# dns/bind910 and OpenSSL from base



## YuryG (May 1, 2016)

In an attempt to upgrade bind910-9.10.3P4 to 9.10.4 I get an error I had to tolerate before. That is:

```
bind910-9.10.4 is marked as broken: OpenSSL from the base system does
not support GOST, add  WITH_OPENSSL_PORT=yes to your /etc/make.conf and rebuild
everything  that needs SSL
```
Maybe it is possible to get GOST in the base OpenSSL version in the near future? (I'm on -stable system source updates.) I suppose some other ports have trouble with GOST too.


----------



## kpa (May 1, 2016)

Not likely if you're on FreeBSD 9.x; the base system OpenSSL will not be updated from 0.9.8za to anything newer because that would break the ABI. Only security and errata fixes will be applied to it but nothing else.


----------



## YuryG (May 1, 2016)

I'm on FreeBSD 10.3-stable. (Maybe I'm recalling mistakenly, but some time ago I believed there was GOST in base OpenSSL, wasn't there?)


----------



## SirDice (May 2, 2016)

This PR 184805 implies 10-STABLE has support for it.


----------



## YuryG (May 2, 2016)

Well, that's what I have: FreeBSD 10.3-STABLE #0 r297931M,

```
openssl ciphers GOST
Error in cipher list
34379309720:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_lib.c:1294:
```
And yes, I remember something about working GOST in the base and some patches. Hence the question. And the error is different from the one in the mentioned PR. The output of `openssl ciphers`:

```
openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
```
I can't say for sure, but supposedly there's no GOST. And I already have the patch proposed in the PR applied.

UPD. And the text in dns/bind910/Makefile doesn't check any versions:

```
.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && defined(WITH_OPENSSL_BASE)
BROKEN= OpenSSL from the base system does not support GOST, add \
  WITH_OPENSSL_PORT=yes to your /etc/make.conf and rebuild everything \
  that needs SSL.
.endif
```
Has someone cleared out GOST support from base OpenSSL?


----------

