node comes with its own OpenSSL library, but some of us would prefer to be using one OpenSSL library across the board. The attached patch adds a BUNDLED_SSL option that uses a shared OpenSSL library. Currently it requires a version from ports (build fails against the base OpenSSL on 9 and 10-stable).
Created attachment 161683: BUNDLED_SSL option
*** Bug 203527 has been marked as a duplicate of this bug. ***
Created attachment 167724: BUNDLED_SSL option (updated)
Updated patch against latest www/node
Can you please take another look at this PR? It builds perfectly on 9 and 10, and every SSL test I've run works perfectly. OS X Homebrew builds with this change enabled as default. Given the frequency of OpenSSL-related exploits, we really, really should be providing a way for people to link their own OpenSSL version.

root@lockup:/wrkdirs/usr/ports/www/node/work # ldd /usr/local/bin/node | egrep 'ssl|crypto'
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80153c000)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801949000)
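The `ldd` check in the comment above can be turned into a repeatable audit. The following is an added example, not part of the PR or the port: it classifies where a binary's libssl and libcrypto resolve from. The function name and the sample lines other than the two quoted above are constructed, and it assumes the FreeBSD layout (ports libraries under /usr/local/lib, base libraries under /lib or /usr/lib).

```shell
#!/bin/sh
# Added example. Reads `ldd` output on stdin and prints one of:
#   ports   - libssl/libcrypto both come from /usr/local/lib
#   base    - both come from the base system (/lib or /usr/lib)
#   mixed   - the two libraries resolve from different places
#   bundled - no shared libssl/libcrypto at all; for node this means the
#             copy shipped in its source tree was linked in (assumption)
classify_ssl_linkage() {
    awk '
        # ldd lines: "libssl.so.8 => /usr/local/lib/libssl.so.8 (0x...)"
        $1 ~ "^lib(ssl|crypto)[.]so" && $2 == "=>" {
            if ($3 ~ "^/usr/local/lib/")      ports++
            else if ($3 ~ "^(/usr)?/lib/")    base++
            else                              other++
        }
        END {
            if (ports + base + other == 0)       print "bundled"
            else if (ports && !base && !other)   print "ports"
            else if (base && !ports && !other)   print "base"
            else                                 print "mixed"
        }
    '
}

# Constructed sample: the two lines quoted in the comment above.
sample_ports() {
    printf '\t%s\n' \
        'libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80153c000)' \
        'libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801949000)'
}

# Constructed sample: libssl from ports, libcrypto from base.
sample_mixed() {
    printf '\t%s\n' \
        'libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801949000)' \
        'libcrypto.so.7 => /lib/libcrypto.so.7 (0x80153c000)'
}

# Constructed sample: no OpenSSL shared objects in the list.
sample_bundled() {
    printf '\t%s\n' 'libc.so.7 => /lib/libc.so.7 (0x801c00000)'
}

echo "ports sample:   $(sample_ports | classify_ssl_linkage)"
echo "mixed sample:   $(sample_mixed | classify_ssl_linkage)"
echo "bundled sample: $(sample_bundled | classify_ssl_linkage)"
```

On a live system the input would be `ldd /usr/local/bin/node | classify_ssl_linkage`; a result of `bundled` or `mixed` means updating the OpenSSL package alone does not fully cover that binary.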
Maintainer approved, please check if this patch could apply to node 5.8.0. Thanks.
The patch doesn't apply cleanly anymore, so it'll need updating. What about the other node ports? It might be nice to do them all at the same time.
Hey Bradley, sorry I didn't update this PR earlier. Node does not build against any current version of LibreSSL. This patch would need to do something like what ftp/curl does for the TLS_SRP option---print a message and error out if LibreSSL is the library being linked against.
I wasn't thinking about libressl, but rather about the other www/node* ports. I went ahead and updated your patch and adapted it for all 4 ports. See https://github.com/bradleythughes/freebsd-ports/commit/b292974aaa3a824af797f710f312b025f4abb6a9 :)
Your updated patch looks great, but it will still break when LibreSSL is installed. It needs to identify that case and produce a helpful message.
That is true. Looking through various discussions in issues and pull requests for node.js on GitHub, I see that LibreSSL support isn't a priority or a concern. I am not sure how we can address/communicate this in the port if the user has OPENSSL_PORT=security/libressl in their local make.conf.
ftp/curl does something similar. Check out https://svnweb.freebsd.org/ports/head/ftp/curl/Makefile?r1=382459&r2=382461
I just submitted a new PR with a patch to unconditionally use external dependencies where possible, including openssl. See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209793
The Porter's Handbook and general consensus is that these shouldn't be options. That PR makes this one unnecessary.
Closing this PR. A better plan was introduced by maintainer in bug #209793.
*** This bug has been marked as a duplicate of bug 209793 ***