On 27-2-2020 20:52, Pete Wright wrote:


On 2020-02-27 11:42, Willem Jan Withagen wrote:
On 27-2-2020 20:25, Miroslav Lachman wrote:
Willem Jan Withagen wrote on 2020/02/27 20:00:
Hi,

My ceph ports use all kinds of python stuff, and now the trouble is that I'm getting
an error on missing:
     SSLv3_client_method

Which I guess is because in the current openssl libs SSLv3 is disabled.
And I sort of get this, SSLv3 is unsafe.

But I need it to be able to run parts of the ceph port.

So how do I get an openssl lib dependency that has SSLv3 enabled?

You can build OpenSSL 1.1.1 from the ports where you can enable SSLv3 in the options dialog.

https://www.freshports.org/security/openssl/

The defaults are:
====> Protocol Support
NEXTPROTONEG=on: Next Protocol Negotiation (SPDY)
SCTP=on: SCTP (Stream Control Transmission)
SSL3=off: SSLv3 (unsafe)
TLS1=on: TLSv1.0 (requires TLS1_1, TLS1_2)
TLS1_1=on: TLSv1.1 (requires TLS1_2)
TLS1_2=on: TLSv1.2

Yup, this is what I did, and that works.
But how do I do that for a port? And then make sure that the installer of the ceph package gets an openssl that has SSLv3?
It may be best to build an internal package with the options you need configured accordingly.  I do this via poudriere for some of my internal software.  For example I have this file on my package builder:
/usr/local/etc/poudriere.d/make.conf

which contains the following:
x11-servers_xorg-server_SET=FIXDRM

I think this matches the same format of make.conf you would use if building the ports tree locally.

Interesting, but not quite what I want....
It is not for personal usage, but for ports that I have committed to the ports collection, and want to upgrade. And yes, fixing openssl works for this problem, but it is not only my problem.

I maintain these Ceph ports, and now upstream uses a python module that expects SSLv3 to be available in the openssl that it encounters on the system.
And the question is how to accommodate that?
Short of embedding my own openssl libs with the ceph-libs, thus creating a huge maintenance problem.

I could also argue that switching off SSLv3 in a generic library is sort of impractical, even if it is a protocol that we want to eradicate. But I guess that the maintainers of openssl have decided that this is the smart thing to do.
And I'm at peace with that, but now require an escape from this catch-22.

--WjW
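The failure in this thread is a missing SSLv3_client_method symbol in the system libssl. As an added example (not from the thread, and not code from the Ceph or FreeBSD ports projects), the Python snippet below probes whether the linked libssl still exports that symbol, reports what Python's ssl module offers, and builds a client context that does not need SSLv3 at all; it assumes ctypes.util.find_library can locate libssl on the host.

```python
import ctypes
import ctypes.util
import ssl
from typing import Optional


def libssl_exports(symbol: str = "SSLv3_client_method") -> Optional[bool]:
    """Return True/False if the shared libssl does/does not export `symbol`.

    Returns None when no libssl can be located (e.g. static linking), so a
    caller can distinguish "symbol dropped" from "library not found".
    """
    path = ctypes.util.find_library("ssl")  # assumption: libssl is a shared lib
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    return hasattr(lib, symbol)


def sslv3_available() -> bool:
    """True only if the ssl module (and hence the linked OpenSSL) kept SSLv3."""
    return hasattr(ssl, "PROTOCOL_SSLv3")


def make_client_context() -> ssl.SSLContext:
    """Client context that never negotiates SSLv3 (or TLS < 1.2).

    This is the replacement a port can ship instead of re-enabling SSL3 in
    the openssl package: the legacy method is simply never referenced.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_openssl() -> dict:
    """Summarise the SSLv3 situation of the interpreter's OpenSSL build."""
    ctx = make_client_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "libssl_has_SSLv3_client_method": libssl_exports("SSLv3_client_method"),
        "ssl_module_has_PROTOCOL_SSLv3": sslv3_available(),
        "client_min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for key, value in probe_openssl().items():
        print(f"{key}: {value}")
```

On a FreeBSD host with the SSL3=off default, both probe fields report False (or None if libssl is not found), which is exactly the state the ceph module trips over.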

_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"