Bug 192080 - [PATCH] bsd.openssl.mk: supply -L in addition to -Wl,-rpath
Summary: [PATCH] bsd.openssl.mk: supply -L in addition to -Wl,-rpath
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: portmgr
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-24 02:44 UTC by leres
Modified: 2014-11-09 22:34 UTC (History)
1 user (show)

See Also:


Attachments
patch.txt (390 bytes, text/plain)
2014-07-24 02:44 UTC, leres
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description leres 2014-07-24 02:44:45 UTC
Created attachment 144927 [details]
patch.txt

I was having trouble using sysutils/syslog-ng with self-signed
	ssl certificates after I installed the security/openssl port.

	I tracked this down to syslog-ng trying to open a rootca
	cert via a hash name, e.g. .../certs/9624bd1a.0, which didn't
	exist. When I first installed the openssl port I had noticed
	that the cert filename has changed and that it was necessary
	to re-run the c_rehash script against my certs directory.

	Since I had WITH_OPENSSL_PORT=yes in /etc/make.conf and had
	selected the PORTS_SSL option when building sysutils/syslog-ng,
	I suspected syslog-ng was linking against the base libcrypto.

	As it turns out the syslog-ng package is a twisted maze of
	shared images, some linked against /usr/local/lib/libcrypto.so
	and some against /usr/lib/libcrypt.so.

How-To-Repeat:
- Add WITH_OPENSSL_PORT=yes to /etc/make.conf
	- Build and install security/openssl
	- Build and isntall sysutils/syslog-ng with PORTS_SSL
	- Temporarily rename /lib/libcrypto.so.6 to /lib/libcrypto.so.6-
	- Create a syslog-ng.conf that uses tls() to forward logs:

	    destination d_syslog {
		    tcp("logger.noname.net" port(12345)
			tls(ca_dir("/usr/local/etc/certs")
			    key_file("/usr/local/etc/private/ahost.noname.net.key")
			    cert_file("/usr/local/etc/certs/ahost.noname.net.pem")
			    peer_verify(required-trusted)
			)
		    );
	    };

	- Attempt to start syslog-ng and see lots of shared images
	  that to reference the wrong libcrypto:

	    Error opening plugin module; module='afsocket-tls', error='Shared object "libcrypto.so.6" not found, required by "libafsocket-tls.so"'
	    Error opening plugin module; module='afmongodb', error='Shared object "libcrypto.so.6" not found, required by "libafmongodb.so"'
	    Error opening plugin module; module='afsocket', error='Shared object "libcrypto.so.6" not found, required by "libafsocket.so"'
	    Error opening plugin module; module='cryptofuncs', error='Shared object "libcrypto.so.6" not found, required by "libcryptofuncs.so"'
	    Error parsing afsocket, inner-dest plugin tls not found in /usr/local/etc/syslog-ng.conf at line 56, column 6:

			tls(ca_dir("/usr/local/etc/stunnel/certs")
			^^^

	    syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
	    mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

Fix:
A minimal fix is to add -L/usr/local/lib where OPENSSL_LIBS
	is set in Makefile. However I believe the correct fix is
	something similar to the attached patch to bsd.openssl.mk
	which adds -L to OPENSSL_LDFLAGS. This approach should solve
	this issue for any port using this variable.
Comment 1 John Marino freebsd_committer 2014-07-24 08:04:47 UTC
For portmgr?
Comment 2 Keith Beattie 2014-10-01 00:38:27 UTC
I too am experiencing this problem.

bsd.openssl.mk was updated on 2014-09-01, then syslog-ng was updated on 2014-09-02, the combo which broke my syslog-ng config.

Perhaps very few people are effected by this, but I would very much like to see this patch applied.