Date: Fri, 18 Feb 2000 20:23:18 -0800 (PST)
From: Kris Kennaway
To: Robert Watson
Cc: freebsd-current@FreeBSD.org
Subject: Re: Supported ways to do RSA/OpenSSL on 4.0?

On Fri, 18 Feb 2000, Robert Watson wrote:

> I was pointed to you for questions regarding whether or not certain ports
> would be working under 4.0-RELEASE -- specifically, OpenSSH and related
> applications which depend on SSL/RSA.

All of the ports which explicitly depend on openssl should be working on
all supported versions of FreeBSD, modulo screwups :) Jim Bloom has been
putting a lot of work into getting these working - I have a couple of
patches to commit, but they mostly seem to work fine as far as I've heard.

However, Jordan mailed me this morning about a build problem with openssh
on a fresh installation which looks very strange - it's like the test for
an RSA-enabled openssl is falsely passing, which causes the build to die.
This may be the problem you're seeing - as yet I don't have any real clues
about why.

Could you send me a build log from one of the failing ports as well as the
output of 'nm /usr/lib/libcrypto.a | grep RSA_free'? Is this a fresh
installation, i.e. with no older cruft possibly lying around?

> Do we plan to provide a consistent and documented way for users of
> FreeBSD to go from the RSA-disabled base library set to the
> RSA-enabled set, and in a way that provides adequate instruction? I
> get rather uninformative errors when trying to compile

See chapter 6.5 in the handbook.

> OpenSSH, SSLproxy, and Apache13-modssl, none of which is discovered by the
> ports mechanism, rather the application makefiles. While I understand
> that you are not the maintainer for these ports,... :-)
>
> It might be nice, for example, to have a stage in sysinstall for
> crypto-configuration--it would also be accessible post-install, and would
> provide easy access to install via package the underlying RSA libraries,
> with appropriate documentation of licensing issues and confirmation of
> location, etc. Presumably one could back-end this onto a set of ports or
> packages, so there would be more scalable command line/scriptable
> interface.

The packages already exist and are described in the handbook, except they
haven't yet made it onto the ftp site. You can pick them up from
http://www.freebsd.org/~kris/openssl in the meantime.

Sysinstall support is something I'd definitely like to see, but not
something I have time (or knowledge) to do right now. I'll be adding some
instructions to the release notes this weekend, and it should be giving a
helpful error message if you try and install a port which requires RSA and
you have a non-RSA library:

.if ${USE_OPENSSL} == RSA
_HASRSA=	"`/usr/bin/nm /usr/lib/libcrypto.a | /usr/bin/grep RSA_free`"
.if empty(_HASRSA)
.BEGIN:
	@${ECHO} "This port requires RSA crypto, which is not present in your"
	@${ECHO} "version of OpenSSL. Please see Chapter 6.5 in the handbook"
	@${ECHO} "for a description of the problem and alternative solutions."
	@${FALSE}
.endif
.endif

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!"
        -- Homer Simpson
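
A stricter form of the 'nm /usr/lib/libcrypto.a | grep RSA_free' check from the message above, as an added example that is not part of the original message or of the ports tree. It accepts only an exact RSA_free symbol that nm reports as defined (type T or W), whereas a substring grep also matches undefined references (type U) and longer names; the function names and both nm listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample listings are constructed.

# Read `nm` output on stdin; succeed only if symbol $1 is *defined*
# (type T = global text, W = weak), matching the name exactly.
symbol_defined() {
    awk -v sym="$1" '
        NF == 3 && $3 == sym && $2 ~ /^[TW]$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# The substring test from the message, for comparison.
symbol_mentioned() {
    grep -q "$1"
}

# Constructed listing: archive member that defines RSA_free.
sample_with_rsa() {
    cat <<'EOF'

rsa_lib.o:
00000000 T RSA_free
00000040 T RSA_new
         U CRYPTO_free
EOF
}

# Constructed listing: RSA_free is only referenced (U), never defined,
# and a longer constructed name contains it as a substring.
sample_reference_only() {
    cat <<'EOF'

ssl_cert.o:
         U RSA_free
00000000 T example_RSA_free_hook
EOF
}

for sample in sample_with_rsa sample_reference_only; do
    if "$sample" | symbol_mentioned RSA_free; then g=match; else g=no-match; fi
    if "$sample" | symbol_defined RSA_free; then d=defined; else d=not-defined; fi
    echo "$sample: grep=$g strict=$d"
done
# On a real system: nm /usr/lib/libcrypto.a | symbol_defined RSA_free
```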