Bug 193482 - security/openssl - new "no-ssl2" feature breaks at least one dependent port
Summary: security/openssl - new "no-ssl2" feature breaks at least one dependent port
Status: Closed DUPLICATE of bug 195796
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Matthieu Bouthors
Reported: 2014-09-09 10:54 UTC by Leif Velcro
Modified: 2015-06-17 22:16 UTC
CC List: 5 users

mva: maintainer-feedback? (matthieu)
Description Leif Velcro 2014-09-09 10:54:06 UTC
The new (and very useful) config option to security/openssl allows you to compile it without support for SSLv2.  Arguably, this should be the default option.

However, this has broken at least one dependent port -- security/sslscan <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193083>.

I do not know if it has broken others, since sslscan was the tool I was going to use to test other ports.  When it broke, I quickly reverted to the original version of openssl, since so much depends on it and I was worried other things might be quietly broken.

This might not be the fault of the change to the openssl port itself.  Perhaps all dependent ports should be more resilient.  However, it has been suggested that there at least be a warning in the description of the SSLv2 flag.

If there is a convenient, non-spammy way to notify all the major openssl-dependent port maintainers, that's probably also a good idea.
Comment 1 Leif Velcro 2014-09-26 16:26:42 UTC
Using this option also breaks www/libwww: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193937
Comment 2 Marcus von Appen freebsd_committer freebsd_triage 2014-09-26 20:07:51 UTC
Over to maintainer.
Comment 3 Leif Velcro 2014-10-30 04:39:00 UTC
I should note that with the POODLE exploit, disabling SSLv3 has become quite important.  The option to compile security/openssl without SSLv3 was quite helpfully added at the same time as the option to disable SSLv2, but the options are not useful if other necessary ports will break when they are used.

Currently, it is necessary to track down and reconfigure each port that uses openssl and modify the settings in a manner specific to that port.  Some ports do not allow for this level of configuration, so disabling SSLv2/SSLv3 in openssl is not only efficient and logical, it is the only way to do such a thing with some ports (e.g., mail/imap-uw).
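The breakage this report describes comes from dependent code that references the SSLv2/SSLv3 method functions an OpenSSL built with `no-ssl2`/`no-ssl3` no longer provides; the build records those choices as `OPENSSL_NO_SSL2`/`OPENSSL_NO_SSL3` in `opensslconf.h`, which is what a more resilient port would test before using them. The following check is an added example, not code from the bug report or from any FreeBSD port; it assumes the header path is passed as an argument, and a constructed sample header stands in for a real installation.

```shell
#!/bin/sh
# Added example: report which legacy protocols an OpenSSL build compiled out,
# by reading the OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3 defines that a no-ssl2 /
# no-ssl3 build writes into opensslconf.h.

# openssl_proto_disabled HEADER PROTO   (PROTO is SSL2 or SSL3)
# Exit status 0 if HEADER defines OPENSSL_NO_<PROTO>, 1 if not, 2 if unreadable.
openssl_proto_disabled() {
    header=$1
    proto=$2
    [ -r "$header" ] || { echo "cannot read $header" >&2; return 2; }
    # Accept both "#define X" and the "# define X" form opensslconf.h uses.
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_'"$proto"'([[:space:]]|$)' "$header"
}

# openssl_disabled_protos HEADER
# Prints the compiled-out legacy protocols, space separated (empty if none).
openssl_disabled_protos() {
    out=""
    for p in SSL2 SSL3; do
        if openssl_proto_disabled "$1" "$p"; then
            out="${out:+$out }$p"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed stand-in for /usr/local/include/openssl/opensslconf.h from a
# security/openssl built with no-ssl2 but with SSLv3 still enabled.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
/* constructed sample header, not a real opensslconf.h */
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
EOF

echo "Compiled-out protocols: $(openssl_disabled_protos "$SAMPLE_CONF")"
```

A port's build could run the same test against the installed header and skip its SSLv2/SSLv3 code paths instead of failing to compile.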
Comment 4 Xin LI freebsd_committer 2015-06-17 22:16:43 UTC
This is in fact a duplicate of 195796.

*** This bug has been marked as a duplicate of bug 195796 ***