# Using openssl-devel instead of openssl



## Alain De Vos (Sep 29, 2021)

When I want to install openssl-devel the system wants to remove 1300 packages.
Can I recompile all those packages and force them to use openssl-devel instead of openssl?
By putting a parameter somewhere in make.conf?


----------



## SirDice (Sep 29, 2021)

Alain De Vos said:


> Can I recompile all those packages and force them to use openssl-devel instead of openssl?
> By putting a parameter somewhere in make.conf?


It looks like `openssl-devel` isn't an option.

```
# Possible values: base, openssl, libressl, libressl-devel
```
But setting it does actually work:

```
DEFAULT_VERSIONS+= ssl=openssl-devel
```
That's to say, the ports system will pick it up correctly, but you could see a lot of build errors on various ports as they may or may not be compatible with it.


----------



## Alain De Vos (Sep 29, 2021)

I found this. I think I'll just wait a bit longer as I have dovecot, mariadb, postgresql, unbound.


OpenSSL/3.0.0 - FreeBSD Wiki


----------



## SirDice (Sep 30, 2021)

Alain De Vos said:


> I think I'll just wait a bit longer as I have dovecot, mariadb, postgresql, unbound.


Yes, I would suggest waiting for the dust to settle before blindly updating your production systems. If you want to try it then do so on a couple test systems. Did you set up a Poudriere repository? You could create a second repository with openssl-devel set as the default to see how things are going. That will allow you to test things without interfering with your 'production' repository.


----------



## Alain De Vos (Sep 30, 2021)

It's not because something compiles without a problem that the working of it is without a problem. So we are currently lacking information.


----------



## SirDice (Oct 1, 2021)

Alain De Vos said:


> It's not because something compiles without a problem that the working of it is without a problem.


True, just because it compiles and builds correctly doesn't mean it'll actually work. But if you set up a test repository you can test the resulting packages on a test system too. A lot of professional environments use DTAP cycles for this. Although you don't have a development cycle you can still follow the TAP part of it. You test your stuff on test systems (just making sure nothing breaks), then do acceptance tests (basically running tests with real-world data on a copy of your production system) before you put something out in production.


----------



## Alain De Vos (Oct 2, 2021)

Good idea. I'm going to set up a "Development" environment next to an "Acceptance" environment.
In one jail I run poudriere with openssl-devel ("Development"), in another jail with openssl ("Acceptance").
When a change in default version works in "Development" I can add it to "Acceptance".
When updating the system ("Production") I just need to point "/usr/local/etc/pkg/repos/Local.conf" to the correct nginx jailed server.
Currently starting to compile 2500 ports with openssl-devel. I'm really curious about the result.
As an experiment I also disabled TLS 1.0 & TLS 1.1.
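
The separate test repository SirDice suggests and the per-environment `Local.conf` described in this post, as an added example that is not part of the original posts. It uses a Poudriere set (`-z`) so that only the test build picks up `ssl=openssl-devel`. The jail name `test13`, ports tree `default`, set name `ssldevel`, host `pkg.example.internal`, the `/packages/` URL path and the `pkglist` file are assumptions.

```shell
#!/bin/sh
# Added example: stage config for a separate Poudriere set built against
# openssl-devel. Assumed names (not from the thread): jail "test13",
# ports tree "default", set "ssldevel", repo host pkg.example.internal.
set -eu

JAIL=test13; TREE=default; SET=ssldevel
REPO_HOST=pkg.example.internal

# Poudriere reads <set>-make.conf only for builds run with "-z <set>",
# so the production build keeps its current SSL default.
write_set_makeconf() {  # $1 = poudriere.d directory
    mkdir -p "$1"
    printf 'DEFAULT_VERSIONS+= ssl=openssl-devel\n' > "$1/${SET}-make.conf"
}

# Packages for a set land in their own directory, <jail>-<tree>-<set>.
repo_name() { printf '%s-%s-%s' "$JAIL" "$TREE" "$SET"; }

# pkg repository file for a test machine; production keeps its own Local.conf.
write_repo_conf() {  # $1 = pkg repos directory
    mkdir -p "$1"
    cat > "$1/Local.conf" <<EOF
Local: {
  url: "http://${REPO_HOST}/packages/$(repo_name)",
  enabled: yes
}
EOF
}

# Command to run on the build host; printed here rather than executed.
bulk_command() {  # $1 = file listing port origins
    printf 'poudriere bulk -j %s -p %s -z %s -f %s' "$JAIL" "$TREE" "$SET" "$1"
}

# Dry run: stage both files under a scratch directory for review.
STAGE=$(mktemp -d)
write_set_makeconf "$STAGE/usr/local/etc/poudriere.d"
write_repo_conf "$STAGE/usr/local/etc/pkg/repos"
echo "staged in $STAGE"
echo "build with: $(bulk_command /usr/local/etc/poudriere.d/pkglist)"
```

Because the set's packages go to their own directory, a failed openssl-devel build never overwrites the repository that production machines install from.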


----------



## Alain De Vos (Oct 2, 2021)

Compiling ruby30 or ruby27 is failing, taking 200 ports with it; unacceptable for the moment.


----------

