Bug 200223 - security/tor: ship tor package linked against openssl from ports (faster ECDH support)
Summary: security/tor: ship tor package linked against openssl from ports (faster ECDH...
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
Depends on:
Reported: 2015-05-15 17:28 UTC by nusenu
Modified: 2018-02-25 21:06 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (bf)
vlad-fbsd: maintainer-feedback? (yuri)


Note You need to log in before you can comment on or make changes to this bug.
Description nusenu 2015-05-15 17:28:03 UTC
security/tor package currently does not depend on openssl from ports but uses openssl provided by base.
openssl in base comes without enable-ec_nistp_64_gcc_128 support, tor will show the following line in the logs (if tor has been installed via 'pkg install tor')

[notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.

Installing openssl from packages/ports + recompiling tor solves this.

What do you think about making tor depend on the openssl package (not the one in base) and ship the tor package which is linked against the openssl package to solve this also in the package out of the box?

I saw it was actually you (the security/tor maintainer) who enabled enable-ec_nistp_64_gcc_128 in the first place:

(Is there a particular reason why this feature is off in base by default?)

Comment 1 Rene Ladan freebsd_committer 2016-06-27 21:47:45 UTC
Maintainer reset.
Comment 2 VK freebsd_triage 2016-10-02 19:16:40 UTC
New maintainer, request feedback.
Comment 3 Yuri Victorovich freebsd_committer 2016-11-27 21:57:39 UTC
It is still the case that tor builds with the base OpenSSL when the port isn't present. USES=ssl has this logic of choosing which OpenSSL to use based on file presence. I would rather have this dependency explicit.

tor should probably have special option USE_PORT_OPENSSL.

There is also a somewhat related torproject ticket asking to support various other OpenSSL interface implementations: https://trac.torproject.org/projects/tor/ticket/13977
Comment 4 Walter Schwarzenfeld freebsd_triage 2018-01-16 09:32:42 UTC
Comment 5 Yuri Victorovich freebsd_committer 2018-01-16 09:41:28 UTC

The variable DEFAULT_VERSIONS in /etc/make controls which ssl version is used globally. As far as I understand, you need to rebuild all ports once you change this selection, since it is a global option.

See here: https://wiki.freebsd.org/DEFAULT_VERSIONS#SSL_Library_Selection

Please raise this on ports@ mailing list if this is a concern.

Please close this bug if this answers your concern.