Replacing openssl with libressl for ports
Since its inception in 2014, I’ve been following the LibreSSL project.
The OpenSSL codebase turns out to have severe problems. See the presentation, and especially sheet 7.
The version in the FreeBSD base system is old, but the version used by the ports I can control. It took a while, but now was the time for me to switch.
Remove old fetchmail
The fetchmail from ports cannot handle libressl because it uses SSLv3. So we remove it and install the upcoming 6.4 later.
# pkg delete fetchmail-6.3.26_3
From 20160616 onward, you must indicate in
make.conf that you want to use
an SSL port.
-DEFAULT_VERSIONS= ruby=2.1 python3=3.5 ghostscript=agpl ssl=openssl +DEFAULT_VERSIONS= ruby=2.1 python3=3.5 ghostscript=agpl ssl=libressl
Since the default is to use the rather old openssl from base, I was already using openssl from ports.
This does mean that I cannot use packages for the ports that use SSL.
Replace openssl with libressl
First, replace the port.
# portmaster -o security/libressl security/openssl
Then update all dependencies.
# portmaster -R -r libressl-2.3.6 ... ===>>> The following actions will be taken if you choose to proceed: Re-install python27-2.7.11_3 Re-install xorg-server-1.17.4,1 Re-install ffmpeg-2.8.7_1,1 Re-install mutt-1.6.1 Re-install openssh-portable-7.2.p2,1 Re-install curl-7.49.0 Re-install nmap-7.12 Re-install nettle-3.2 Re-install git-2.9.0 Re-install dma-0.11,1 Re-install nginx-1.10.1,2 Re-install scrypt-1.2.0_1 Re-install libevent2-2.0.22_1 Re-install libarchive-3.2.0_1,1 Re-install python35-3.5.1_3
Check that there are no missing libraries in
~/src/scripts/private> python3 missing-libs.py /usr/local/bin/ WARNING: cannot access /usr/local/bin/urxvt WARNING: cannot access /usr/local/bin/xlock WARNING: cannot access /usr/local/bin/urxvtd /usr/local/bin/mupdf libcrypto.so.8 => not found (0) /usr/local/bin/mujstest libcrypto.so.8 => not found (0) WARNING: ldd failed on /usr/local/bin/rrm /usr/local/bin/mutool libcrypto.so.8 => not found (0) /usr/local/bin/mupdf-x11-curl libcrypto.so.8 => not found (0)
It is clear that the
mupdf port needs updating.
# cd /usr/ports/graphics/mupdf # make # make deinstall install clean
After that, there are no more missing libs. The nginx webserver is running as a server. Restart it.
# service nginx restart
Re-install a patched fetchmail
The source code for the upcoming 6.4 release is downloaded from gitlab. Compile, install and start it.
> git clone https://gitlab.com/fetchmail/fetchmail.git > cd fetchmail/ > git branch * legacy_64 > sh ./autogen.sh > ./configure --disable-nls --enable-fallback=no --enable-opie \ --enable-RPA --enable-SDPS --without-hesiod > gmake > strip fetchmail > install fetchmail ~/bin > rehash > killall fetchmail > fetchmail
For comments, please send me an e-mail.