# FreeBSD 12.1 - /usr/ports/devel/git - error on "make install clean" - Any tips?



## StreetDancer (Feb 28, 2020)

Hey everyone! Up against a tough error compile that I cannot seem to resolve without asking for help. 

root@sharpenyoursword:/usr/ports/devel/git # make install clean


```
===>  Staging for git-2.25.1
===>   git-2.25.1 depends on executable: curl - found
===>   git-2.25.1 depends on executable: cvsps - found
===>   git-2.25.1 depends on package: p5-CGI>=0 - found
===>   git-2.25.1 depends on package: p5-Error>=0 - found
===>   git-2.25.1 depends on package: p5-Authen-SASL>=0 - not found
===>   p5-Authen-SASL-2.16_1 depends on package: p5-Digest-HMAC>0 - found
===>   p5-Authen-SASL-2.16_1 depends on package: p5-GSSAPI>0 - not found
===>  p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
GSSAPI from base, please select another GSSAPI value.
*** Error code 1

Stop.
make[4]: stopped in /usr/ports/security/p5-GSSAPI
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/security/p5-Authen-SASL
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/security/p5-Authen-SASL
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/devel/git
*** Error code 1

Stop.
make: stopped in /usr/ports/devel/git
root@sharpenyoursword:/usr/ports/devel/git #
```


----------



## StreetDancer (Feb 28, 2020)

I found this thread : https://forums.freebsd.org/threads/gssapi-preventing-build-of-ports.58805/

However I couldn't see how it would help assist me. Perhaps I am missing something.


----------



## SirDice (Feb 28, 2020)

The answer is in the message:

```
===>  p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
GSSAPI from base, please select another GSSAPI value.
```


```
====> GSSAPI Security API support: you have to select exactly one of them
     GSSAPI_BASE=on: GSSAPI support via base system (needs Kerberos)
     GSSAPI_HEIMDAL=off: GSSAPI support via security/heimdal
     GSSAPI_MIT=off: GSSAPI support via security/krb5
```


----------



## StreetDancer (Feb 28, 2020)

I found this thread : https://forums.freebsd.org/threads/gssapi-preventing-build-of-ports.58805/

However I couldn't see how it would help assist me. Perhaps I am missing something.


SirDice said:


> The answer is in the message:
> 
> ```
> ===>  p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
> ...


SirDice,

I see the answer in the output. I just do not understand it. When issuing "make install clean" I receive a pop-up with options. None of them are asking me to use GSSAPI or OpenSSL. And the default checked items also include "Perl" which I believed to be the "p5-GSSAPI". 

I then attempted to "make install clean" again after issuing "make rmconfig" and then unchecking Perl support only to receive the same error again!

Thank you!

Best Regards,

Brandon Kastning


----------



## SirDice (Feb 28, 2020)

You've set an alternate SSL in /etc/make.conf. This conflicts with the default options from security/p5-GSSAPI. 

If you look at the Makefile of devel/git you can see it's the SEND_EMAIL option that pulls in security/p5-Authen-SASL:

```
89 	SEND_EMAIL_IMPLIES=     PERL
90 	SEND_EMAIL_RUN_DEPENDS= p5-Authen-SASL>=0:security/p5-Authen-SASL \
91 	                        p5-IO-Socket-SSL>=0:security/p5-IO-Socket-SSL
```


----------



## StreetDancer (Feb 28, 2020)

SirDice said:


> You've set an alternate SSL in /etc/make.conf. This conflicts with the default options from security/p5-GSSAPI.
> 
> If you look at the Makefile of devel/git you can see it's the SEND_EMAIL option that pulls in security/p5-Authen-SASL:
> 
> ...


SirDice,

You are very right. I most certainly did update my /etc/make.conf around Christmas and after January when we had the OpenSSL package problems/changes. 

Is the solution to edit the current /etc/make.conf

which is:


```
DEFAULT_VERSIONS+=ssl=openssl
#DEFAULT_VERSIONS+=ssl=openssl111
```

change it to:


```
#DEFAULT_VERSIONS+=ssl=openssl
#DEFAULT_VERSIONS+=ssl=openssl111
```

then go back to /usr/ports/devel/git and issue "make install clean" and it should default to a non-overriding make setting which doesn't use openssl? Then cycle it back on in /etc/make.conf once it installs; provided that's the correct solution.


----------



## SirDice (Feb 28, 2020)

StreetDancer said:


> Then cycle it back on in /etc/make.conf once it installs; provided that's the correct solution.


No, because that would cause other problems. You can't just mix and match dependencies like that. You either use OpenSSL from the base _or_ OpenSSL from ports. And you do this for _everything_ (that's why it's set in /etc/make.conf).

So, the question should be, do I really need to use OpenSSL from ports? If yes, then you will need to fix any dependency issues that may arise from this (which often means disabling certain options or setting the correct GSSAPI). If no, then remove the setting from make.conf and rebuild everything.


----------



## StreetDancer (Feb 28, 2020)

SirDice said:


> No, because that would cause other problems. You can't just mix and match dependencies like that. You either use OpenSSL from the base _or_ OpenSSL from ports. And you do this for _everything_ (that's why it's set in /etc/make.conf).
> 
> So, the question should be, do I really need to use OpenSSL from ports? If yes, then you will need to fix any dependency issues that may arise from this (which often means disabling certain options or setting the correct GSSAPI). If no, then remove the setting from make.conf and rebuild everything.


SirDice,

OpenSSL is required for Apache/NGINX SSL's from my understanding. As well as using Certbot for self-signing SSL Certificates. 

So if that's true; then I most certainly need OpenSSL for all my web projects.

How to build git then by fixing any dependency issues. I am not sure how to approach this sir.


----------



## SirDice (Feb 28, 2020)

StreetDancer said:


> OpenSSL is required for Apache/NGINX SSL's from my understanding.


OpenSSL is included in the base OS. 

```
dice@wintermute:~ % freebsd-version -uk
12.1-RELEASE-p2
12.1-RELEASE-p2
dice@wintermute:~ % /usr/bin/openssl version
OpenSSL 1.1.1d-freebsd  10 Sep 2019
```


----------



## StreetDancer (Feb 28, 2020)

SirDice said:


> OpenSSL is included in the base OS.
> 
> ```
> dice@wintermute:~ % freebsd-version -uk
> ...


SirDice,

So with it being in the base OS. I shouldn't remove it. How do I make git work; or do I not get to utilize git on FreeBSD due to me keeping OpenSSL?


----------



## proton1234 (Mar 1, 2020)

don't want to create new thread so would ask here

What the difference between "apachectl graceful" and "apachectl -k graceful" ? Man page say that there is no difference but as far as i can see "apachectl -k graceful" run silently while "apachectl graceful" output some messages to CLI?





						apachectl
					






					www.freebsd.org
				





			httpd - Apache Hypertext Transfer Protocol Server - Apache HTTP Server Version 2.4


----------



## richardtoohey2 (Mar 1, 2020)

Back to the OP's question - there is no "right" answer - it's a choice you make.  Either use base OpenSSL OR ports OpenSSL and then build everything that depends on OpenSSL against that version.

At this point in time - FreeBSD 12.1 base OpenSSL is 1.1.1d, and so is the ports version.  But that may change.

On FreeBSD 11 the base OpenSSL was 1.0.2 but that became EOL so if you wanted to be up-to-date, you had to install ports OpenSSL 1.1.1 and rebuild everything against that.  Base OpenSSL wasn't the "best" option (at that time).  There was a bit of pain around the 1.0.2 EOL to 1.1.1 ports migration (with the make.conf variable changing) but it wasn't too bad in the end (for me, anyway!)

To make your life simpler (for now!), you may want to revert to the base OpenSSL and then (hopefully) everything including git will build.  But you should make sure you rebuild everything against base OpenSSL and remove the port (just to be on the safe side) - so that you know you are 100% using base OpenSSL.  If you leave a mixture of ports with some built against base OpenSSL and some built against port's OpenSSL - you will be in pain in a few months or whenever OpenSSL 1.1.1e or whatever comes out.

BUT if you stick with base OpenSSL then if at some point in the future OpenSSL 2.0 (or whatever) came out, or the base OpenSSL got to EOL, then you'll be coming back to the decision you made now.


----------



## StreetDancer (Mar 2, 2020)

richardtoohey2 said:


> Back to the OP's question - there is no "right" answer - it's a choice you make.  Either use base OpenSSL OR ports OpenSSL and then build everything that depends on OpenSSL against that version.
> 
> At this point in time - FreeBSD 12.1 base OpenSSL is 1.1.1d, and so is the ports version.  But that may change.
> 
> ...


richardtoohey2,

Thank you for that very detailed information. I most certainly want to avoid future problems on this server build. How do I ensure that OpenSSL base is the only OpenSSL used.

I went ahead and issued a "pkg info openssl" and received the following:


```
# pkg info openssl
openssl-1.1.1d,1
Name           : openssl
Version        : 1.1.1d,1
Installed on   : Thu Feb 27 06:44:14 2020 PST
Origin         : security/openssl
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : security devel
Licenses       : OpenSSL
Maintainer     : brnrd@FreeBSD.org
WWW            : https://www.openssl.org/
Comment        : TLSv1.3 capable SSL and crypto library
Options        :
    ARIA           : off
    ASM            : on
    ASYNC          : on
    CT             : on
    DES            : on
    EC             : on
    GOST           : on
    IDEA           : off
    MAN3           : on
    MD2            : off
    MD4            : on
    MDC2           : off
    NEXTPROTONEG   : on
    RC2            : on
    RC4            : on
    RC5            : off
    RFC3779        : off
    RMD160         : on
    SCTP           : on
    SHARED         : on
    SM2            : off
    SM3            : off
    SM4            : off
    SSE2           : on
    SSL3           : off
    THREADS        : on
    TLS1           : on
    TLS1_1         : on
    TLS1_2         : on
    ZLIB           : off
Shared Libs provided:
    libcrypto.so.11
    libssl.so.11
Annotations    :
    FreeBSD_version: 1200086
    cpe            : cpe:2.3:a:openssl:openssl:1.1.1d:::::freebsd12:x64
    repo_type      : binary
    repository     : FreeBSD
Flat size      : 13.4MiB
Description    :
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1,
v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide.
The project is managed by a worldwide community of volunteers that use
the Internet to communicate, plan, and develop the OpenSSL tookit
and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
an Apache-style licence, which basically means that you are free
to get and use it for commercial and non-commercial purposes subject
to some simple license conditions.

WWW: https://www.openssl.org/
#
```

Thank you very much!

Best Regards,

Brandon Kastning


----------



## richardtoohey2 (Mar 2, 2020)

You need to find anything you've linked to ports OpenSSL, remove the DEFAULT_VERSIONS+=ssl=openssl from /etc/make.conf (if you've still got it), and rebuild those ports that you built linked to the ports OpenSSL.

To find the ports (if any) linked to the ports OpenSSL, I think this will do the trick:

```
pkg info -r openssl
```
So that's the list of ports you've built linked to ports OpenSSL.  Double check your /etc/make.conf doesn't have any openssl line in it.

Then rebuild those ports (how you do so depends on what tool(s) you've been building with so far.)  You seem to be using make directly (in your git example) so you might have to go to each of the ports you've built and do some sort of make clean and then make reinstall dance (I'm not a ports or make expert so can't tell you exactly what will work.)  It's good to have another machine or VM to experiment on!

Might also be an idea to remove the OpenSSL port after that, to make sure you are 100% base.

Note: /usr/bin/openssl is the base OpenSSL, /usr/*local*/bin/openssl is the ports OpenSSL.  And something like this shows you the binary files they are linked to:

```
% ldd /usr/bin/openssl
/usr/bin/openssl:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x8002dd000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800375000)
    libc.so.7 => /lib/libc.so.7 (0x800664000)
    libthr.so.3 => /lib/libthr.so.3 (0x800a5d000)
    
% ldd /usr/local/bin/openssl
/usr/local/bin/openssl:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x8002dc000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800372000)
    libthr.so.3 => /lib/libthr.so.3 (0x8005f9000)
    libc.so.7 => /lib/libc.so.7 (0x800626000)
```

So my base openssl program is linked to /usr/lib/libssl.so.111
My ports openssl program is linked to /usr/local/lib/libssl.so.11

Or looking at mod_ssl for Apache:

```
% ldd /usr/local/libexec/apache24/mod_ssl.so
/usr/local/libexec/apache24/mod_ssl.so:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x8006ab000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800e00000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x800741000)
    libthr.so.3 => /lib/libthr.so.3 (0x800762000)
    libc.so.7 => /lib/libc.so.7 (0x80024a000)
```
You can see libssl.so.11 is located at /usr/local/lib/libssl.so.11 - so my mod_ssl is linked to the ports OpenSSL.

Same for MySQL:

```
% ldd /usr/local/libexec/mysqld
/usr/local/libexec/mysqld:
    libz.so.6 => /lib/libz.so.6 (0x800d6e000)
    libm.so.5 => /lib/libm.so.5 (0x800d88000)
    libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x800dba000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x800dbf000)
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800de0000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800e76000)
    libc++.so.1 => /usr/lib/libc++.so.1 (0x8010fd000)
    libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x8011cd000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x8011ef000)
    libthr.so.3 => /lib/libthr.so.3 (0x801209000)
    libc.so.7 => /lib/libc.so.7 (0x801236000)
    libelf.so.2 => /lib/libelf.so.2 (0x80162f000)
```
You can see libssl is pointing to /usr/*local*/lib/libssl.so.11 - the ports OpenSSL.

You've said "I most certainly want to avoid future problems on this server build" - but what I've recommended doesn't guarantee that.  Like I said if an OpenSSL 2.x (or whatever) came out with whizzy new features and you wanted to use them in e.g. Apache - then using the base OpenSSL will mean you can't.  You are making a choice - the base OpenSSL should be fine and it should be easier to build ports using it but it is a choice!  It's your system, so you have to make the choice.

I'm pretty sure you don't want to mix & match the versions.


----------



## StreetDancer (Mar 3, 2020)

richardtoohey2 said:


> You need to find anything you've linked to ports OpenSSL, remove the DEFAULT_VERSIONS+=ssl=openssl from /etc/make.conf (if you've still got it), and rebuild those ports that you built linked to the ports OpenSSL.
> 
> To find the ports (if any) linked to the ports OpenSSL, I think this will do the trick:
> 
> ...


Fair enough! 

# pkg info -r openssl
openssl-1.1.1d,1:
# 

I ran that after hashing out the /etc/make.conf lines on openssl


----------



## StreetDancer (Mar 3, 2020)

Here are the outputs to mine... they look exactly like yours richardtoohey2

# ldd /usr/bin/openssl

```
/usr/bin/openssl:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x8002dd000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800375000)
    libc.so.7 => /lib/libc.so.7 (0x800664000)
    libthr.so.3 => /lib/libthr.so.3 (0x800a5d000)
```

# ldd /usr/local/bin/openssl


```
/usr/local/bin/openssl:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x8002dd000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800370000)
    libthr.so.3 => /lib/libthr.so.3 (0x800657000)
    libc.so.7 => /lib/libc.so.7 (0x800684000)
```

# ldd /usr/local/libexec/apache24/mod_ssl.so


```
/usr/local/libexec/apache24/mod_ssl.so:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x8006ac000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800e00000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x800744000)
    libthr.so.3 => /lib/libthr.so.3 (0x800765000)
    libc.so.7 => /lib/libc.so.7 (0x80024a000)
```

# ldd /usr/local/libexec/mysqld


```
/usr/local/libexec/mysqld:
    liblz4.so.1 => /usr/local/lib/liblz4.so.1 (0x801822000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x801857000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x801878000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x801910000)
    libz.so.6 => /lib/libz.so.6 (0x801bff000)
    libm.so.5 => /lib/libm.so.5 (0x801c19000)
    librt.so.1 => /usr/lib/librt.so.1 (0x801c4b000)
    libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x801c53000)
    libc++.so.1 => /usr/lib/libc++.so.1 (0x801c58000)
    libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x801d28000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801d4a000)
    libthr.so.3 => /lib/libthr.so.3 (0x801d64000)
    libc.so.7 => /lib/libc.so.7 (0x801d91000)
    libelf.so.2 => /lib/libelf.so.2 (0x80218a000)
```


----------



## richardtoohey2 (Mar 3, 2020)

Nope, your outputs look exactly like you've built Apache and MySQL against base OpenSSL - which is what I think you wanted:

```
/usr/local/libexec/apache24/mod_ssl.so:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x8006ac000)
```
and

```
/usr/local/libexec/mysqld:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x801878000)
```
So they are linked to /usr/lib/libssl.so - the base OpenSSL library.  What happens if you try and build git now?  You might still not get much further forward depending on config options you've taken with earlier ports but at least you are working with base OpenSSL now.


----------



## richardtoohey2 (Mar 17, 2020)

This post is just to try and illustrate what I was talking about previously - the base and ports OpenSSL versions diverging.

So OpenSSL 1.1.1e is now available: 






						FreshPorts -- security/openssl: TLSv1.3 capable SSL and crypto library
					

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. The project is...




					www.freshports.org
				




You look at the changelog: https://www.openssl.org/news/cl111.txt

And perhaps you decide you really need _errrm_ the fix for "an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli".

You've built everything against the base OpenSSL 1.1.1d - and I don't _think_ that will be upgraded in FreeBSD 12.1 (_maybe_ in a 12.2?)  So you've got to stay with OpenSSL 1.1.1d (or go for the ports option).

But if you used the ports option - you can upgrade to OpenSSL 1.1.1e and (if required) rebuild the ports linked to it.

Neither option (base OpenSSL or ports OpenSSL) is necessarily "right" or "wrong" or "best" - it's a choice to make based on _your_ requirements.

(Please do correct me if I'm wrong, just going by my observations, so would be good to know.)


----------



## PMc (Mar 18, 2020)

richardtoohey2 said:


> You look at the changelog: https://www.openssl.org/news/cl111.txt
> 
> And perhaps you decide you really need _errrm_ the fix for "an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli".



Yes indeed, that's the question.

But there is more to it. It begins with the devel/git pulling in security/p5-Authen-SASL. It does so only if you want to "SEND_EMAIL", but that happens to be the default.
Then, security/p5-Authen-SASL pulls in security/p5-GSSAPI. It does so only if you want to use "KERBEROS", but that happens to be the default. (Do you know what KERBEROS is good for and why you might need it? If not, then you quite certainly do not need it.)

Then security/p5-GSSAPI pulls in Kerberos - and gladly we have three of them: one is integrated in the base system, one is available from MIT, and another one, Heimdal, was created in Sweden to overcome crypto export regulations. (And nobody ever bothered to clean up that mess - they do interoperate, but have some different function names and calling conventions.)

Now for some reasons the OpenSSL from ports does not work (or not build?) with the Kerberos integrated in the base system. I wonder why that would be the case. Let's find out:



> Revision *420788*
> *Wed Aug 24 13:03:30 2016 UTC*
> 
> Can't use GSSAPI from base when using OpenSSL from ports.
> ...



Okay, that sounds like it was never fully debugged. Can understand that - I had enough pain when I tried to make Ruby work with the Kerberos in base.


----------

