pkgsrc-Users archive


Re: SSL configured wrong for DragonFly. How can it be fixed?



* On 2016-11-25 at 00:03 GMT, John Marino wrote:

> pkgsrc assumes OpenSSL base at /usr:
> security/openssl/builtin.mk:127:BUILDLINK_PREFIX.openssl= /usr
> 
> This assumption is wrong for DragonFly which has a private OpenSSL library
> only for base use.  pkgsrc is supposed to build and use its own OpenSSL.
> 
> The BUILDLINK_PREFIX.openssl is hardcoded. What's the proper fix for pkgsrc?
> (Yes, I know I can patch it in pkgsrc-synth).

pkgsrc will only enable a builtin if it finds the necessary libraries
and headers in the base system.  This is performed using the
BUILTIN_FIND_* variables defined in security/openssl/builtin.mk.  If
those tests aren't satisfied and IS_BUILTIN.openssl=no then pkgsrc
will not use the builtin, even if you ask it to.

Thus if you don't want users to use your private OpenSSL then the best
solution is to modify your installation in a way that software cannot
find it.  The way SmartOS does this is described here:

  http://dtrace.org/blogs/wesolows/2014/04/10/libsunw_ssl-or-how-smartos-avoids-sadness/

Until that is implemented though you can provide hints to pkgsrc for
it to prefer pkgsrc or native implementations of builtin-aware
software by setting e.g.

  _OPSYS_PREFER.openssl?= pkgsrc

in mk/platform/DragonFly.mk.  See mk/platform/SunOS.mk for some
examples.

These variables take precedence over a user's PREFER_PKGSRC=yes or
PREFER_NATIVE=yes setting, but they do not take precedence over
PREFER.openssl or if "openssl" is specifically listed in PREFER_*, so
it is still possible that users could configure their pkgsrc to use
your base OpenSSL.

Cheers,

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

