Date:      Thu, 27 Feb 2020 21:37:06 +0100
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        Pete Wright <pete@nomadlogic.org>, Miroslav Lachman <000.fbsd@quip.cz>, "ports@freebsd.org" <ports@freebsd.org>
Subject:   Re: About protocols in openssl
Message-ID:  <0104ac5e-8d50-4a7e-ee6e-20c3a0167700@digiware.nl>
In-Reply-To: <be596e5a-c136-cd3f-d634-f19558ac25ff@nomadlogic.org>
References:  <f7d98734-20dd-5ee7-b8b9-6ebc69603cb7@digiware.nl> <d7673dcd-467a-25ce-bca7-21cd74bf1777@quip.cz> <75330ed3-5f85-ea63-b8df-c73b5426b5a8@digiware.nl> <be596e5a-c136-cd3f-d634-f19558ac25ff@nomadlogic.org>

On 27-2-2020 20:52, Pete Wright wrote:
>
>
> On 2020-02-27 11:42, Willem Jan Withagen wrote:
>> On 27-2-2020 20:25, Miroslav Lachman wrote:
>>> Willem Jan Withagen wrote on 2020/02/27 20:00:
>>>> Hi,
>>>>
>>>> My ceph ports use all kinds of python stuff, and now the trouble 
>>>> is that I'm getting
>>>> an error on missing:
>>>>      SSLv3_client_method
>>>>
>>>> Which I guess is because in the current openssl libs SSLv3 is 
>>>> disabled.
>>>> And I sort of get this, SSLv3 is unsafe.
>>>>
>>>> But I need it to be able to run parts of the ceph port.
>>>>
>>>> So how do I get an openssl lib dependency that has SSLv3 enabled.
>>>
>>> You can build OpenSSL 1.1.1 from the ports where you can enable 
>>> SSLv3 in the options dialog.
>>>
>>> https://www.freshports.org/security/openssl/
>>>
>>> The defaults are:
>>> ====> Protocol Support
>>> NEXTPROTONEG=on: Next Protocol Negotiation (SPDY)
>>> SCTP=on: SCTP (Stream Control Transmission)
>>> SSL3=off: SSLv3 (unsafe)
>>> TLS1=on: TLSv1.0 (requires TLS1_1, TLS1_2)
>>> TLS1_1=on: TLSv1.1 (requires TLS1_2)
>>> TLS1_2=on: TLSv1.2
>>
>> Yup, this is what I did, and that works.
>> But how do I do that for a port? And then make sure that the installer 
>> of the ceph-package gets an openssl that has SSLv3
> It may be best to build an internal package with the options you need 
> configured accordingly.  I do this via poudriere for some of my 
> internal software.  For example I have this file on my package builder:
> /usr/local/etc/poudriere.d/make.conf
>
> which contains the following:
> x11-servers_xorg-server_SET=FIXDRM
>
> I think this matches the same format of make.conf you would use if 
> building the ports tree locally.

Interesting, but not quite what I want....
It is not for personal usage, but for ports that I have committed to the 
ports collection, and want to upgrade.
And yes, fixing openssl works for this problem, but it is not only my 
problem.

I maintain these Ceph ports, and now upstream uses a python module that 
expects SSLv3 to be available in the openssl that it encounters on the system.
And the question is how to accommodate that?
Short of embedding my own openssl libs with the ceph-libs, thus creating 
a huge maintenance problem.

I could also argue that switching off SSLv3 in a generic library is sort 
of impractical, even if it is a protocol that we want to eradicate.
But I guess that the maintainers of openssl have decided that this is 
the smart thing to do.
And I'm at peace with that, but now require an escape from this catch-22.

--WjW
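As an added example (not code from the thread or from the Ceph or OpenSSL projects), a Python probe that checks which client-method symbols the system libssl exports, so a dependency on `SSLv3_client_method` is reported before a binding fails to load; the symbol names are OpenSSL's, while the helper functions, the preference order and the injectable `lookup` callable are my own assumptions.

```python
"""Probe the system libssl for the client-method symbols a binding may
reference, so a missing SSLv3_client_method is reported before the binding
fails.  Added example: symbol names are OpenSSL's, helpers are assumed."""
import ctypes
import ctypes.util

# Preference order: negotiating TLS first, fixed versions next, SSLv3 last.
# A libssl built with no-ssl3 (the port's SSL3=off default) omits the last.
CLIENT_METHODS = (
    "TLS_client_method",      # OpenSSL >= 1.1.0, negotiates highest TLS
    "TLSv1_2_client_method",
    "TLSv1_1_client_method",
    "TLSv1_client_method",
    "SSLv3_client_method",    # the symbol the ceph dependency trips over
)

def symbol_exists_in_libssl(name):
    """Default lookup: True if the system libssl exports symbol `name`."""
    path = ctypes.util.find_library("ssl")
    if path is None:
        return False
    try:
        getattr(ctypes.CDLL(path), name)   # AttributeError if not exported
    except (AttributeError, OSError):
        return False
    return True

def probe_client_methods(lookup=symbol_exists_in_libssl):
    """Return {symbol: available} for every entry in CLIENT_METHODS."""
    return {name: bool(lookup(name)) for name in CLIENT_METHODS}

def choose_client_method(available):
    """Pick the most modern exported method, or None if none is exported."""
    for name in CLIENT_METHODS:
        if available.get(name):
            return name
    return None

def explain(available):
    """One-line verdict a port maintainer can act on."""
    chosen = choose_client_method(available)
    if chosen is None:
        return "libssl exports no usable client method"
    if not available.get("SSLv3_client_method"):
        return f"SSLv3 disabled in this libssl; use {chosen}"
    return f"SSLv3 present; still prefer {chosen}"
```

Calling `explain(probe_client_methods())` on a host reports whether the installed libssl was built with SSL3 on or off and which method the binding should fall back to.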