# Compile GELI with OpenSSL from ports



## equal (Jan 8, 2018)

FreeBSD 11.1 i386

I have compiled and installed openssl from ports, so there are:
a) /usr/bin/openssl (OpenSSL 1.0.2k-freebsd  26 Jan 2017) with /lib/libcrypto.so.8, /usr/lib/libssl.so.8
and
b) /usr/local/bin/openssl (OpenSSL 1.0.2n  7 Dec 2017) with /usr/local/lib/libcrypto.so.9, /usr/local/lib/libssl.so.9

And I want to compile the base system with the new version of openssl (for use in another project).
As GELI is one of the files in base currently requiring libcrypto, I try to make /usr/src/sbin/geom with these options in /etc/make.conf:

```
DEFAULT_VERSIONS+=ssl=openssl        # yes, it's for ports, not base
WITH_OPENSSL_PORT=YES
OPENSSL_PORT=security/openssl
### WITHOUT_OPENSSL=                 # in this case, geli doesn't compile at all
```

but with no success.

```
ldd /usr/src/sbin/geom/class/eli/geom_eli.so:
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x2861b000)
```
Naturally, I can manually replace libcrypto.so.8 with libcrypto.so.9:

```
ln -sf /usr/local/bin/openssl /usr/bin/openssl
ln -sf /usr/local/lib/libcrypto.so.9 /lib
ln -sf /lib/libcrypto.so.9 /usr/lib/libcrypto.so
```
(and likewise for libssl, include files, ...)

But is there any legal opportunity to compile geli (base) with openssl (or libressl) from ports?


----------



## SirDice (Jan 8, 2018)

GELI is part of the base OS. Nothing from the base OS can ever depend on a port.


----------



## equal (Jan 8, 2018)

There are examples (like https://wiki.freebsd.org/LibreSSL) of replacing openssl with libressl, even in the base OS. In my case I just want to replace openssl with a fresher version.


----------



## SirDice (Jan 8, 2018)

equal said:


> There are examples (like https://wiki.freebsd.org/LibreSSL) of replacing openssl with libressl, even in base OS.


Yes, but this _replaces_ the SSL libraries of the base OS, it does not use a port for that.


----------



## equal (Jan 8, 2018)

ok, _replacing_ old openssl with a newer one is good for my purpose.

Will it be enough (if simplified) to replace /usr/src/crypto/openssl with the downloaded and patched content of /usr/ports/security/openssl/work/openssl-1.0.2n, so that all source files in base that require libcrypto or libssl, when compiled, will be linked to the newer openssl libraries? Well, keeping in mind the difference in paths (/usr/local/lib vs /usr/lib), of course.


----------



## SirDice (Jan 8, 2018)

equal said:


> ok, _replacing_ old OpenSSL with a newer one is good for my purpose.


Exactly why do you want to do this anyway? The SSL version in the base may appear to be an older version, but security issues are always backported.

I'm quite sure you will run into all sorts of compatibility issues, not just with GELI but with everything from the base OS that uses the OpenSSL libraries.


----------



## equal (Jan 8, 2018)

Currently I have OpenSSL 1.0.2k (older) in base, and OpenSSL 1.0.2n (newer) in ports.

I am making a custom tiny installation, and don't want to have some software (from base, like geli) compiled with the older openssl (libcrypto.so.8, libssl.so.8), and other software (from ports) with the newer one (libcrypto.so.9, libssl.so.9). That's all.

Compile _all_ with the old version from base: not a good idea because of security issues. Carry both library versions: also, no way. Compile _all_ with the newer version: yesssss, but how???


----------
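The ldd check from the first post and the "two libcrypto versions on one system" concern from the last one can be turned into an audit. This is an added example, not code from the thread: a POSIX sh script that parses ldd-style output for libcrypto/libssl, reports which soversion each file links against, and flags a tree that mixes versions (e.g. .so.8 beside .so.9). The helper names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect mixed libcrypto/libssl linkage across an install tree.

# Read ldd output on stdin; print "<lib> <soversion> <resolved path>" for every
# libcrypto/libssl dependency found (other libraries are ignored).
parse_ssl_libs() {
    awk '$1 ~ /^lib(crypto|ssl)\.so\./ && $2 == "=>" {
            lib = $1; sub(/\.so\..*$/, "", lib)      # libcrypto.so.8 -> libcrypto
            ver = $1; sub(/^.*\.so\./, "", ver)      # libcrypto.so.8 -> 8
            print lib, ver, $3
         }'
}

# Read parse_ssl_libs lines on stdin; print "mixed" when more than one soversion
# of libcrypto or of libssl is referenced, otherwise "consistent".
check_mixed() {
    awk '{ seen[$1 "=" $2] = 1 }
         END {
            nc = 0; ns = 0
            for (k in seen) { if (k ~ /^libcrypto=/) nc++; if (k ~ /^libssl=/) ns++ }
            v = (nc > 1 || ns > 1) ? "mixed" : "consistent"
            print v
         }'
}

# Walk a directory (e.g. a staged tiny installation), run ldd on executables and
# shared objects, and print "<file> <lib> <soversion> <path>" for each SSL link.
# Pipe the result through check_mixed to get the tree-wide verdict.
audit_tree() {
    find "$1" -type f \( -perm -100 -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        ldd "$f" 2>/dev/null | parse_ssl_libs |
        while read -r lib ver path; do printf '%s %s %s %s\n' "$f" "$lib" "$ver" "$path"; done
    done
}

# Constructed sample ldd output mirroring the thread: geom_eli.so from base links
# libcrypto.so.8, the ports openssl binary links libcrypto/libssl .so.9.
SAMPLE_LDD='/usr/src/sbin/geom/class/eli/geom_eli.so:
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x2861b000)
    libc.so.7 => /lib/libc.so.7 (0x28080000)
/usr/local/bin/openssl:
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x28100000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x28200000)
    libc.so.7 => /lib/libc.so.7 (0x28080000)'

# Verdict for the constructed sample (prints "mixed").
sample_verdict() { printf '%s\n' "$SAMPLE_LDD" | parse_ssl_libs | check_mixed; }
```

On a real system run `audit_tree /path/to/staged/root | awk '{print $2, $3, $4}' | sort -u` to list the distinct libcrypto/libssl versions in use, or pipe it into `check_mixed` for the one-word verdict.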

