WITH_OPENSSL_PORT=yes not respected by all ports

[icecoke]

On a 10.1p19 (and other earlier Versions) I'm trying to have the latest security/openssl port to be used instead of the slightly older base openssl. But it seems all settings I use, do not achieve this with all ports

/etc/make.conf:

WITH_OPENSSL_PORT=yes
OPENSSLBASE=/usr/local

Even after a portmaster --no-confirm -adfy I still find some of these:

ldd /usr/local/lib/php/20121212-zts/snmp.so | grep -E "(ssl|crypto)"

        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80160e000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x802194000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x803020000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x80328b000)

ldd /usr/local/sbin/saslauthd | grep -E "(ssl|crypto)"

        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80151c000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x802c45000)

After some finding around, it looks like at least these ports do not respect the wish to use the security/openssl port only:

security/cyrus-sasl2-saslauthd, ports-mgmt/pkg, net-mgmt/net-snmp, net-mgmt/php55-snmp (the latter because of the net-mgmt/net-snmp port)

I may understand the reason for the ports-mgmt/pkg port, but at least the net-mgmt/net-snmp port causes some problems in all webservers using phpxx-snmp modules.

Is there a known reason/solution?

 

[asteriskRoss]

I am sure the port maintainers would be grateful to learn about your research and receive any patches you are able to prepare. Have a look at the Dealing with Broken Ports section in the handbook.

 

[kpa]

There are some libraries that indirectly pull in the base system OpenSSL libraries. The most well known example is ftp/curl if you build it with GSSAPI_BASE option which happens to be the default. The problem there is that the base system GSSAPI libraries are linked against the base system OpenSSL libraries at compile time so anyone using those GSSAPI libraries will be forced to link against the base system OpenSSL as well. Ain't ELF wonderful?

 

[icecoke]

Thanks for all your input. After some findings (still had not the time to work really on it) it seems that it is just net-mgmt/net-snmp which is compiling in the pkg libs, which in return are forced to use the base openssl things by design. In the end this brakes at least php and the webserver when these php modules are used and sasl too. Not all the time, but we have hundred of installations showing up that this is not a single problem.

kpa - yep, like ftp/curl with the default switch, net-mgnt/net-snmp is like this. Both curl.so and snmp.so from php are suffering from that.

I will go to build some packages which do not rely on the base openssl to get rid of this.