Replace OpenSSL with LibreSSL

getopt

Aspiring Daemon


I have installed LibreSSL http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ with no problems on RELEASE-10.0 to /usr/local/bin. But the „old“ openssl gets the execution:

Code:
# which openssl
/usr/bin/openssl

# openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013

# /usr/local/bin/openssl version
LibreSSL 2.0

What is the best practice method to disable/remove a by default installed application (not a package or port) which comes with the system installation?
 

fulano

Member


Try a symlink:

mv /usr/bin/openssl /usr/bin/openssl.old

cd /usr/bin

ln -s /usr/local/bin/openssl
 

AnSar

New Member



/etc/libmap.conf could also be useful for remapping existing binaries that are linked against the base OpenSSL shared libs.
 

xtaz

Well-Known Member


The same thing happens with the ports version of security/openssl which I've run for years. Installed ports software usually automatically links against this version rather than the version in the base but the command line tool is after the base version in the PATH. To get around this I always just alias openssl to /usr/local/bin/openssl in my .bashrc with something like this:

Code:
alias openssl="/usr/local/bin/openssl"

Obviously if you're using a different shell then aliasing is going to work differently. Probably need to add appropriate commands into .profile. Alternatively you could change the PATH environment variable to place /usr/local/bin in front of /usr/bin.

On another note I'm not sure this whole LibreSSL thing is a good idea or not yet. I would have personally rather had them contribute their patches upstream to OpenSSL instead for the benefit of everyone. Now things are going to be fractured.
 

wblock@

Beastie Himself
Developer


Of course. Those applications are looking for OpenSSL. They would have to be rebuilt, assuming that LibreSSL provides exact binary compatibility, which, at present, it does not.

At this stage, only developers should be experimenting with LibreSSL.
 

Cthulhux

Well-Known Member


So I'd better restrict my LibreSSL experiments to my development server then.
Is there a way to batch-rebuild all ports requiring OpenSSL with LibreSSL? I tried it for a few ports but I'm sure I missed some.
 

wblock@

Beastie Himself
Developer


We may both regret this, but portmaster -o security/libressl openssl followed by portmaster -r libressl. I think, untested.
 

xibo

Well-Known Member


The way I read ${PORTSDIR}/Mk/bsd.openssl.mk, setting WITH_OPENSSL_PORT=YES and OPENSSL_PORT=security/libressl in make.conf(5) would not only cause the installation of libressl from ports, but also the linking of any libssl/libcrypto consumer against libressl on top of that, which is more important than the monolithic binary anyway (because it's the ssl consumers that are attackable via network, rather than a non-server binary used mostly for testing and shell scripting).

Also, the libressl port installs a binary called openssl into ${PREFIX}/bin, which should be in PATH and preferred over the system paths, so you don't need to make symlinks or the like.
 

RalfvdEnden

New Member



To use LibreSSL, you need to set OPENSSL_SHLIBVER=30 as well (besides WITH_OPENSSL_PORT and OPENSSL_PORT).

Otherwise it will use the default (which is 8 for the openssl port) and try to reinstall libressl for every port that uses OpenSSL.
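
The posts above note that the libssl/libcrypto consumers matter more than the openssl binary itself. As an added example (not part of the original thread), this sh function classifies `ldd` output by whether each binary's libssl/libcrypto resolve to the base system or to ports; the function names, the constructed sample output, and the /lib and /usr/lib versus /usr/local/lib path convention are assumptions.

```shell
#!/bin/sh
# classify_ssl_linkage: read `ldd` output on stdin, print "<binary> <verdict>"
# where verdict is base, ports, mixed or none.
# Assumption: base libraries live in /lib and /usr/lib, ports libraries
# under /usr/local (the default PREFIX).
classify_ssl_linkage() {
    awk '
        function report() {
            if (bin == "") return
            if (base && ports) verdict = "mixed"
            else if (base)     verdict = "base"
            else if (ports)    verdict = "ports"
            else               verdict = "none"
            print bin, verdict
        }
        # An unindented line ending in ":" names the next binary.
        /^[^ \t]/ && /:$/ {
            report()
            bin = substr($0, 1, length($0) - 1); base = 0; ports = 0
            next
        }
        # Dependency line: "libssl.so.N => /path/libssl.so.N (0x...)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\//)       ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1
        }
        END { report() }
    '
}

# Constructed sample of ldd output (not captured from a real host).
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800849000)
    libssl.so.30 => /usr/local/lib/libssl.so.30 (0x800a00000)
    libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x800c00000)
/usr/local/sbin/exampled:
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800849000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)
/usr/local/bin/halfbuilt:
    libssl.so.30 => /usr/local/lib/libssl.so.30 (0x800849000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)
/bin/ls:
    libc.so.7 => /lib/libc.so.7 (0x800849000)
EOF
}

sample_ldd_output | classify_ssl_linkage
```

On a real host, feed it `ldd /usr/local/bin/* /usr/local/sbin/* 2>/dev/null` and look at anything reported as base or mixed: those binaries still need a rebuild.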
 

obsigna

Aspiring Daemon


Is LibreSSL going to replace OpenSSL in the near future on FreeBSD?
I would be really interested by an official answer about this as well.
Today's forums post A look at the upcoming features for 10.1.2 reveals:
We’ve made the switchover to convert our ports to use LibreSSL by default instead of the base systems OpenSSL ...
Hopefully, I will be able to stay with OpenSSL without experiencing major hassles.
 

SirDice

Administrator
Staff member
Administrator
Moderator


IF (a big IF) OpenSSL is going to be replaced by LibreSSL it's going to be with 12.0-RELEASE. Not before, as that would break the ABI/API. For ports you can already switch by setting DEFAULT_VERSIONS.
 