# Problem with openssl port dependency on ngnix update



## Radibor (Jun 13, 2016)

Hello,

I have a FreeBSD 10.3 system running with nginx-1.8.1,2 installed. I'm using openssl(1) from the base system so no security/openssl port installed currently. When I now try to update NGINX to nginx-1.10.1,2 via portmaster(8) the update wants to install the security/openssl port as a dependency, which is a problem for 2 reasons: 1st: I want to use the base system openssl(1) prior to the ports version whenever possible, 2nd: the current security/openssl version in ports throws a security issue upon installation attempt anyway:

```
openssl-1.0.2_12 is vulnerable:
OpenSSL -- vulnerability in DSA signing
CVE: CVE-2016-2178
WWW: https://vuxml.FreeBSD.org/freebsd/6f0529e2-2e82-11e6-b2ec-b499baebfeaf.html
```
Regarding this I have 2 questions:

1. (out of curiosity): Why does minor version update of nginx (1.8 .1 to 1.10.1.) adds a decency to the OpenSSL port anyway when the current version obviously did not need it?

2. (to solve my current problem): How can I force nginx 1.10.1 to use openssl from the base system instead of trying to install the openssl port during update?

Thanks in advance.
Regards,
Gunnar


----------



## SirDice (Jun 13, 2016)

The port will always use the OpenSSL port for FreeBSD below 11.0:

```
.if defined(NGINX_OPENSSL)
 	USE_OPENSSL=    yes
 	.if ${OSVERSION} < 1100000
 	   WITH_OPENSSL_PORT=yes
	.endif
.endif
```


----------



## Radibor (Jun 13, 2016)

That is strange as I have version nginx-1.8.1,2 installed from ports a couple of months ago (FreeBSD was v10.1 at that point, I recently upgraded to 10.3-RELEASE) and it's running properly and neither demanded installation of OpenSSL port back then nor is the OpenSSL port installed at all at the moment. So this version check for the OpenSSL port might have been added recently? Which also bears the question why it has been added at all if v1.8.1 is working properly along with the base system OpenSSL?
So it doesn't really make sense to me right now.


----------



## SirDice (Jun 13, 2016)

It's possible the new version requires certain features or options that aren't available with the OpenSSL from the base.


----------



## ondra_knezour (Jun 13, 2016)

It is unknown to me if it is directly related, but https://www.nginx.com/blog/supporting-http2-google-chrome-users/


----------



## Mayhem30 (Jun 16, 2016)

I'm also using security/openssl and running in to the "vulnerability in DSA signing" error when trying to update it.

I sent an email to the port maintainer yesterday, but I believe it just fell on deaf ears. The port has been updated to fix that vulnerability, but I believe he needs to bump the port revision - otherwise we'll still get the error message and not be able to upgrade it.

If anyone else wants to try and email him, his address is at the top of the Makefile here :

http://svnweb.freebsd.org/ports/head/security/openssl/Makefile?revision=416823&view=markup


----------



## kpa (Jun 16, 2016)

Have you run `pkg audit -F` after updating your ports?

Btw, as of today security/openssl is at version 1.0.2_13 and at least on my system I don't get any vulnerability warnings with pkg-audit(8) so definitely check if your vulnerabilty database at /var/db/pkg/vuln.xml is up to date.


----------



## Mayhem30 (Jun 16, 2016)

I'm still not able to update after the audit.

```
$pkg audit -F
vulnxml file up-to-date
openssl-1.0.2_12 is vulnerable:
OpenSSL -- vulnerability in DSA signing
CVE: CVE-2016-2178
WWW: https://vuxml.FreeBSD.org/freebsd/6f0529e2-2e82-11e6-b2ec-b499baebfeaf.html

1 problem(s) in the installed packages found.
```


----------



## kpa (Jun 16, 2016)

Are you using the official packages or building ports yourself? I checked the ports tree and both head and 2016Q2 branches have 1.0.2_13.


----------



## rotor (Jun 16, 2016)

fwiw, here's a similar thread that had scrolled to the third page...

https://forums.freebsd.org/threads/56398/


----------



## Mayhem30 (Jun 16, 2016)

kpa said:


> Are you using the official packages or building ports yourself?



I'm building the ports myself. However, after upgrading the ports once again this morning - security/openssl is no longer throwing the error when trying upgrade it.


----------



## kpa (Jun 16, 2016)

The port was updated on 12th of june, you might have forgotten to update your ports tree after that.

FYI, OpenSSL is now supported by the DEFAULT_VERSIONS mechanism:

https://svnweb.freebsd.org/ports?view=revision&revision=416965


The /usr/ports/UPDATING entry:


```
20160616
  AFFECTS: users of security/openssl*, security/libressl*
  AUTHOR: mat@FreeBSD.org

  Previously, to tell the ports tree, you needed to set:

  WITH_OPENSSL_PORT=yes

  And if you wanted a port that was not security/openssl, you needed to add,
  for example:

  OPENSSL_PORT=    security/libressl

  Now, all you need to do is:

  DEFAULT_VERSIONS+=  ssl=libressl

  Valid values are base, openssl, openssl-devel, libressl, and libressl-devel.
```


----------



## Mayhem30 (Jun 16, 2016)

kpa said:


> The port was updated on 12th of june, you might have forgotten to update your ports tree after that.



No, that's not it - I have `portsnap cron update` in cron that fires at 12:01am daily + I manually run `portsnap fetch update` myself before updating ports.

Also, thanks for the head up! I also received the depreciated warnings when updating this morning - and I fixed my /etc/make.conf file and included `DEFAULT_VERSIONS+=ssl=openssl`.


----------

