Bug 192080 - [PATCH] bsd.openssl.mk: supply -L in addition to -Wl,-rpath
Summary: [PATCH] bsd.openssl.mk: supply -L in addition to -Wl,-rpath
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Port Management Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-24 02:44 UTC by Craig Leres
Modified: 2014-11-09 22:34 UTC (History)
1 user (show)

See Also:

Attachments
patch.txt (390 bytes, text/plain)
2014-07-24 02:44 UTC, Craig Leres 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Craig Leres freebsd_committer 2014-07-24 02:44:45 UTC 
Created attachment 144927 [details]
patch.txt

I was having trouble using sysutils/syslog-ng with self-signed
	ssl certificates after I installed the security/openssl port.

	I tracked this down to syslog-ng trying to open a rootca
	cert via a hash name, e.g. .../certs/9624bd1a.0, which didn't
	exist. When I first installed the openssl port I had noticed
	that the cert filename has changed and that it was necessary
	to re-run the c_rehash script against my certs directory.

	Since I had WITH_OPENSSL_PORT=yes in /etc/make.conf and had
	selected the PORTS_SSL option when building sysutils/syslog-ng,
	I suspected syslog-ng was linking against the base libcrypto.

	As it turns out the syslog-ng package is a twisted maze of
	shared images, some linked against /usr/local/lib/libcrypto.so
	and some against /usr/lib/libcrypt.so.

How-To-Repeat:
- Add WITH_OPENSSL_PORT=yes to /etc/make.conf
	- Build and install security/openssl
	- Build and isntall sysutils/syslog-ng with PORTS_SSL
	- Temporarily rename /lib/libcrypto.so.6 to /lib/libcrypto.so.6-
	- Create a syslog-ng.conf that uses tls() to forward logs:

	    destination d_syslog {
		    tcp("logger.noname.net" port(12345)
			tls(ca_dir("/usr/local/etc/certs")
			    key_file("/usr/local/etc/private/ahost.noname.net.key")
			    cert_file("/usr/local/etc/certs/ahost.noname.net.pem")
			    peer_verify(required-trusted)
			)
		    );
	    };

	- Attempt to start syslog-ng and see lots of shared images
	  that to reference the wrong libcrypto:

	    Error opening plugin module; module='afsocket-tls', error='Shared object "libcrypto.so.6" not found, required by "libafsocket-tls.so"'
	    Error opening plugin module; module='afmongodb', error='Shared object "libcrypto.so.6" not found, required by "libafmongodb.so"'
	    Error opening plugin module; module='afsocket', error='Shared object "libcrypto.so.6" not found, required by "libafsocket.so"'
	    Error opening plugin module; module='cryptofuncs', error='Shared object "libcrypto.so.6" not found, required by "libcryptofuncs.so"'
	    Error parsing afsocket, inner-dest plugin tls not found in /usr/local/etc/syslog-ng.conf at line 56, column 6:

			tls(ca_dir("/usr/local/etc/stunnel/certs")
			^^^

	    syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
	    mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

Fix:
A minimal fix is to add -L/usr/local/lib where OPENSSL_LIBS
	is set in Makefile. However I believe the correct fix is
	something similar to the attached patch to bsd.openssl.mk
	which adds -L to OPENSSL_LDFLAGS. This approach should solve
	this issue for any port using this variable.
Comment 1 John Marino freebsd_committer 2014-07-24 08:04:47 UTC 
For portmgr?
Comment 2 Keith Beattie 2014-10-01 00:38:27 UTC 
I too am experiencing this problem.

bsd.openssl.mk was updated on 2014-09-01, then syslog-ng was updated on 2014-09-02, the combo which broke my syslog-ng config.

Perhaps very few people are effected by this, but I would very much like to see this patch applied.