# Upgrade OpenSSL 1.0.2 > 1.1.1



## Mayhem30 (Sep 12, 2018)

I noticed that OpenSSL v1.1.1 is now available as a new port ( security/openssl111 ). I have OpenSSL 1.0.2 currently installed ( security/openssl ).

How do I upgrade to this newest version using PKG and Synth?


----------



## kpa (Sep 12, 2018)

You don't until the individual port maintainers set their ports to use the new version. That's not just a simple flick of the switch because OpenSSL 1.1.1 has a different API than the current 1.0.2. It's going to be both an upstream and port maintainer issue for the ports involved.


----------



## kpa (Sep 12, 2018)

Some of the ports will work with the new OpenSSL because the upstream has already made them aware of the new API and it's just a matter of recompiling with the OpenSSL port set to the new one (once the setting hits the ports tree) but I bet there's an awful lot of software out there that needs updating to use the new API.
https://lists.freebsd.org/pipermail/freebsd-ports/2018-September/114239.html


----------



## Mayhem30 (Sep 13, 2018)

How will I know when all my ports that depend on security/openssl are ready to be upgraded to the latest version of OpenSSL?

```
$ pkg info -r security/openssl
openssl-1.0.2p_1,1:
        ldns-1.7.0_1
        cclient-2007f_3,1
        apr-1.6.3.1.6.1_1
        nmap-7.70
        wget-1.19.5
        libzip-1.5.1
        unbound-1.7.3
        postfix-3.3.1_1,1
        python36-3.6.6_1
        nginx-1.14.0_11,2
        mysql56-client-5.6.41
        mysql56-server-5.6.41
        php71-openssl-7.1.21
        php71-imap-7.1.21
        php71-ftp-7.1.21
        dovecot-2.3.2.1_1
        libevent-2.1.8_2
        curl-7.61.1
        opendkim-2.10.3_8
```


----------



## rigoletto@ (Sep 13, 2018)

They will probably be updated 'alone' during the regular updates, until the point a `pkg autoremove` will get rid of the old openssl package.


----------



## xtaz (Sep 13, 2018)

I occasionally get the same issue with libressl-devel versions. What I do is periodically change the default SSL version in make.conf and let poudriere (or synth in your case) try and build all of my packages. If any fail then I know it's still not ready and I revert to what I had before.

I've never tried to use openssl111 though, but I assume you would set DEFAULT_VERSIONS+=ssl=openssl111 in the make.conf that synth uses.

Which according to the documentation is /usr/local/etc/synth/[profile]-make.conf where [profile] is LiveSystem if you've never customised it.

If you change that and run a synth prepare-system then you should see it rebuild all packages that depend on openssl. If any fail then remove that line and rebuild it again. If all is successful then you can pkg upgrade it.


----------



## Mayhem30 (Sep 13, 2018)

xtaz said:

> If you change that and run a synth prepare-system then you should see it rebuild all packages that depend on openssl. If any fail then remove that line and rebuild it again. If all is successful then you can pkg upgrade it.

Thank you, I'll try that this afternoon and see what happens.


----------



## kpa (Sep 13, 2018)

Setting `DEFAULT_VERSIONS+=ssl=openssl111` seems to work already for the most part, but there are some odd ports that fail to build with OpenSSL v1.1.1; for me at least www/elinks failed to build with ports-mgmt/poudriere.


----------



## Mayhem30 (Sep 13, 2018)

Is it possible to have both security/openssl and security/openssl111 installed at the same time?


----------



## rigoletto@ (Sep 13, 2018)

You will need to set a general `DEFAULT_VERSIONS+=` ( if you do not want to use the Base one by default ), and one per port you want to use a different version. However I don't remember the exact syntax right now, but it is something along the lines of `cat_port_DEFAULT_VERSIONS+=`.

*[EDIT]*

See bsd.default-versions.mk.


----------



## Mayhem30 (Sep 13, 2018)

I can't seem to get this to work correctly. All synth wants to do is build security/openssl111 - and not rebuild any ports that depend on it.

```
$ sudo synth status
Querying system about current package installations.
Stand by, comparing installed packages against the ports tree.
Scanning existing packages.
These are the ports that would be built ([N]ew, [R]ebuild, [U]pgrade):
  N => security/openssl111
Total packages that would be built: 1
```

/usr/local/etc/synth/LiveSystem-make.conf :

```
OPTIONS_UNSET = X11 CUPS

DEFAULT_VERSIONS+=ssl=openssl111 php=7.1 mysql=5.6
```


----------



## xtaz (Sep 14, 2018)

Hrm. Poudriere does this correctly. It detects that a dependency wants to be changed and invalidates all the packages that depend on it. One way around it might be to run `pkg info -r openssl` (or whatever package you have installed) to get the list and then delete those from the synth package repository directory. That would force it to rebuild them.


----------



## Mayhem30 (Sep 14, 2018)

What's weird is that I've done this before (with PHP, MySQL) - normally making this change in the make.conf triggers all the dependencies to be rebuilt. Something is broken ...

I'll run this past Marino and see if he knows what's going on.


----------



## Mayhem30 (Sep 29, 2018)

Ok, making the changes in my LiveSystem-make.conf file does nothing except install the security/openssl111 port. Synth will not rebuild all the ports that depend on it.

What are my other options? Is it safe to change the port origin?

```
pkg set -o security/openssl:security/openssl111
```


----------



## rigoletto@ (Sep 29, 2018)

Mayhem30 most software depending on OpenSSL will not build against security/openssl111 because they do not support it yet. There were several API changes IIRC. Even ArchLinux hasn't switched completely yet.

If you badly need it for something you know already supports it, better to modify the port locally.


----------



## Mayhem30 (Oct 1, 2018)

lebarondemerde said:

> If you badly need it for something you know already supports it, better to modify the port locally.

How do I do that? I see nothing in the Makefile.


----------



## Mayhem30 (Oct 11, 2018)

How do I modify the port locally?


----------



## rigoletto@ (Oct 11, 2018)

It would be easier if you told us which port you are talking about, but if the port depends on X version of the OpenSSL you need to edit it to use the 1.1.1 version.


----------



## Mayhem30 (Oct 12, 2018)

Sorry, I'm trying to get Nginx to use the new OpenSSL 1.1.1 version.


----------



## rigoletto@ (Oct 12, 2018)

www/nginx does not support OpenSSL 1.1.1! You need www/nginx-devel which should already support it.

This port is rather complicated to say anything about from just the quick look I did, and so it would be better to set `DEFAULT_VERSIONS+=ssl=openssl111` just for this port but I never remember the syntax for that.

And yes, `openssl111` was already added to bsd.default-versions.mk.


----------



## Mayhem30 (Oct 12, 2018)

Thank you. Is it possible to have both OpenSSL versions installed at the same time?

Rigoletto said:

> would be better to set `DEFAULT_VERSIONS+=ssl=openssl111` just for this port

Does anyone know how to set DEFAULT_VERSIONS just for a particular port?


----------



## rigoletto@ (Oct 12, 2018)

Mayhem30 said:

> Is it possible to have both OpenSSL versions installed at the same time?

OpenSSL 1.1.1 will conflict with *SSL from *ports* but not the Base one, which is the default.

IIRC the syntax would be something like `www_nginx-devel_DEFAULT_VERSIONS+=ssl=openssl111`.

*I think* I saw sidetone using per port configurations in the past.


----------



## drhowarddrfine (Oct 12, 2018)

Rigoletto said:

> You need www/nginx-devel which should already support it.

I use nginx-devel and am not aware that it does. There is nothing in config about it, at least.


----------



## rigoletto@ (Oct 12, 2018)

That is not in the config yet, you would need to either modify the port changing all `OPTION_USES` which have `ssl` to `OPTION_RUN_DEPENDS` on security/openssl111, or change the default openssl version like I pointed out before.

Nginx does support TLS v1.3 (the draft specification) since 1.13 but the support for openssl111 (with the final TLS v1.3 specification) in it is very, very recent but the 1.15.5 *should* already support it (but I would expect some instability).

Anyway, I would not go for it but wait a few weeks when the default things should be already sorted out.


----------



## rigoletto@ (Oct 13, 2018)

Just in case you are not watching the mail lists, 12R will now come with openssl111 in Base.


----------



## CyberCr33p (Feb 24, 2019)

rigoletto@ said:

> OpenSSL 1.1.1 will conflict with *SSL from *ports* but not the Base one, which is the default.
> 
> IIRC the syntax would be something like `www_nginx-devel_DEFAULT_VERSIONS+=ssl=openssl111`.
> 
> *I think* I saw sidetone using per port configurations in the past.

Are you sure that /etc/make.conf allows using different default versions per port?

I am trying to compile net-snmp with base openssl instead of the openssl port.


----------



## rigoletto@ (Feb 24, 2019)

CyberCr33p said:

> Are you sure that /etc/make.conf allows using different default versions per port?

No. I've said "IIRC". I know it works for options but I still don't remember the syntax.

CyberCr33p said:

> I am trying to compile net-snmp with base openssl instead of the openssl port.

If you are on 12R ---> `BROKEN_SSL= openssl111`


----------



## CyberCr33p (Feb 24, 2019)

Yes I have 12R.

Finally I changed openssl to base and recompiled the ports.

Any idea why the openssl port still has an older version?


----------



## rigoletto@ (Feb 24, 2019)

CyberCr33p said:

> Any idea why the openssl port still has an older version?

Sorry, no. You could contact the maintainer about that. Or open a bug report, with a patch even better.


----------



## Mayhem30 (Feb 24, 2019)

If you're looking to install the latest version of OpenSSL in ports, you need to use security/openssl111


----------



## CyberCr33p (Feb 24, 2019)

Thank you all for the replies.

Yes I know about the openssl111 port.

As base has the same version for now I use openssl from base. In the future I plan to change to openssl111, or to the openssl port if by that time it uses the new version.


----------



## rigoletto@ (Feb 24, 2019)

Base has openssl111 in 12R.


----------



## uzsolt (Feb 25, 2019)

CyberCr33p said:

> Any idea why the openssl port still has an older version?

```
$ echo foobar > keyfile
$ echo "to encrypt" | /usr/bin/openssl aes-256-cbc -a -salt -out encrypt -pass file:keyfile
$ /usr/bin/openssl aes-256-cbc -d -a -in encrypt -pass file:keyfile
to encrypt
$  /usr/local/bin/openssl aes-256-cbc -d -a -in encrypt -pass file:keyfile
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
34387091456:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:537:
$  /usr/bin/openssl version
OpenSSL 1.0.2o-freebsd  27 Mar 2018
$  /usr/local/bin/openssl version
OpenSSL 1.1.1a  20 Nov 2018
```

But maybe it's a bug.


----------
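The `bad decrypt` in the session above is a documented behaviour change rather than a bug: when `openssl enc` is given a passphrase without `-pbkdf2`, it derives key and IV with the legacy EVP_BytesToKey scheme, and the default digest for that scheme changed from MD5 (1.0.x) to SHA-256 (1.1.0 and later). The same passphrase and salt therefore yield a different AES key on each side, so 1.1.1 can only read the 1.0.2 ciphertext with `-md md5`, and the durable fix is `-pbkdf2` on both ends (which 1.0.2 does not offer, so data has to be re-encrypted with 1.1.1). The script below is an added illustration, not from the thread or from OpenSSL's own sources: it models EVP_BytesToKey and the `Salted__` header with the standard library only, uses the thread's passphrase `foobar`, and the salt and ciphertext bytes in `SAMPLE_BLOB` are constructed for the example (no real `openssl` output is reproduced). The `1.0.2`/`1.1.1` labels map each release to its default digest; the PBKDF2 parameters (SHA-256, 10000 iterations, key and IV from one output) are what 1.1.1's `-pbkdf2` uses by default, stated here as my reading of `enc`, not as a guarantee of the page.

```python
"""Model of why OpenSSL 1.0.2 and 1.1.1 disagree on an `enc -pass` ciphertext.

Added example (not from the thread or OpenSSL): the two releases run the
same EVP_BytesToKey derivation but with different default digests, so the
derived AES-256 key and IV differ for the same passphrase and salt.
"""
import base64
import hashlib

# Digest that `openssl enc` uses for EVP_BytesToKey when no -md is given.
DEFAULT_ENC_DIGEST = {"1.0.2": "md5", "1.1.1": "sha256"}

# aes-256-cbc parameters: 32-byte key, 16-byte IV.
AES256_KEY_LEN = 32
AES_IV_LEN = 16

# Constructed sample values for this example (not real openssl output).
PASSWORD = b"foobar"  # first line of the thread's keyfile
SAMPLE_SALT = bytes.fromhex("0123456789abcdef")
SAMPLE_BLOB = base64.b64encode(b"Salted__" + SAMPLE_SALT + b"\x00" * 16).decode()


def evp_bytes_to_key(password, salt, key_len, iv_len, digest, count=1):
    """Legacy OpenSSL EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    key || iv is the first key_len + iv_len bytes of D_1 || D_2 || ...
    `count` is the hash iteration count; `openssl enc` always uses 1.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_salted_blob(b64_blob):
    """Split a base64 `openssl enc -a -salt` blob into (salt, ciphertext).

    The raw layout is the 8-byte magic b"Salted__", an 8-byte salt and then
    the ciphertext. Raises ValueError when the magic is absent.
    """
    raw = base64.b64decode(b64_blob)
    if raw[:8] != b"Salted__":
        raise ValueError("not an `openssl enc -salt` blob")
    return raw[8:16], raw[16:]


def key_iv_for_version(password, salt, version):
    """Key and IV that the given release derives without -md / -pbkdf2."""
    digest = DEFAULT_ENC_DIGEST[version]
    return evp_bytes_to_key(password, salt, AES256_KEY_LEN, AES_IV_LEN, digest)


def pbkdf2_key_iv(password, salt, iterations=10000, digest="sha256"):
    """Derivation selected by `-pbkdf2` in 1.1.1: PBKDF2-HMAC-SHA256,
    10000 iterations by default, key and IV taken from one 48-byte output.
    Version-independent, which is why the warning recommends it."""
    out = hashlib.pbkdf2_hmac(digest, password, salt, iterations,
                              AES256_KEY_LEN + AES_IV_LEN)
    return out[:AES256_KEY_LEN], out[AES256_KEY_LEN:]


def versions_agree(b64_blob, password):
    """True only if both releases would derive the same key/IV for the blob."""
    salt, _ = parse_salted_blob(b64_blob)
    return (key_iv_for_version(password, salt, "1.0.2")
            == key_iv_for_version(password, salt, "1.1.1"))


if __name__ == "__main__":
    salt, _ = parse_salted_blob(SAMPLE_BLOB)
    for version in ("1.0.2", "1.1.1"):
        key, iv = key_iv_for_version(PASSWORD, salt, version)
        print(f"{version} ({DEFAULT_ENC_DIGEST[version]}): key={key.hex()} iv={iv.hex()}")
    key, iv = pbkdf2_key_iv(PASSWORD, salt)
    print(f"-pbkdf2: key={key.hex()} iv={iv.hex()}")
    print("legacy derivations agree:", versions_agree(SAMPLE_BLOB, PASSWORD))
```

Run it and the two legacy lines print different keys and IVs for the same salt, which is exactly the state the 1.1.1 binary was in when it reported `bad decrypt`; the PBKDF2 line is the same on any release that supports `-pbkdf2`.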

