Replace OpenSSL with LibreSSL


Aspiring Daemon

Reaction score: 451
Messages: 735

I have installed LibreSSL with no problems on RELEASE-10.0 to /usr/local/bin. But the "old" openssl gets executed:

# which openssl

# openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013

# /usr/local/bin/openssl version
LibreSSL 2.0
What is the best practise method to disable/remove a by default installed application (not a package or port) which comes with the system installation?



Reaction score: 11
Messages: 62

Try a symlink:

mv /usr/bin/openssl /usr/bin/openssl.old

cd /usr/bin

ln -s /usr/local/bin/openssl


New Member

Messages: 1

/etc/libmap.conf could also be useful for remapping existing binaries that are linked against the base OpenSSL shared libs.


Well-Known Member

Reaction score: 133
Messages: 457

The same thing happens with the ports version of security/openssl which I've run for years. Installed ports software usually automatically links against this version rather than the version in the base but the command line tool is after the base version in the PATH. To get around this I always just alias openssl to /usr/local/bin/openssl in my .bashrc with something like this:

alias openssl="/usr/local/bin/openssl"

Obviously if you're using a different shell then aliasing is going to work differently. Probably need to add appropriate commands into .profile. Alternatively you could change the PATH environment variable to place /usr/local/bin in front of /usr/bin.

On another note I'm not sure this whole LibreSSL thing is a good idea or not yet. I would have personally rather had them contribute their patches upstream to OpenSSL instead for the benefit of everyone. Now things are going to be fractured.


Beastie Himself

Reaction score: 3,679
Messages: 13,851

Of course. Those applications are looking for OpenSSL. They would have to be rebuilt, assuming that LibreSSL provides exact binary compatibility, which, at present, it does not.

At this stage, only developers should be experimenting with LibreSSL.


Well-Known Member

Reaction score: 118
Messages: 282

So I'd better restrict my LibreSSL experiments to my development server then.
Is there a way to batch-rebuild all ports requiring OpenSSL with LibreSSL? I tried it for a few ports but I'm sure I missed some.


Beastie Himself

Reaction score: 3,679
Messages: 13,851

We may both regret this, but portmaster -o security/libressl openssl followed by portmaster -r libressl. I think, untested.


Well-Known Member

Reaction score: 79
Messages: 390

The way I read ${PORTSDIR}/Mk/, setting WITH_OPENSSL_PORT=YES and OPENSSL_PORT=security/libressl in make.conf(5) would not only cause the installation of libressl from ports, but also the linking of any libssl/libcrypto consumer against libressl on top of that, which is more important than the monolithic binary anyway (because it's the ssl consumers that are attackable via network, rather than a non-server binary used mostly for testing and shell scripting).

Also, the libressl port installs a binary called openssl into ${PREFIX}/bin, which should be in PATH and preferred over the system paths, so you don't need to make symlinks or the like.


New Member

Messages: 7

To use LibreSSL, you need to set OPENSSL_SHLIBVER=30 as well (besides WITH_OPENSSL_PORT and OPENSSL_PORT).

Otherwise it will use the default (which is 8 for the openssl port) and try to reinstall libressl for every port that uses OpenSSL.
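The two posts above describe the make.conf knobs for building ports against LibreSSL and note that it is the libssl/libcrypto consumers, not the openssl binary, that matter. The following is an added example (not code from the thread or from the ports tree) with two checks a practitioner would run after such a switch: one that verifies all three knobs are set in a make.conf file, and one that parses ldd output to list binaries still linked against the base libssl/libcrypto. The ldd sample is constructed; the /lib, /usr/lib and /usr/local/lib paths are assumptions about a FreeBSD 10.x layout.

```shell
#!/bin/sh
# Added example, not part of the thread. Paths and ldd lines are constructed.

# check_make_conf FILE: succeed only if all three knobs from the thread are
# set to the expected values; print the missing/mismatched keys otherwise.
# Only plain "KEY=VALUE" assignments are recognised (no ?= or +=).
check_make_conf() {
    _file="$1"
    _missing=""
    for _kv in "WITH_OPENSSL_PORT=YES" "OPENSSL_PORT=security/libressl" "OPENSSL_SHLIBVER=30"; do
        _key="${_kv%%=*}"
        _want="${_kv#*=}"
        # last assignment wins, as in make(1); tolerate spaces around '='
        _got=$(sed -n "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p" "$_file" | tail -n 1)
        [ "$_got" = "$_want" ] || _missing="${_missing}${_key} "
    done
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# base_ssl_consumers: read "ldd" output on stdin and print each binary that
# resolves libssl or libcrypto from the base system (/lib or /usr/lib) rather
# than from the ports prefix (/usr/local/lib). Those are the network-facing
# consumers that still use base OpenSSL after the switch.
base_ssl_consumers() {
    awk '
        /^\/.*:$/ { bin = substr($0, 1, length($0) - 1); next }
        $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^\/(usr\/)?lib\// {
            if (!(bin in seen)) { seen[bin] = 1; print bin }
        }'
}

# Constructed ldd output: nginx still links base OpenSSL (libssl.so.7),
# curl and the ports openssl binary link LibreSSL (libssl.so.30).
SAMPLE_LDD='/usr/local/sbin/nginx:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800c00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
/usr/local/bin/curl:
	libssl.so.30 => /usr/local/lib/libssl.so.30 (0x800c00000)
	libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x801000000)
/usr/local/bin/openssl:
	libssl.so.30 => /usr/local/lib/libssl.so.30 (0x800c00000)'

# On a real host: check_make_conf /etc/make.conf
#                 ldd /usr/local/bin/* /usr/local/sbin/* 2>/dev/null | base_ssl_consumers
printf '%s\n' "$SAMPLE_LDD" | base_ssl_consumers
```

Binaries reported by base_ssl_consumers are the ones to rebuild (the portmaster runs suggested earlier in the thread) before the switch can be considered complete.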



Reaction score: 671
Messages: 1,089

Is LibreSSL going to replace OpenSSL in the near future on FreeBSD?
I would be really interested by an official answer about this as well.
Today's forum post A look at the upcoming features for 10.1.2 reveals:
We’ve made the switchover to convert our ports to use LibreSSL by default instead of the base systems OpenSSL ...
Hopefully, I will be able to stay with OpenSSL without experiencing major hassles.


Staff member

Reaction score: 8,953
Messages: 33,384

IF (a big IF) OpenSSL is going to be replaced by LibreSSL it's going to be with 12.0-RELEASE. Not before, as that would break the ABI/API. For ports you can already switch by setting DEFAULT_VERSIONS.