Replacing openssl with libressl for ports
Since its inception in 2014, I’ve been following the LibreSSL project.
The OpenSSL codebase turns out to have severe problems. See the presentation, and especially slide 7.
The OpenSSL in the FreeBSD base system is old and I cannot swap it out, but which SSL library the ports build against is under my control. It took a while, but now was the time for me to switch.
Remove old fetchmail
The fetchmail in ports (6.3.26) does not build against libressl: LibreSSL has removed SSLv3, which fetchmail 6.3.x still references. So we remove it now and build the upcoming 6.4 from source later.
# pkg delete fetchmail-6.3.26_3
Update make.conf
From 20160616 onward, you must state in make.conf which SSL port you want to build against:
-DEFAULT_VERSIONS= ruby=2.1 python3=3.5 ghostscript=agpl ssl=openssl
+DEFAULT_VERSIONS= ruby=2.1 python3=3.5 ghostscript=agpl ssl=libressl
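Review bot: the `ssl=libressl` value changes the SSL provider for every port that links libssl/libcrypto, so after this edit all of those ports must be rebuilt from source and none of them can come from the official binary packages any more (those are built against a different provider); a later `pkg upgrade` of such a port would reintroduce a mismatched binary.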
Since the default is the rather old OpenSSL from base, I was already building against the OpenSSL port.
That does mean that I cannot use binary packages for any port that links against SSL: they are built against a different libcrypto, so the whole dependency chain has to come from source.
Replace openssl with libressl
First, replace the port.
# portmaster -o security/libressl security/openssl
Then rebuild everything that depends on it (-r rebuilds the dependents, -R skips ports that are already up to date).
# portmaster -R -r libressl-2.3.6
...
===>>> The following actions will be taken if you choose to proceed:
Re-install python27-2.7.11_3
Re-install xorg-server-1.17.4,1
Re-install ffmpeg-2.8.7_1,1
Re-install mutt-1.6.1
Re-install openssh-portable-7.2.p2,1
Re-install curl-7.49.0
Re-install nmap-7.12
Re-install nettle-3.2
Re-install git-2.9.0
Re-install dma-0.11,1
Re-install nginx-1.10.1,2
Re-install scrypt-1.2.0_1
Re-install libevent2-2.0.22_1
Re-install libarchive-3.2.0_1,1
Re-install python35-3.5.1_3
Check that there are no missing libraries in /usr/local/bin and /usr/local/sbin.
~/src/scripts/private> python3 missing-libs.py /usr/local/bin/
WARNING: cannot access /usr/local/bin/urxvt
WARNING: cannot access /usr/local/bin/xlock
WARNING: cannot access /usr/local/bin/urxvtd
/usr/local/bin/mupdf libcrypto.so.8 => not found (0)
/usr/local/bin/mujstest libcrypto.so.8 => not found (0)
WARNING: ldd failed on /usr/local/bin/rrm
/usr/local/bin/mutool libcrypto.so.8 => not found (0)
/usr/local/bin/mupdf-x11-curl libcrypto.so.8 => not found (0)
It is clear that the mupdf port needs updating.
# cd /usr/ports/graphics/mupdf
# make
# make deinstall install clean
After that, there are no more missing libs. A running daemon keeps the old libcrypto mapped until it is restarted, and the only server running here is nginx, so restart it.
# service nginx restart
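The missing-library check above can be scripted. The following is an added example and not the author's private missing-libs.py: it runs ldd over a directory, reports every library that ldd marks as "not found", and goes one step beyond the page by also flagging libssl/libcrypto that resolve outside /usr/local/lib, which catches binaries still linked against another SSL provider such as the OpenSSL in base. The two sample ldd outputs are constructed for the demonstration, not captured from a real host, and the /usr/local/lib prefix is an assumption that matches the default ports layout.

```python
#!/usr/bin/env python3
"""Report binaries whose shared libraries ldd can no longer resolve.

Added example, not the author's private missing-libs.py. It runs ldd over a
directory, lists every library reported as "not found", and (going one step
further than the page) flags libssl/libcrypto that resolve outside the
expected prefix, i.e. binaries still linked against another SSL provider.
"""
import os
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# One dependency per ldd line. FreeBSD appends "(0)" after "not found",
# glibc's ldd prints just "not found"; both match.
NOT_FOUND_RE = re.compile(r"^\s*(\S+)\s*=>\s*not found", re.MULTILINE)
# A resolved dependency: "libssl.so.8 => /usr/local/lib/libssl.so.8 (0x...)"
RESOLVED_RE = re.compile(r"^\s*(\S+)\s*=>\s*(/\S+)", re.MULTILINE)


def missing_libs(ldd_output: str) -> List[str]:
    """Names of libraries ldd reported as 'not found'."""
    return NOT_FOUND_RE.findall(ldd_output)


def foreign_ssl_libs(ldd_output: str,
                     expected_prefix: str = "/usr/local/lib/") -> List[Tuple[str, str]]:
    """(name, path) of libssl/libcrypto resolved outside expected_prefix.

    After the switch every port binary should load libssl/libcrypto from
    /usr/local/lib (the LibreSSL port, assumed prefix); a hit means it was
    linked against another provider, e.g. base OpenSSL under /usr/lib or /lib.
    """
    return [(name, path) for name, path in RESOLVED_RE.findall(ldd_output)
            if name.startswith(("libssl.", "libcrypto."))
            and not path.startswith(expected_prefix)]


def run_ldd(path: str) -> Tuple[bool, str]:
    """Run ldd; (True, stdout) on success, (False, reason) otherwise.

    ldd fails on scripts and static binaries; that is the "ldd failed"
    case in the page's output, not a missing library.
    """
    try:
        proc = subprocess.run(["ldd", path], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, str(exc)
    if proc.returncode != 0:
        return False, proc.stderr.strip()
    return True, proc.stdout


def scan_dir(directory: str) -> Dict[str, List[str]]:
    """Map each binary that has a problem to its list of findings."""
    report: Dict[str, List[str]] = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        if not os.access(path, os.R_OK):          # e.g. mode 0700 setuid helpers
            print(f"WARNING: cannot access {path}", file=sys.stderr)
            continue
        ok, out = run_ldd(path)
        if not ok:
            print(f"WARNING: ldd failed on {path}", file=sys.stderr)
            continue
        findings = [f"{lib} => not found" for lib in missing_libs(out)]
        findings += [f"{lib} => {p} (not under /usr/local/lib)"
                     for lib, p in foreign_ssl_libs(out)]
        if findings:
            report[path] = findings
    return report


# Constructed samples of FreeBSD ldd output (not captured from a real host).
# A binary built against the removed OpenSSL port: libcrypto.so.8 is gone.
SAMPLE_MISSING = (
    "/usr/local/bin/mupdf:\n"
    "\tlibcrypto.so.8 => not found (0)\n"
    "\tlibfreetype.so.6 => /usr/local/lib/libfreetype.so.6 (0x800a00000)\n"
    "\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)\n"
)
# A binary that links fine, but against the OpenSSL in base, not the port.
SAMPLE_BASE_SSL = (
    "/usr/local/bin/somecli:\n"
    "\tlibssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)\n"
    "\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)\n"
    "\tlibc.so.7 => /lib/libc.so.7 (0x800e00000)\n"
)


if __name__ == "__main__":
    for directory in sys.argv[1:] or ["/usr/local/bin", "/usr/local/sbin"]:
        for path, findings in scan_dir(directory).items():
            for finding in findings:
                print(f"{path} {finding}")
```

Run it as `python3 check-libs.py /usr/local/bin /usr/local/sbin` after the portmaster pass and again after any port you rebuild by hand; an empty report means every binary resolves, and every libssl/libcrypto it resolves comes from the port rather than from base.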
Re-install a patched fetchmail
The source code for the upcoming 6.4 release is cloned from GitLab (the legacy_64 branch). Compile it, install it and start it.
> git clone https://gitlab.com/fetchmail/fetchmail.git
> cd fetchmail/
> git branch
* legacy_64
> sh ./autogen.sh
> ./configure --disable-nls --enable-fallback=no --enable-opie \
--enable-RPA --enable-SDPS --without-hesiod
> gmake
> strip fetchmail
> install fetchmail ~/bin
> rehash
> killall fetchmail
> fetchmail
For comments, please send me an e-mail.