# How to use two OpenSSL ports at the same time



## wattie (Mar 18, 2020)

I have FreeBSD 11.3 and I have two OpenSSL ports installed:

A. /usr/ports/security/openssl/ which installs in /usr/local/openssl/ (still holding on old version 1.0.2u)
B. /usr/ports/security/openssl-unsafe/ which installs in /usr/local/openssl-unsafe/ (it is version 1.0.2k)

In /etc/make.conf I do have "DEFAULT_VERSIONS+=ssl=openssl" which means that serverwide I do use the first one - port A. I wish to continue to use it that way (and eventually update it to 1.1.1 after I resolve the issue below) and all software to use it except...

... I need to also run PHP 5.4 which will not work with OpenSSL 1.1.1 when I update. In fact this is the reason why I added the port openssl-unsafe (port B mentioned above). Obviously I need to do a custom installation (5.4 is no longer in ports). So I downloaded the sources and added "--with-openssl=/usr/local/openssl-unsafe" directive in the PHP 5.4 configure script.

So far, so good - it compiles, then it runs, however later on I see that it's compiled against 1.0.2k (which is openssl-unsafe) but it loads dynamically libs from the other one (1.0.2u). I attach an image with the phpinfo() output which shows that.

My guess here is that PHP 5.4 uses the libraries defined in "ssl" from DEFAULT_VERSIONS regardless that it is compiled with another path in the configure script. Any idea how can I resolve this situation?

P.S.1. FreeBSD 11.3 also have OpenSSL 1.0.2s preinstalled in /usr/bin but as mentioned above I am not using it.

P.S.2. Please skip the advice to not use outdated and unsupported software. I know that it is bad and it should not be used in production, etc., thanks.


----------



## ShelLuser (Mar 18, 2020)

wattie said:


> P.S.2. Please skip the advice to not use outdated and unsupported software. I know that it is bad and it should not be used in production, etc., thanks.


Obviously you don't. And I don't say this because of your message, but because of the time since PHP 5.4 was a thing and the timespan between 5 and 7; this gave plenty of options to prepare for the inevitable. Not to mention that they did quite a lot to make PHP somewhat backwards compatible.

Alas...  I'd suggest you use a jail. Helps for damage control (which I think you desperately need) and it would make it much easier to use one version of OpenSSL for common services and the other for your web setup.


----------



## wattie (Mar 18, 2020)

Jail is a good advice; however it will be too hard for me to integrate it with the other services. I am looking for an option to make it easier (if possible).

Please do not comment on upgrading PHP 5.4. I know it's dead and insecure. And you don't know why I need it and how I use it.

Hopefully my question will help other people who wish to use more than one OpenSSL instance on one machine.


----------



## wattie (Mar 19, 2020)

From another source I heard that this issue is not happening when the primary OpenSSL is from base and not from ports. If this is true, it must be the /etc/make.conf DEFAULT_VERSIONS directive - probably PHP is looking to it when loading...


----------

