What's the proper way to do it?

As far as I understand from googling around, and please correct me if I'm wrong, the way to compile ports with openssl is: first install openssl from ports, then add WITH_OPENSSL_PORTS=YES to make.conf, then compile everything that uses openssl. That is, with something like portmaster, not poudriere.

I tried adding WITH_OPENSSL_PORTS=YES to poudriere's make.conf, but it doesn't pull in openssl as a dependency. I suppose that is because it has to be already installed for the ports to see it at compile time and use that one instead of base. Which, I suppose, means that I should install openssl in poudriere's jail first and remember to upgrade it in that jail if needed before compiling stuff when it gets updated.

Is that correct? Is there a better way?

The way I thought it was going to work is: add WITH_OPENSSL_PORTS=YES to poudriere's make.conf, then openssl will be considered a dependency for any port that uses it and treated as such by poudriere.


On a side note (it might be totally unrelated, but I don't have a better place to ask about it anyway), the reason I need to do this is that I have Nginx as a load-balancing proxy talking to Apache backends over https. Apache is compiled with openssl from ports, while Nginx is compiled with base. The problem is that when I try to load one of the https websites, I get a 502 Bad Gateway in Nginx and the following error in nginx-error.log:

[error] 13004#0: *7 SSL_do_handshake() failed (SSL: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message) while SSL handshaking to upstream, client: XXX.XXX.XXX.XXX, server: ssl.enabled.site.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://YYY.YYY.YYY.YYY:443/favicon.ico";, host: "ssl.enabled.site.example.com"

There's another set of Nginx servers that are compiled with openssl from ports, just like Apache, and I don't get the error there. The 'workaround' I found (http://code.google.com/p/googleappengine/issues/detail?id=5075) is to add

proxy_ssl_session_reuse off;

to Nginx. This works, but I'd still like to know what is going on and why it works without that line on the Nginx servers compiled with the same version of openssl as Apache. I can't see anything in Apache's logs, the load balancing is done through ip_hash, which means that I should talk to the same Apache server every time, and it happens even if all backends except one are marked as down in Nginx conf. The config files on all Nginx servers are identical.
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
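Added example (not part of the post above, and not nginx or FreeBSD project code): a small parser for nginx error-log lines of the kind quoted in the post. It pulls out the packed OpenSSL error code and splits it into the library, function and reason ids that OpenSSL's ERR_PACK macro packs into one 32-bit value, and tallies failures per upstream so you can see whether a handshake error is tied to one backend (the poster's ip_hash reasoning) or to all of them. The sample log lines are constructed here from the text of the post; the placeholder addresses are the ones the poster used.

```python
import re
from collections import Counter

# Constructed sample input: the error line from the post, plus a non-SSL
# line to show that unrelated entries are skipped.
SAMPLE_LOG_LINES = [
    '[error] 13004#0: *7 SSL_do_handshake() failed (SSL: error:1408E0F4:'
    'SSL routines:SSL3_GET_MESSAGE:unexpected message) while SSL handshaking '
    'to upstream, client: XXX.XXX.XXX.XXX, server: ssl.enabled.site.example.com, '
    'request: "GET /favicon.ico HTTP/1.1", '
    'upstream: "https://YYY.YYY.YYY.YYY:443/favicon.ico", '
    'host: "ssl.enabled.site.example.com"',
    '[error] 13004#0: *8 open() "/usr/local/www/missing" failed (2: No such file '
    'or directory), client: XXX.XXX.XXX.XXX, server: ssl.enabled.site.example.com',
]

# OpenSSL renders errors as "error:LLFFFRRR:lib:func:reason". The hex code is
# ERR_PACK(lib, func, reason) from err.h: 8-bit library id, 12-bit function
# id, 12-bit reason id. For 1408E0F4 that is 0x14 (ERR_LIB_SSL),
# 0x08E (SSL3_GET_MESSAGE) and 0x0F4 (SSL_R_UNEXPECTED_MESSAGE, 244).
_SSL_ERR_RE = re.compile(
    r'error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^)]*)\)'
)
_UPSTREAM_RE = re.compile(r'upstream: "([^"]+)"')
_HOST_RE = re.compile(r'host: "([^"]+)"')


def unpack_openssl_error(code):
    """Split a packed OpenSSL error code into (lib_id, func_id, reason_id)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_nginx_ssl_error(line):
    """Return a dict describing the OpenSSL error in an nginx log line, or None."""
    m = _SSL_ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group('code'), 16)
    lib_id, func_id, reason_id = unpack_openssl_error(code)
    upstream = _UPSTREAM_RE.search(line)
    host = _HOST_RE.search(line)
    return {
        'code': code,
        'lib_id': lib_id,
        'func_id': func_id,
        'reason_id': reason_id,
        'lib_name': m.group('lib'),
        'func_name': m.group('func'),
        'reason_text': m.group('reason'),
        'upstream': upstream.group(1) if upstream else None,
        'host': host.group(1) if host else None,
    }


def summarize_ssl_errors(lines):
    """Count SSL handshake errors keyed by (upstream, reason text)."""
    counts = Counter()
    for line in lines:
        info = parse_nginx_ssl_error(line)
        if info is not None:
            counts[(info['upstream'], info['reason_text'])] += 1
    return dict(counts)


if __name__ == '__main__':
    for line in SAMPLE_LOG_LINES:
        info = parse_nginx_ssl_error(line)
        if info:
            print('lib=%d func=%d reason=%d (%s / %s / %s) upstream=%s' % (
                info['lib_id'], info['func_id'], info['reason_id'],
                info['lib_name'], info['func_name'], info['reason_text'],
                info['upstream']))
    print(summarize_ssl_errors(SAMPLE_LOG_LINES))
```

The numeric ids are useful when the symbolic text differs between OpenSSL builds or is missing; they can be looked up in the OpenSSL headers of whichever library the daemon is actually linked against. On FreeBSD, `ldd /usr/local/sbin/nginx` and `ldd /usr/local/sbin/httpd` show whether each resolves libssl from /usr/lib (base) or /usr/local/lib (ports), which is the first thing to compare when one side of a TLS connection behaves differently from the other.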