Upgrade OpenSSL 1.0.2 > 1.1.1

You don't until the individual port maintainers set their ports to use the new version. That's not just a simple flick of the switch because OpenSSL 1.1.1 has a different API than the current 1.0.2. It's going to be both an upstream and port maintainer issue for the ports involved.
 
How will I know when all my ports that depend on security/openssl are ready to be upgraded to the latest version of OpenSSL?
Code:
$ pkg info -r security/openssl
openssl-1.0.2p_1,1:
        ldns-1.7.0_1
        cclient-2007f_3,1
        apr-1.6.3.1.6.1_1
        nmap-7.70
        wget-1.19.5
        libzip-1.5.1
        unbound-1.7.3
        postfix-3.3.1_1,1
        python36-3.6.6_1
        nginx-1.14.0_11,2
        mysql56-client-5.6.41
        mysql56-server-5.6.41
        php71-openssl-7.1.21
        php71-imap-7.1.21
        php71-ftp-7.1.21
        dovecot-2.3.2.1_1
        libevent-2.1.8_2
        curl-7.61.1
        opendkim-2.10.3_8
 
They will probably be updated 'alone' during the regular updates, until the point a pkg autoremove will get rid of the old openssl package.
 
I occasionally get the same issue with libressl-devel versions. What I do is periodically change the default SSL version in make.conf and let poudriere (or synth in your case) try and build all of my packages. If any fail then I know it's still not ready and I revert to what I had before.

I've never tried to use openssl111 though, but I assume you would set DEFAULT_VERSIONS+=ssl=openssl111 in the make.conf that synth uses.

Which according to the documentation is /usr/local/etc/synth/[profile]-make.conf where [profile] is LiveSystem if you've never customised it.

If you change that and run a synth prepare-system then you should see it rebuild all packages that depend on openssl. If any fail then remove that line and rebuild it again. If all is successful then you can pkg upgrade it.
 
Thank you, I'll try that this afternoon and see what happens.
 
You will need to set a general DEFAULT_VERSIONS+= (if you do not want to use the Base one by default), and one per port you want to use a different version. However, I don't remember the exact syntax right now, but it is something along the lines of cat_port_DEFAULT_VERSIONS+=.

[EDIT]

See bsd.default-versions.mk.
 
I can't seem to get this to work correctly. All synth wants to do is build security/openssl111 - and not rebuild any ports that depend on it.
Code:
$ sudo synth status
Querying system about current package installations.
Stand by, comparing installed packages against the ports tree.
Scanning existing packages.
These are the ports that would be built ([N]ew, [R]ebuild, [U]pgrade):
  N => security/openssl111
Total packages that would be built: 1

/usr/local/etc/synth/LiveSystem-make.conf :
Code:
OPTIONS_UNSET = X11 CUPS

DEFAULT_VERSIONS+=ssl=openssl111 php=7.1 mysql=5.6
 
Hrm. Poudriere does this correctly. It detects that a dependency wants to be changed and invalidates all the packages that depend on it. One way around it might be to do pkg info -r openssl (or whatever package you have installed) to get the list and then delete those from the synth package repository directory. That would force it to rebuild them.
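
The workaround described in the post above, as an added example that is not part of the original thread or of synth's own tooling: it parses `pkg info -r` output and lists, without deleting, the matching package files. The repository path `/var/synth/live_packages/All`, the `.txz`/`.pkg` extensions and the function names are assumptions; the sample listing is constructed from the output posted earlier in the thread.

```shell
#!/bin/sh
# Added example: find built packages that depend on OpenSSL so they can be
# removed from the synth package repository and rebuilt. It only prints paths.

# Assumption: synth's default package directory. Check the packages
# directory configured in your synth profile before relying on it.
REPO_DIR="${REPO_DIR:-/var/synth/live_packages/All}"

# Constructed sample of `pkg info -r security/openssl` output.
SAMPLE='openssl-1.0.2p_1,1:
        nmap-7.70
        curl-7.61.1
        nginx-1.14.0_11,2'

# dependents: read `pkg info -r` output on stdin and print one dependent
# name-version per line. Dependents are the indented lines; the unindented
# header naming the queried package is skipped.
dependents() {
    awk '/^[ \t]+[^ \t]/ { print $1 }'
}

# stale_packages REPO: read `pkg info -r` output on stdin and print the
# package files in REPO that belong to the listed dependents.
stale_packages() {
    repo=$1
    dependents | while IFS= read -r name; do
        # Accept only plain package names. Anything containing a slash,
        # whitespace or a leading dash never reaches a path or a command.
        case $name in
            ''|-*|*[!A-Za-z0-9._,+-]*) continue ;;
        esac
        # Exact file names only: a glob such as name.* would also match a
        # different version (curl-7.61.1.* matches curl-7.61.1.2.txz).
        for ext in txz pkg; do
            if [ -f "$repo/$name.$ext" ]; then
                printf '%s\n' "$repo/$name.$ext"
            fi
        done
    done
}

# Dry run against the sample; prints nothing if REPO_DIR holds no match.
printf '%s\n' "$SAMPLE" | stale_packages "$REPO_DIR"
```

On the live system, pipe `pkg info -r security/openssl` into `stale_packages` instead of the sample, and review the printed list before removing any file.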
 
What's weird is that I've done this before (with PHP, MySQL) - normally making this change in the make.conf triggers all the dependencies to be rebuilt. Something is broken ...

I'll run this past Marino and see if he knows what's going on.
 
Ok, making the changes in my LiveSystem-make.conf file does nothing except install the security/openssl111 port. Synth will not rebuild all the ports that depend on it.

What are my other options? Is it safe to change the port origin?
Code:
pkg set -o security/openssl:security/openssl111
 
Mayhem30, most software depending on OpenSSL will not build against security/openssl111 because it does not support it yet. There were several API changes IIRC. Even ArchLinux didn't switch completely yet.

If you need it badly for something you know is already supported, better to modify the port locally.
 
It would be easier if you told us which port you are talking about, but if the port depends on X version of OpenSSL you need to edit it to use the 1.1.1 version.
 
www/nginx does not support OpenSSL 1.1.1! You need www/nginx-devel which should already support it.

This port is rather complicated to say something about with just the quick look I did, so it would be better to set DEFAULT_VERSIONS+=ssl=openssl111 just for this port, but I never remember the syntax for that.

And yes, openssl111 was already added to bsd.default-versions.mk.
 
Is it possible to have both OpenSSL versions installed at the same time?

OpenSSL 1.1.1 will conflict with *SSL from ports but not the Base one, which is the default.

IIRC the syntax would be something like www_nginx-devel_DEFAULT_VERSIONS+=ssl=openssl111.

I think I saw sidetone using per port configurations in the past.
 
That is not in the config yet; you would need to either modify the port, changing all `OPTION_USES` which have `ssl` to `OPTION_RUN_DEPENDS` on security/openssl111, or change the default openssl version like I pointed out before.

Nginx does support TLS v1.3 (the draft specification) since 1.13, but the support for openssl111 (with the final TLS v1.3 specification) in it is very, very recent; 1.15.5 should already support it (but I would expect some instability).

Anyway, I would not go for it but wait a few weeks when the default things should be already sorted out.
 