# moving to ports' security/openssl



## YuryG (Jan 5, 2020)

Is there a smooth way to move from base OpenSSL to ports' OpenSSL? As far as I can see, there is no simple option to find the exact ports that were built using base OpenSSL that someone wants to move to using the ports' one.


----------



## drhowarddrfine (Jan 5, 2020)

Install security/openssl from ports.
Add `DEFAULT_VERSIONS= ssl=openssl` to /etc/make.conf
Rebuild any ports you want to use with it.
Done.


----------



## YuryG (Jan 5, 2020)

drhowarddrfine said:


> Install security/openssl from ports.
> Add `DEFAULT_VERSIONS= ssl=openssl` to /etc/make.conf
> Rebuild any ports you want to use with it.
> Done.


Isn't that clear from my first post? There's no (easy?) way to find ports that use OpenSSL. And if I have half of ports that use it from base, and the other half that use it from ports, and then not all autoconfigure's are good enough to use just what I say in make.conf options… I see a bunch of potentially bad-bad problems.


----------



## Alain De Vos (Jan 5, 2020)

I don't see major issues beforehand. For GSSAPI I use HEIMDAL when possible.


----------



## drhowarddrfine (Jan 5, 2020)

YuryG: All ports use the base port unless you change it in make.conf as I showed.


----------



## richardtoohey2 (Jan 5, 2020)

I think the OP means if you have 100 ports installed how do you know which of those 100 are linked to base OpenSSL?  How can you _easily_ find out that say, Apache, MySQL, and Python are linked to the base OpenSSL?

Once you are using ports you can do something like this

```
% pkg info -r openssl
openssl-1.1.1d,1:
    python36-3.6.9_3
    php73-openssl-7.3.13
    php73-ftp-7.3.13
    apache24-2.4.41
    apr-1.7.0.1.6.1
    libzip-1.5.2
    vsftpd-ssl-3.0.3_1
    mysql56-server-5.6.46
    mysql56-client-5.6.46
    libevent-2.1.11
    libarchive-3.4.0,1
    curl-7.67.0
```
But how can you do the same thing if those ports were built WITHOUT the change to /etc/make.conf?  I think that is the question.


----------



## Alain De Vos (Jan 5, 2020)

Rebuild every port, or find out a .so file is missing.


----------



## obsigna (Jan 5, 2020)

richardtoohey2 said:


> I think the OP means if you have 100 ports installed how do you know which of those 100 are linked to base OpenSSL? ...
> ... I think that is the question.



Execute the following command:
`find /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/local/lib -type f | xargs -n1 file -F ' ' | grep ELF | cut -f1 -d' ' | xargs ldd -f '%A %o\n' | grep "libssl.so\|libcrypto.so" | cut -f1 -d' ' | sort -u | xargs -n1 pkg which | cut -f6 -d' ' | sort -u | tee ~/openssl_dependencies.txt`

Be aware that this takes some time (45 min on my low-end system). Here comes the result:

```
apache24-2.4.41
apr-1.7.0.1.6.1
cmake-3.15.5
curl-7.67.0
cyrus-sasl-2.1.27
dovecot-2.3.9.2
git-2.24.1
gnupg1-1.4.23_2
isc-dhcp44-server-4.4.1_4
ldns-1.7.1_1
libarchive-3.4.0,1
libevent-2.1.11
libzip-1.5.2
mpd5-5.8_10
mysql56-client-5.6.46
mysql56-server-5.6.46
netatalk3-3.1.12_2,1
p5-subversion-1.13.0
php72-curl-7.2.26
php72-openssl-7.2.26
php72-pdo_pgsql-7.2.26
php72-pgsql-7.2.26
php72-zip-7.2.26
pkg-1.12.0
postfix-sasl-3.4.8,1
postgresql96-client-9.6.16
postgresql96-contrib-9.6.16
postgresql96-server-9.6.16
py37-cryptography-2.6.1
python37-3.7.6
samba410-4.10.11
serf-1.3.9_4
squid-4.9
strongswan-5.8.2
subversion-1.13.0
trousers-0.3.14_2
```

Once you have prepared everything for building with security/openssl, you could rebuild the list of the ports using the following command:

```
portmaster `cat ~/openssl_dependencies.txt`
```

Note that some ports insist on being built with openssl from base. For example, the last time I tried this some years ago, curl didn’t like being built with openssl from the ports.


----------
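
Added example (not part of any post in this thread): the pipeline above lists every package whose binaries load libssl or libcrypto, but not which copy each one resolves to. This sh sketch classifies binaries by resolved library path as base, ports, or mixed. The function names and sample lines are constructed, and the `ldd -f '%A %p\n'` producer mentioned in the comments is an assumption based on the format characters documented in rtld(1).

```shell
#!/bin/sh
# Added example: tell apart binaries linked to base OpenSSL from those
# linked to the ports copy, and flag binaries that load both.
# Input: lines of "<binary> <resolved library path>". On a live FreeBSD
# system such lines could come from (assumed producer):
#   ldd -f '%A %p\n' <files>

classify_openssl() {
    awk '
    $2 ~ /\/lib(ssl|crypto)\.so/ {
        if ($2 ~ /^\/usr\/local\//)       src = "ports"   # security/openssl
        else if ($2 ~ /^(\/usr)?\/lib\//) src = "base"    # /lib or /usr/lib
        else                              src = "other"
        if (!($1 in seen)) { order[++n] = $1; seen[$1] = src }
        else if (seen[$1] != src) seen[$1] = "mixed"      # both copies loaded
    }
    END { for (i = 1; i <= n; i++) print seen[order[i]], order[i] }
    '
}

# Binaries that still need a rebuild after switching DEFAULT_VERSIONS.
needs_rebuild() {
    classify_openssl | awk '$1 != "ports" { print $2 }'
}

# Constructed sample input; library version suffixes are illustrative only.
sample_ldd_pairs() {
    cat <<'EOF'
/usr/local/bin/curl /usr/lib/libssl.so.111
/usr/local/bin/curl /lib/libcrypto.so.111
/usr/local/bin/curl /lib/libc.so.7
/usr/local/sbin/httpd /usr/local/lib/libssl.so.11
/usr/local/sbin/httpd /usr/local/lib/libcrypto.so.11
/usr/local/bin/svn /usr/local/lib/libssl.so.11
/usr/local/bin/svn /lib/libcrypto.so.111
/usr/local/bin/zip /lib/libc.so.7
EOF
}

sample_ldd_pairs | classify_openssl
```

Piping the `needs_rebuild` output through `pkg which`, as in the command above, would turn the binaries into package names for the rebuild list.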

