn't that clear from my first post? There's no (easy?) way to find ports that use OpenSSL. And if I have half of ports that use it from base, and the other half that use it from ports, and then not all autoconfigure's are good enough to use just what I say in make.conf options… I see a bunch of potentially bad-bad problems.

 

[Alain De Vos]

I don't see major issues beforehand. For GSSAPI I use HEIMDAL when possible.

 

[drhowarddrfine]

YuryG All ports use the base port unless you change it in make.conf as I showed.

 

[richardtoohey2]

I think the OP means if you have 100 ports installed how do you know which of those 100 are linked to base OpenSSL? How can you easily find out that say, Apache, MySQL, and Python are linked to the base OpenSSL?

Once you are using ports you can do something like this

 % pkg info -r openssl
openssl-1.1.1d,1:
    python36-3.6.9_3
    php73-openssl-7.3.13
    php73-ftp-7.3.13
    apache24-2.4.41
    apr-1.7.0.1.6.1
    libzip-1.5.2
    vsftpd-ssl-3.0.3_1
    mysql56-server-5.6.46
    mysql56-client-5.6.46
    libevent-2.1.11
    libarchive-3.4.0,1
    curl-7.67.0

But how can you do the same thing if those ports were built WITHOUT the change to /etc/make.conf? I think that is the question.

 

[Alain De Vos]

Rebuilt every port, of find out a .so file is missing.

 

[obsigna]

I think the OP means if you have 100 ports installed how do you know which of those 100 are linked to base OpenSSL? ...
... I think that is the question.

Execute the following command:
find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so\|libcrypto.so" | cut -f1 -d' ' | sort -u | xargs -n1 pkg which | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt

Be aware that this takes some time (45 min on my low end system). Here comes the result:

apache24-2.4.41
apr-1.7.0.1.6.1
cmake-3.15.5
curl-7.67.0
cyrus-sasl-2.1.27
dovecot-2.3.9.2
git-2.24.1
gnupg1-1.4.23_2
isc-dhcp44-server-4.4.1_4
ldns-1.7.1_1
libarchive-3.4.0,1
libevent-2.1.11
libzip-1.5.2
mpd5-5.8_10
mysql56-client-5.6.46
mysql56-server-5.6.46
netatalk3-3.1.12_2,1
p5-subversion-1.13.0
php72-curl-7.2.26
php72-openssl-7.2.26
php72-pdo_pgsql-7.2.26
php72-pgsql-7.2.26
php72-zip-7.2.26
pkg-1.12.0
postfix-sasl-3.4.8,1
postgresql96-client-9.6.16
postgresql96-contrib-9.6.16
postgresql96-server-9.6.16
py37-cryptography-2.6.1
python37-3.7.6
samba410-4.10.11
serf-1.3.9_4
squid-4.9
strongswan-5.8.2
subversion-1.13.0
trousers-0.3.14_2

Once you prepared everything for building with security/openssl you could rebuild the list of the ports using the following command:

portmaster `cat ~/openssl_dependencies.txt`

Note, that some ports insist on being build with openssl from base. For example the last time I tried this some years ago, curl didn’t like to being build with openssl from the ports.