# Prioritizing SSL/TLS in make.conf



## sidetone (Oct 22, 2017)

In /etc/make.conf, I would like to set openssl(1), security/libressl or security/nss over security/gnutls, and know whether security/libressl can coexist with Openssl.
In make.conf, this is what I have in mind

```
OPTIONS_SET=OPENSSL
OPTIONS_SET+=NSS
```
Libressl has a reputation for being better than Openssl, but not very many ports work with it, and setting it as default with

```
DEFAULT_VERSIONS+=ssl=libressl
```
in make.conf (as suggested by installing net/openntpd) breaks many ports. If I don't set Libressl as default, as the port suggests, will the existence of it break other ports that rely on Openssl?

If it's possible, how would I set Openssl as default, fall back to NSS, yet switch to Libressl when available.
If I unset GNUTLS or NSS, with

```
OPTIONS_UNSET=GNUTLS
```

I believe this will be insecure for ports that can't use other protocols, or that openssl or libressl can't cover.

If I understand correctly, Openssl and Libressl don't cover as many TLS protocols as NSS or GNUTLS.

I would like to prioritize, Libressl, over Openssl, then NSS, if all is possible.


----------



## rigoletto@ (Oct 22, 2017)

I use this:


```
OPTIONS_UNSET = GNUTLS TLS_SRP
DEFAULT_VERSIONS+= ssl=libressl
```

YMMV, but TLS_SRP is the only option I had to disable in order to avoid ftp/curl failing to build due to security/libressl not supporting it yet.

I added it to make.conf just in case something else also have this option.

EDIT:

> I believe this will be insecure for ports that can't use other protocols, or that openssl or libressl can't cover.



If the port cannot use another thing and must have (e.g.) security/gnutls ON, the ability to disable it should not ever be in there.

Other cases are like irc/weechat, which needs security/gnutls only if you want to have SSL/TLS support, but disabling it will not break the port.

For those cases you just need to turn it ON for those specific ports.

In here irc/weechat is the only thing keeping security/gnutls installed in the system, for instance.


----------



## sidetone (Oct 22, 2017)

Having security/libressl installed conflicts with openssl(3), and not everything works with it.
For this I just went with

```
OPTIONS_SET=NSS
```

for when that option was available, and I didn't unset anything.

Having either of

```
DEFAULT_VERSIONS+=ssl=libressl
DEFAULT_VERSIONS?=ssl=libressl
DEFAULT_VERSIONS+=ssl=nss
DEFAULT_VERSIONS?=ssl=nss
```

didn't allow me to compile some programs.

The options for me would be OpenSSL, then NSS for anything OpenSSL can't cover. Otherwise, absolutely required settings by the port must be used.


----------



## rigoletto@ (Oct 22, 2017)

What did you hit that does not work with security/libressl? I never got anything like that but the TLS_SRP detail.

Yes, the rule is one or another, but IIRC I saw a post where someone was using both defining for specific ports, but I do not remember what topic it was.

EDIT: I had a minor problem with irc/quassel-core, I do not remember the details, but it was with security/libressl 2.4.x and irc/quassel-core was working with that, it just printed some warning.

EDIT_2: very few ports should have security/nss support. Setting it as default ssl version would be cumbersome and not work.

Probably everything that does support security/nss should have it as an OPTION or as default already. So, it would be better to set it per port.


----------



## tobik@ (Oct 22, 2017)

sidetone said:

> DEFAULT_VERSIONS+=ssl=nss
> DEFAULT_VERSIONS?=ssl=nss

ssl=nss isn't a supported value.



sidetone said:


> as suggested by installing net/openntpd


net/openntpd works fine without it. It statically links with LibreSSL in case you aren't using ssl=libressl, so it can be installed even without it.

When building it directly on your system (outside of Poudriere/Synth) it'll probably leave the environment dirty since it'll leave LibreSSL behind. This is dangerous when you haven't set ssl=libressl. EDIT: Nevermind... This is blatantly wrong ;-)


----------



## rigoletto@ (Oct 22, 2017)

It would be very weird (at minimum) if net/openntpd didn't work together with security/libressl in FreeBSD since both are in OpenBSD base.


----------



## sidetone (Oct 22, 2017)

lebarondemerde said:


> What did you hit that does not work with security/libressl? I never got anything like that but the TLS_SRP detail.
> 
> Yes, the rule is one or another, but IIRC I saw a post where someone was using both defining for specific ports, but I do not remember what topic it was.
> 
> ...



It was net-im/pidgin, and I think some other GNU related ports. Perhaps it is not Pidgin itself, but a dependency of it.



tobik@ said:

> net/openntpd works fine without it. It statically links with LibreSSL in case you aren't using ssl=libressl, so it can be installed even without it.

lebarondemerde said:

> It would be very weird (at minimum) if net/openntpd didn't work together with security/libressl in FreeBSD since both are in OpenBSD base.

Just having LibreSSL installed breaks the installation of Pidgin, and other programs that don't know where to look for LibreSSL components, as opposed to OpenSSL.

OpenNTP is supposed to work with LibreSSL: it's that a few other ports don't build with OpenNTP, and if it's not set to default, it constantly nags with a warning to make it the default SSL.


The new questions are:
How would I replace only GNUTLS settings with NSS? Also, how would I automatically have CA_BUNDLE unchecked, if OpenSSL is not chosen?

Edit:

```
OPTIONS_SET=NSS
OPTIONS_UNSET+=CA_BUNDLE
```
So far, I'll see if this works. This affects ftp/curl. Perhaps it can be looked at as a bug.

+= and ?= are similar, as they set it to non-absolute values. The Porter's Handbook has some explanation for them:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-cc.html
https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-cflags.html


----------



## rigoletto@ (Oct 22, 2017)

sidetone

There must be something very wrong in your system, or at least in the way you are building ports. I just built net-im/pidgin (default options), installed it and apparently it is working fine (I do not have any actual account to test with it).

> How would I replace only GNUTLS settings with NSS?

You can just do that if the port does support both, and the most reliable way would be per port.

Basically you have two SSL (default) options, OpenSSL and LibreSSL. But for some ports you have eventually other options: gnutls, nss, etc... Those customizations are better handled per port, otherwise you can break something.

If you disable CA_BUNDLE, the security/ca_root_nss will not be installed¹ and then security/nss will not work either because it does need security/ca_root_nss.

EDIT: if you just change the options in the make.conf file and continue using ports without actually rebuilding everything that is affected by those changes, things will break.

¹ it actually will, because most things that do need it will install it anyway.
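As an added example (not taken from any post in this thread), a make.conf fragment showing the per-port form rigoletto@ recommends: the tree-wide ssl default stays untouched, and the SSL radio choice and CA_BUNDLE are adjusted only for the ports that actually offer those options. The `<uniquename>_SET` / `<uniquename>_UNSET` variables are the standard per-port option hooks; the option names used below are assumed from the ports mentioned in the thread (ftp/curl's NSS, OPENSSL and CA_BUNDLE, irc/weechat's GNUTLS).

```make
# /etc/make.conf fragment (added example, not from the thread).

# Leave the tree-wide SSL default alone (OpenSSL from base). Only flip
# this once every port you build has been checked against LibreSSL.
#DEFAULT_VERSIONS+=	ssl=libressl

# Tree-wide: drop GnuTLS only where it is an optional extra. Ports that
# hard-require it never expose it as an option, so they are unaffected.
OPTIONS_UNSET+=		GNUTLS

# ftp/curl: pick NSS in the SSL radio group for this one port.
# The "cannot select multiple options from the SSL radio" error comes
# from NSS and OPENSSL both ending up set, so the default member of the
# radio group (OPENSSL) must be unset at the same time.
curl_SET+=		NSS
curl_UNSET+=		OPENSSL

# ftp/curl: CA_BUNDLE is a plain option outside the radio group; it adds
# --with-ca-bundle=.../ca-root-nss.crt and a run dependency on
# security/ca_root_nss. Unset it here only if that is actually unwanted.
#curl_UNSET+=		CA_BUNDLE

# irc/weechat: SSL/TLS support there is GnuTLS-only, so re-enable it for
# this port; per-port _SET is applied after the tree-wide OPTIONS_UNSET.
weechat_SET+=		GNUTLS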


----------



## Deleted member 48958 (Oct 22, 2017)

If you use pidgin to use jabber,
then it is possible to install net-im/gajim:

> The goal of Gajim is to provide a full featured and easy to use Jabber
> client. Gajim works nicely with GNOME, but does not require it to run.
> It is released under the GNU General Public License.


----------



## sidetone (Oct 22, 2017)

ILUXA said:


> If you use pidgin to use jabber,
> then it is possible to install net-im/gajim


I like net-im/psi for Jabber, but it is not as good as Pidgin for me. Gajim might be good as well.



lebarondemerde said:


> If you disable CA_BUNDLE, the security/ca_root_nss will not be installed¹ and then security/nss will not work either because it does need security/ca_root_nss.


For ftp/curl, NSS required me to unset CA_BUNDLE, at least that time. I was thinking that NSS needed some form of ca_root. I'll try it again, and see if I get a different result.

If not, I'll just go back to default settings on this, without LibreSSL.

Update: I still get the error:

```
====> You cannot select multiple options from the SSL radio
=====> Only one of these must be defined: NSS OPENSSL
Config is invalid. Re-edit? [Y/n]
```
This is for having both NSS and CA_BUNDLE enabled.

I don't have to set NSS. I can go with defaults, or keep playing around with it. I want to keep all required settings on TLS, but just wanted to use NSS whenever the option was there over GNUTLS.


----------



## rigoletto@ (Oct 22, 2017)

That message is related to the "SSL protocol support" section. You somehow managed to have two options "enabled", probably due to something in your make.conf. It does not even let you choose two options at the same time.

Just to shed some light on this, this is what the CA_BUNDLE option does in the port:


```
CA_BUNDLE_CONFIGURE_OFF=--without-ca-bundle
CA_BUNDLE_CONFIGURE_ON=   --with-ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt
CA_BUNDLE_RUN_DEPENDS=   ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
```

It seems your ports config options are really messed up, and you probably have many broken ones that need to be rebuilt due to changed options.

In your place I would rip /var/db/ports off completely to start from zero (including the make.conf), and rebuild everything.

You probably are using ports-mgmt/portmaster to build ports. That would (partially) explain why things are so messed up, because it runs make config for every single port it touches (and all of them are saved even if defaults are kept, and if the options change upstream the old saved ones continue in there), while most of the time just the origin ports need some sort of customization, if any.

You probably would do better using ports-mgmt/synth or ports-mgmt/poudriere, which do take care to rebuild what is necessary every time you (or upstream) change something. Synth is easier and simpler to use, and also faster to deploy than Poudriere.


----------



## sidetone (Oct 22, 2017)

lebarondemerde said:


> That message is related with the "SSL protocol support" section. You somehow managed to have two options "enabled", probably due something in your make.conf.


No, radio options only allow one setting: NSS, GNUTLS, OpenSSL or other. Only one is set anyway. CA_BUNDLE is outside of the radio options section. And I've already deleted /var/db/ports/, and have done a fresh `portsnap fetch extract`. As I've said, CA_BUNDLE conflicts with NSS. It must be a different implementation or version of CA.


----------



## rigoletto@ (Oct 22, 2017)

So, then disable CA_BUNDLE for that specific port.

> And I've already deleted /var/db/ports/, and have done a fresh portsnap fetch extract.

EDIT: /var/db/ports is where the ports options are stored, while portsnap handles the ports tree: /usr/ports.


----------



## sidetone (Oct 23, 2017)

https://wiki.freebsd.org/LibreSSL#How_to_use_LibreSSL
This is helpful. It says that to use LibreSSL from ports, use GSS-API from ports, not base.
So, GSS-API should be set in make.conf.

```
USES_UNSET=GSSAPI_BASE
```

Then either of the two below. Note the disable option.

```
USES_SET=GSSAPI_HEIMDAL
...
USES_SET=GSSAPI_MIT
#USES_SET=GSSAPI_NONE
```

It explains using LibreSSL in base, but that is more complicated.


----------

