Forcing use of newer version of OpenSSL

Matthew Seaman matthew at freebsd.org
Tue Sep 15 17:01:03 UTC 2015


On 09/15/15 17:33, Jerry wrote:
> I have both OpenSSL 1.0.1l-freebsd 15 Jan 2015 {located in /usr/bin} and
> OpenSSL 1.0.2d 9 Jul 2015 {located in /usr/local/bin} residing on my system.
> Now, I want to use and hopefully link programs against the "port", i.e., newer
> version. If I adjust the path to use "/usr/local/bin" first, some programs
> fail to build. I discovered this a few months ago and received that bit of
> knowledge on this forum. I therefore changed the path so "/usr/bin" goes
> before "/usr/local/bin". That has the effect of causing the older version of
> OpenSSL to be used.
> 
> Other than permanently changing the path, and then changing it back when a
> build fails, how can I permanently fix this problem? IMHO, the newer version
> should permanently overwrite the older version. I don't need or want two
> versions. Since the older version comes with the base system, I am hesitant
> to try and remove it. In a perfect world, the base system would be updated,
> but I guess that is not going to happen anytime soon.

For anything you want to compile from ports, just add:

WITH_OPENSSL_PORT=      yes

to /etc/make.conf (or /usr/local/etc/poudriere.d/make.conf if you're
using poudriere)

Additionally you have to be careful of some ports that have GSSAPI
options -- don't enable GSSAPI support from the base system, or you'll
end up with a binary linked against two different versions of OpenSSL
libraries.  Apart from that, the ports openssl is pretty much a drop-in
replacement.

For stuff you're compiling yourself, outside of ports, you need to force
your compilation to use the appropriate -I (for include files) and -L
(for libraries) search paths when compiling C code.  How to do this is
specific to the compilation system used by whatever code you're trying to
compile.

It's not feasible to remove openssl from base -- too much stuff in base
needs it -- nor is it feasible to overwrite the base openssl with the
ports version -- the ABIs have changed between the two versions.

I believe the ultimate plan is to make the base version of openssl a
private library and require all ported software to use the ports version
of openssl, but that is for future implementation.

	Cheers,

	Matthew
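
[Added example, not part of the original message.] One way to check for the double-linking problem described above is to look at where a binary's libssl/libcrypto resolve in `ldd` output. The function names, sonames, paths and addresses below are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Sample ldd output is constructed.

# Print the distinct directories libssl/libcrypto were resolved from,
# given ldd-style output ("name => /path/name (addr)") on stdin.
openssl_lib_dirs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
        path = $3
        sub("/[^/]*$", "", path)    # drop the file name, keep the directory
        print path
    }' | sort -u
}

# Succeed (exit 0) when the OpenSSL libraries come from both the base
# system (/lib, /usr/lib) and the ports prefix (/usr/local/lib).
mixed_openssl() {
    dirs=$(openssl_lib_dirs)
    base=$(printf '%s\n' "$dirs" | grep -c -E '^/(usr/)?lib$' || true)
    ports=$(printf '%s\n' "$dirs" | grep -c '^/usr/local/lib$' || true)
    [ "$base" -gt 0 ] && [ "$ports" -gt 0 ]
}

# Constructed sample: a port built with base GSSAPI enabled.
sample_mixed() {
cat <<'EOF'
/usr/local/bin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800849000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800ab9000)
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800ec0000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x8010c9000)
    libc.so.7 => /lib/libc.so.7 (0x8014be000)
EOF
}

# Constructed sample: same binary linked only against the ports OpenSSL.
sample_ports_only() {
cat <<'EOF'
/usr/local/bin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800849000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800ab9000)
    libc.so.7 => /lib/libc.so.7 (0x8014be000)
EOF
}

# Usage: sh check.sh /path/to/binary
if [ $# -gt 0 ]; then
    if ldd "$1" | mixed_openssl; then
        echo "$1: linked against base AND ports OpenSSL"; exit 1
    fi
    echo "$1: single OpenSSL prefix"
fi
```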

	

