OpenSSL port issue/question

Started by Mystique, April 06, 2005, 06:50:35 AM


Mystique

Hey all,

New toaster user, but old freebsd/qmail user.

I'm trying to *not* use the openssl port as I've had a myriad of problems with the ssl port and other apps in the past.

I helped someone else figure out his issues that were related to his usage of the openssl port, so I'm trying to save myself that trouble.  But I seem to not be able to build apache (and others) without using the openssl port.

Quote:

root@toaster [/usr/local/etc]# 30 > toaster_setup.pl -s apache

ports_check_age: Ports file is current (enough).
running: make  -DWITH_OPENSSL_PORT  WITH_SUEXEC=yes  SUEXEC_DOCROOT=/usr/local/www/data  SUEXEC_USERDIR=html  SUEXEC_SAFEPATH=/usr/local/bin:/usr/bin:/bin  SUEXEC_LOGFILE=/var/log/apache/suexec.log  SUEXEC_UIDMIN=1000  SUEXEC_GIDMIN=1000  SUEXEC_CALLER=www  install clean
===>   apache-2.0.53_1 depends on file: /usr/local/lib/libcrypto.so.3 - not found
===>    Verifying install for /usr/local/lib/libcrypto.so.3 in /usr/ports/security/openssl


and it tries to build the port.

but:

Quote:

root@toaster [/usr/local/etc]# 31 > grep -i openssl *.conf
pkgtools.conf:# 'lang/php4'    => 'WITH_IMAP=1 WITH_APACHE2=1 WITH_SNMP=4 WITH_GD=1 WITH_OPENSSL=1',
pkgtools.conf:  'lang/php4'        => 'WITH_IMAP=1 WITH_APACHE2=1 WITH_SNMP=5 WITH_GD=1 WITH_OPENSSL=1',
pkgtools.conf:  'databases/mysql40-server'  => 'BUILD_OPTIMIZED=yes WITH_OPENSSL=yes',
pkgtools.conf:  'databases/mysql41-server'  => 'BUILD_OPTIMIZED=yes WITH_OPENSSL=yes',
toaster-watcher.conf:install_openssl_port           = 0



To me that looks like the openssl port is disabled.  So I'm just wondering if using suexec forces use of the ssl port? Or maybe something else?

Is there some sort of 'make clean' that I need to do?

Clues would be appreciated.

Also,

perldoc toaster-watcher.conf has nothing on that openssl port option, the only ssl information mentioned is install_mysql_ssl; nothing more.

LogicX

Related to the base problem of openssl problems --
you wouldn't happen to have /usr/local symlink'd to /usr?

The reason I say this is that such a configuration, or perhaps many configuration problems I've come across with openssl, results from /lib/libcrypto.so.3 differing from /usr/lib/libcrypto.so.3 (or /usr/local/lib/libcrypto.so.3) as the case may be.

the solution I've found, after installing openssl port is to:

mv /lib/libcrypto.so.3 /lib/libcrypto.so.3.bad
cp /usr/local/lib/libcrypto.so.3 /lib

-- if you simply rm /lib/libcrypto.so.3 anything using it will die (sshd).
by moving it -- it maintains the same inode, and any process accessing it will be fine.

After doing so you'll have to restart any daemon that uses the library (try lsof |grep -i libcrypto)
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com
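The "which daemons still hold the old libcrypto" check from the post above, as an added example (not code from the thread): it parses lsof-style lines, so you can pipe real `lsof | grep -i libcrypto` output into it, and reports every process whose mapped libcrypto is not the copy you intend everything to use. The sample lines, the process names and the paths in it are constructed, not taken from the poster's system.

```sh
#!/bin/sh
# Added example, not from the thread. After moving /lib/libcrypto.so.3 aside,
# running daemons keep the old inode mapped and still execute the old code
# until restarted; this finds them from lsof-style output.
# Expected field layout: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

# Constructed sample of `lsof | grep -i libcrypto` output (hypothetical values).
SAMPLE_LSOF='sshd 512 root txt VREG 4,3 1234567 8901 /lib/libcrypto.so.3.bad
qmail-smtpd 777 qmaild txt VREG 4,3 1234567 8902 /usr/local/lib/libcrypto.so.3
httpd 901 www txt VREG 4,3 1234567 8902 /usr/local/lib/libcrypto.so.3
perl 1010 matt txt VREG 4,3 1234567 8903 /usr/lib/libcrypto.so.3'

# stale_procs WANTED_PATH [LSOF_TEXT]
# Prints "COMMAND PID" for each process whose mapped libcrypto (last field)
# is not WANTED_PATH. Reads LSOF_TEXT, or stdin when it is not given.
stale_procs() {
    wanted=$1
    input=${2:-$(cat)}
    printf '%s\n' "$input" | awk -v want="$wanted" '
        tolower($NF) ~ /libcrypto/ && $NF != want { print $1, $2 }'
}

# needs_restart WANTED_PATH [LSOF_TEXT]
# Succeeds (exit 0) when at least one process maps a stale copy.
needs_restart() {
    [ -n "$(stale_procs "$1" "$2")" ]
}

# Stand-alone run against the constructed sample.
if needs_restart /usr/local/lib/libcrypto.so.3 "$SAMPLE_LSOF"; then
    echo "processes still mapping a stale libcrypto (restart these):"
    stale_procs /usr/local/lib/libcrypto.so.3 "$SAMPLE_LSOF"
else
    echo "no stale libcrypto mappings"
fi
```

On a live box, `lsof | grep -i libcrypto | stale_procs /usr/local/lib/libcrypto.so.3` gives the same report; an empty result means everything already runs the intended copy.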

Mystique

Hello :)

(I never got notice that you had replied to my original posting.. )

I'm trying *not* to use the openssl port at all.  I've found that using the openssl port (again at least in my situations) has caused me many problems in the future.

So I'm trying to install the toaster *without* using the openssl port, I'd rather use the base version if at all possible.

OpenSSL> version
OpenSSL 0.9.7d 17 Mar 2004

My problem (seems to be) that the -DWITH_OPENSSL_PORT is 'active' or 'present' even though I think I've disabled it in the toaster-watcher.conf.

Is there something that I need to do to show/tell something that I've disabled the openssl port?

matt

I have already updated Apache.pm so that if you have the openssl port build disabled, it will build Apache without it.

Specifically, what problems have you had using the port version, and what version of FreeBSD did you have this problem on?  I've had no issues whatsoever, and in fact, had very specific issues using older version of OpenSSL with the newer TLS extensions to qmail.

Mystique

Hello (again),

I've had troubles in the past on freebsd 4.x, like when the ssh 'hole' was around, and (the advisable thing at the time) was to use openssh from ports, which used openssl from ports, which then changed the place that the ssl libs were found.. etc.

It was a while back, and I am just a little apprehensive about the whole openssl from ports.  Just because it is included in the base, much like how in the 4.x to 5.x change they removed perl from base (from what I remember) due to its difficulty to upgrade versions.

Usually base and ports conflict with each other..

matt

I must disagree with you. There is no inherent conflict with having OpenSSL installed in the base system and from ports. If it's done that way, you'll have OpenSSL libs in /usr/lib and /usr/include as well as in /usr/local/lib and /usr/include/lib.

Software that searches your path first (/usr/[lib|bin|include]) will find the system version, and most of the ports are now set up to look for the libs in /usr/local/[lib|bin|include].

To assume you'll have problems today just because you did years ago is a tad presumptuous.