After all the noise about base openssl vs. ports openssl on this list a couple of weeks ago, I bit the bullet and tossed WITH_OPENSSL_PORT=yes in poudriere.d/*-make.conf and kicked off a poudriere run. It chugged for quite a while and rebuilt lots of ports. After it was done, I ran pkg upgrade and was dismayed when I discovered that ldd told me that quite a few executables were linked to openssl in base.
The big culprit turned out to be ftp/curl. Even though WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and run dependency, it was silently getting linked to openssl from base. The cause of that problem is that the default GSSAPI_BASE option adds -L/usr/lib near the start of LDFLAGS, so the linker finds the base openssl libraries instead of the ones from the port. I worked around that problem by switching to GSSAPI_NONE, though I tested that the other GSSAPI_* options also work correctly. There is a sanity check in the Makefile that attempts to catch this conflict, but it does not work correctly. See <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200555>.

After another poudriere run, which rebuilt the curl package and everything that depended on it, things were looking much better. Of my ~1300 installed ports, I only found two other problematic ports: www/links1 <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200557> and security/nmap <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200558>. The only remaining port that links to openssl in base is pkg, which I think is mandatory for chicken vs. egg reasons.

I'm currently running with these updated ports and haven't run into any problems.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
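Added example, not part of the original post: a POSIX sh check that automates the ldd inspection described above, classifying each binary's OpenSSL linkage as base, port, mixed, or none. It assumes the FreeBSD default library locations (/lib and /usr/lib for base, /usr/local/lib for the port) and uses constructed ldd output as sample input.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes FreeBSD default paths:
# base OpenSSL lives under /lib and /usr/lib, the port under /usr/local/lib.

# Read ldd(1) output on stdin; print base, port, mixed, or none.
# "mixed" means libssl and libcrypto come from different trees, which
# loads two incompatible copies of the library into one process.
classify_openssl_link() {
    base=0
    port=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"=> /lib/"*|*"=> /usr/lib/"*) base=1 ;;
            *"=> /usr/local/lib/"*)        port=1 ;;
        esac
    done
    if [ "$base" = 1 ] && [ "$port" = 1 ]; then echo mixed
    elif [ "$base" = 1 ]; then echo base
    elif [ "$port" = 1 ]; then echo port
    else echo none
    fi
}

# Walk a directory (e.g. /usr/local/bin) and report every executable that
# still resolves OpenSSL from base, the situation the post describes for curl.
report_base_openssl_links() {
    find "$1" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        kind=$(ldd "$f" 2>/dev/null | classify_openssl_link)
        case "$kind" in
            base|mixed) printf '%s\t%s\n' "$kind" "$f" ;;
        esac
    done
}

# Constructed sample ldd output in FreeBSD's format (addresses are made up).
SAMPLE_BASE='/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800823000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)'
SAMPLE_PORT='/usr/local/bin/curl:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)'
SAMPLE_MIXED='/usr/local/bin/links:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)'
```

Run `report_base_openssl_links /usr/local/bin` after a `pkg upgrade` to list the binaries that need a rebuild.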