From owner-freebsd-ports@FreeBSD.ORG Fri May 2 06:24:28 2014
Message-ID: <53633A26.3010701@geminix.org>
Date: Fri, 02 May 2014 08:24:38 +0200
From: Uwe Doering
Organization: Private UNIX Site
To: "freebsd-security@freebsd.org", "freebsd-ports@freebsd.org"
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
 <201404272250.s3RMo2NZ095771@catnip.dyslexicfish.net>
 <445CDD31-5A11-4F5E-92DE-CB11A10E9BDE@odo.in-berlin.de>
 <5361896C.7010703@bluerosetech.com>
 <53621BE0.4040704@geminix.org>
 <15864901-C372-43A8-A6E6-BF0AF73F2EC6@vpnc.org>
 <536267A0.9010403@geminix.org>
 <5362725B.6010109@geminix.org>

On 01.05.14 22:24, Michael Grimm wrote:
> On 01.05.2014, at 18:12, Uwe Doering wrote:
> [...]
>> And it is also not mentioned there that it is, to
>> my knowledge, considered good practice to have that setting in
>> "/etc/make.conf" in order to avoid any confusion about which port is
>> linked with what version of OpenSSL.
>
> Here's my question: Which knobs are considered good practice? Is it
> experience, is it gut feeling, religion, ...? I would love to see
> documentation covering the pros and cons of every "knob" ... I do not
> complain; I know that is hard work and hard to accomplish.
>
> But any links to documents -besides the ones already mentioned- are
> highly appreciated.

Well, links to documents I cannot provide, but for years I at least have
only these settings in "/etc/make.conf":

    KERNCONF=ESCAPEBOX
    WITH_OPENSSL_PORT=yes
    NO_WARNING_PKG_INSTALL_EOL=yes

Or rather, the last line I added only recently because I haven't switched
to the "pkg" port yet. And the first line is only relevant if you compile
your own modified kernel, like I do.

There can be other things in it, like compiler switches, but I'm rather
conservative in this regard and try to keep defaults wherever I can,
because these mainstream settings are usually the best tested ones. I
need my servers to just run and do their job. In fact, I do not have the
time for surprises due to unnecessary experiments.

> E.g.: excuse my ignorance, but should I stay with ...
>
> | www-jail> ldd `which nginx`
> | /usr/local/sbin/nginx:
> | libcrypt.so.5 => /lib/libcrypt.so.5 (0x8008aa000)
>
> ..., or would there be an alternative in ports? libgcrypt? or? (All my
> relevant services are compiled from ports and run within jails.)

Don't mix up "libcrypt" with "libcrypto". Only the latter has to do with
OpenSSL.

If you install OpenSSL from ports you actually have two sets of similarly
named libs. One in "/lib", the other in "/usr/local/lib". In my case
(FreeBSD 8.4):

    /lib/libcrypto.so.6
    /usr/local/lib/libcrypto.so.8

And while I don't have Nginx installed, here is the relevant "ldd" line
for Apache's "mod_ssl":

    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800d66000)

I would think that if you haven't had the "WITH_OPENSSL_PORT" directive
in "/etc/make.conf" so far, it would be best to make sure that you have
the latest version of OpenSSL from ports installed and then reinstall all
packages that depend on OpenSSL. "portmaster", for instance, has the "-r"
option to do this automatically in one go.

Best regards,
Uwe

-- 
Uwe Doering | EscapeBox - IT Consulting
gemini@geminix.org | http://www.escapebox.net
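The check Uwe describes in the message above (run ldd on a port binary and see whether libcrypto/libssl resolve to the base system's /lib or to the OpenSSL port's /usr/local/lib) written out as a small POSIX sh script. This is an added example, not code from the original mail or from the FreeBSD project. It parses ldd-style output rather than assuming a particular OpenSSL version; the mod_ssl libcrypto line is quoted from the mail, while the other sample lines, the module path and the /usr/local/bin/example-tool binary are constructed for this example. It also shows why libcrypt.so (the base crypt(3) library) is deliberately not counted as OpenSSL.

```shell
#!/bin/sh
# Added example, not from the original mail: classify which libcrypto/libssl a
# binary is linked against, from "ldd"-style output. On FreeBSD the base
# system's OpenSSL lives under /lib and /usr/lib, the OpenSSL port's under
# /usr/local/lib (the paths named in the mail). libcrypt.so is the base
# crypt(3) library, not OpenSSL, so the pattern below ignores it on purpose.

# report_ssl_links LDD_TEXT
#   Prints one line per libssl/libcrypto dependency:
#   "<lib> <base|ports|unknown> <resolved path>"
report_ssl_links() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            path = $3
            if (path ~ /^\/usr\/local\/lib\//)   origin = "ports"
            else if (path ~ /^\/(usr\/)?lib\//) origin = "base"
            else                                origin = "unknown"
            print $1, origin, path
        }'
}

# ssl_origins LDD_TEXT
#   Prints the sorted, comma-joined set of origins seen: "ports" for a port
#   cleanly rebuilt against the OpenSSL port, "base,ports" for the mixed
#   linkage the mail warns about, "" when the binary uses no OpenSSL at all.
ssl_origins() {
    report_ssl_links "$1" | awk '{ print $2 }' | sort -u |
        awk '{ if (NR > 1) s = s ","; s = s $0 } END { print s }'
}

# check_binary PATH
#   Runs the real ldd(1) on an installed file (FreeBSD or Linux), prints the
#   report and returns non-zero when base and ports OpenSSL are mixed.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || return 2
    report_ssl_links "$out"
    [ "$(ssl_origins "$out")" != "base,ports" ]
}

# Constructed sample: the libcrypto line is the mod_ssl line quoted in the
# mail; the module path and the remaining lines are made up for this example.
SAMPLE_PORTS_LDD='/usr/local/libexec/apache22/mod_ssl.so:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800d00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800d66000)
    libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Constructed sample of a hypothetical port binary built before
# WITH_OPENSSL_PORT was set: libssl from the port, libcrypto from the base
# system. The libcrypt line mirrors the nginx output in the mail and must
# not be counted as OpenSSL.
SAMPLE_MIXED_LDD='/usr/local/bin/example-tool:
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x8008aa000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800b00000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'

echo "mod_ssl sample origins: $(ssl_origins "$SAMPLE_PORTS_LDD")"
echo "mixed sample origins:   $(ssl_origins "$SAMPLE_MIXED_LDD")"
report_ssl_links "$SAMPLE_MIXED_LDD"
```

On a live system, `check_binary /usr/local/sbin/nginx` (or any other port binary) gives the same report from real ldd output; a "base,ports" result is the situation the mail recommends fixing by reinstalling OpenSSL from ports and then rebuilding its dependents, for example with portmaster's "-r" option.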