On 2015-03-21 at 11:06, Matthias Andree wrote:
> On 21.03.2015 at 00:13, Wietse Venema wrote:
>> Viktor Dukhovni:
>>> I am curious what:
>>>
>>>     ldd /usr/local/lib/libssl.so.8
>>>
>>> reports and whether there are headers and or shared objects for
>>> libz in ports?
>>
>> In a FreeBSD 10.1 testvm:
>>
>> # ldd -a /usr/local/lib/libssl.so.8
>> /usr/local/lib/libssl.so.8:
>>     libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801668000)
>>     libthr.so.3 => /lib/libthr.so.3 (0x801a6c000)
>>     libc.so.7 => /lib/libc.so.7 (0x80081f000)
>> /usr/local/lib/libcrypto.so.8:
>>     libthr.so.3 => /lib/libthr.so.3 (0x801a6c000)
>>     libc.so.7 => /lib/libc.so.7 (0x80081f000)
>> /lib/libthr.so.3:
>>     libc.so.7 => /lib/libc.so.7 (0x80081f000)
>>
>> Fascinating: no libz dependency. See below for build options.
>>
>> # uname -a
>> FreeBSD freebsd101.porcupine.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0
>> r274401: Tue Nov 11 21:02:49 UTC 2014
>> r...@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>>
>> # grep OPENSSL_VERSION_NUMBER /usr/local/include/openssl/opensslv.h
>> #define OPENSSL_VERSION_NUMBER 0x100010afL
>>
>> This is OpenSSL 1.0.1j built from ports with default options:
>>
>>     [x] SHARED   build of shared libs
>>     [x] THREADS  Threading support
>>     [ ] I386     Optimize for i386 (instead of i486+)
>>     [x] SSE2     runtime SSE2 detection
>>     [x] ASM      optimized Assembler code
>>     [ ] PADLOCK  VIA Padlock support
>>     [x] ZLIB     zlib compression support
>>     [x] SCTP     SCTP protocol support
>>     [x] SSL2     SSLv2 protocol support
>>     [x] SSL3     SSLv3 protocol support
>>     ...
>>
>> I don't zlib or libz in ports.
>
> These were removed from ports c. three years ago.
> libz (zlib) is only in FreeBSD's base system (/lib/libz.so.6, as of
> 10.1), if there are remnants of it under /usr/local, then users should
> check for stale ports, or unregistered leftovers and should purge them.
>
> Note that the FreeBSD base system's OpenSSL does not dynamically link
> against libz.so either.
>
>> I don't know how zlib is linked in, but it is relatively easy to
>> disable. One may have to rm -rf /var/db/ports/security_openssl to
>> reset previously-cached build options.
>
> "make rmconfig -C /usr/ports/security/openssl"

I'll describe a brief history of this system. I started using openssl
from ports after the Heartbleed hype. It was on the old server - FreeBSD
9.3 i386. Recently I have decided to go for a new box, 64-bit
architecture, so I've installed 10.1 amd64. I've installed the same
ports set as I had on the old box (hence openssl from ports) and
configured postfix exactly the same as it was on 9.3. As this was a
clean 10.1 installation there were no stale ports left from previous
upgrades.

I use my own poudriere instance, so all packages are built from ports in
a clean environment and then they are installed on destination servers.

I've restored the mail server to its previous state (with openssl from
ports with zlib enabled). Some data:

# pkg query "%Ok %Ov" openssl
ASM on
DOCS off
EC on
EXPCIPHERS off
GMP off
I386 off
MD2 on
PADLOCK off
RC5 off
RFC3779 off
SCTP on
SHARED on
SSE2 on
SSL2 off
SSL3 off
THREADS on
ZLIB on

It seems that ./config sets zlib as zlib-dynamic:

# grep zlib /data/poudriere/data/logs/bulk/openssl-vesper-default/latest-per-pkg/openssl-1.0.1_19.log
ZLIB=on: zlib compression support
cd /wrkdirs/usr/ports/security/openssl/work/openssl-1.0.1m && /usr/bin/env CC="cc" FREEBSDCC="cc" CFLAGS="-O2 -pipe -march=corei7 -fstack-protector -fno-strict-aliasing" PERL="/usr/local/bin/perl" PTHREAD_CFLAGS= PTHREAD_LIBS=-pthread ./config --prefix=/usr/local --openssldir=/usr/local/openssl --install_prefix=/wrkdirs/usr/ports/security/openssl/work/stage -L/usr/local/lib enable-asm threads shared zlib zlib-dynamic sctp no-ssl2 no-ssl3 enable-md2 no-rc5 no-gmp no-rfc3779 enable-ec_nistp_64_gcc_128
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -O3 -Wall -O2 -pipe -march=corei7 -fstack-protector -fno-strict-aliasing -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c c_zlib.c
ar r ../../libcrypto.a comp_lib.o comp_err.o c_rle.o c_zlib.o

And some ldd:

# ldd -a /usr/local/lib/libssl.so.8
/usr/local/lib/libssl.so.8:
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801660000)
    libthr.so.3 => /lib/libthr.so.3 (0x801a65000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/usr/local/lib/libcrypto.so.8:
    libthr.so.3 => /lib/libthr.so.3 (0x801a65000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libthr.so.3:
    libc.so.7 => /lib/libc.so.7 (0x80081f000)

# ldd -a /usr/local/lib/libpcre.so.1
/usr/local/lib/libpcre.so.1:
    libthr.so.3 => /lib/libthr.so.3 (0x801672000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libthr.so.3:
    libc.so.7 => /lib/libc.so.7 (0x80081f000)

# ldd -a /usr/local/lib/libcrypto.so.8
/usr/local/lib/libcrypto.so.8:
    libthr.so.3 => /lib/libthr.so.3 (0x801805000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libthr.so.3:
    libc.so.7 => /lib/libc.so.7 (0x80081f000)

# ldd -a /usr/local/lib/mysql/libmysqlclient.so.18
/usr/local/lib/mysql/libmysqlclient.so.18:
    libm.so.5 => /lib/libm.so.5 (0x8019df000)
    libc++.so.1 => /usr/lib/libc++.so.1 (0x801c07000)
    libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x801ec7000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8020e3000)
    libthr.so.3 => /lib/libthr.so.3 (0x8022f1000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libm.so.5:
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/usr/lib/libc++.so.1:
    libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x801ec7000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8020e3000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libcxxrt.so.1:
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8020e3000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libgcc_s.so.1:
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
/lib/libthr.so.3:
    libc.so.7 => /lib/libc.so.7 (0x80081f000)

--
best regards,
Lukasz Wasikowski
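
Added example, not part of the original messages: with zlib-dynamic (-DZLIB_SHARED) OpenSSL loads libz at run time through its DSO layer, so ldd alone cannot tell whether a build has compression support. The sketch below combines a build log with saved ldd output to classify the linkage; the function name, file names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify how an OpenSSL build pulls in zlib.
#   $1 = build log with compiler command lines, $2 = saved `ldd -a` output
# Prints one of: none | linked | dlopen | static
zlib_linkage() {
    log=$1
    ldd_out=$2
    # No -DZLIB on any compile line: compression support was not compiled in.
    if ! grep -Eq -e '(^|[[:space:]])-DZLIB([[:space:]]|$)' "$log"; then
        echo none
    # libz listed by ldd: the run-time linker resolves it at program start.
    elif grep -Eq -e '(^|[[:space:]])libz\.so' "$ldd_out"; then
        echo linked
    # -DZLIB_SHARED without an ldd entry: libz is loaded on demand (dlopen).
    elif grep -Eq -e '(^|[[:space:]])-DZLIB_SHARED([[:space:]]|$)' "$log"; then
        echo dlopen
    # -DZLIB alone and no ldd entry: zlib code was linked in statically.
    else
        echo static
    fi
}

# Constructed sample input, shortened from the kind of output quoted above.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/build.log" <<'EOF'
cc -I.. -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -c c_zlib.c
EOF
cat > "$tmp/ldd.txt" <<'EOF'
/usr/local/lib/libcrypto.so.8:
    libthr.so.3 => /lib/libthr.so.3 (0x801805000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
EOF
# Hypothetical contrast: a zlib-enabled build whose ldd output does list libz.
cat > "$tmp/build-linked.log" <<'EOF'
cc -I.. -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -c c_zlib.c
EOF
cat > "$tmp/ldd-linked.txt" <<'EOF'
/usr/local/lib/libcrypto.so.8:
    libz.so.6 => /lib/libz.so.6 (0x801a00000)
    libc.so.7 => /lib/libc.so.7 (0x80081f000)
EOF

echo "thread's build:  $(zlib_linkage "$tmp/build.log" "$tmp/ldd.txt")"
echo "contrast build:  $(zlib_linkage "$tmp/build-linked.log" "$tmp/ldd-linked.txt")"
```

A dlopen result means ldd can neither confirm nor rule out compression support; whether libz is actually loaded depends on it being found at run time.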