FreeBSD includes a stable OpenSSL in the base system and provides additional versions (and alternatives) through ports. This page is an effort to document the usage of OpenSSL in FreeBSD, both in base and in ports.

The information in this article (and its sub-articles and the LibreSSL articles) was presented at FOSDEM 2016 by Bernard Spil.

Supported/used versions

In March of 2023, the OpenSSL project published its new Release Strategy and the 1.1.1 EoL announcement.

| Version | Released | Status | Until | FreeBSD |
|---|---|---|---|---|
| 0.9.8 | Jul 2005 | EoL | 31 Dec 2015 (announced Oct 2014) | up to 9.3 |
| 1.0.0 | Mar 2010 | EoL | 31 Dec 2015 (announced Dec 2014) | none |
| 1.0.1 | Mar 2012 | EoL | 31 Dec 2015 (announced Dec 2014) | from 10.0 |
| | | EoL | 31 Dec 2016 (announced Dec 2014) | |
| 1.0.2 | Jan 2015 | EoL | 31 Dec 2019 (announced Aug 2015) | from 11.0 |
| 1.1.0 | Aug 2016 | EoL | Sep 2019 | Proposed for 12-STABLE |
| 1.1.1 | Sep 2018 | EoL | Sep 2023 | 12.0 |
| 3.0 | Sep 2021 | Full Support | Sep 2026 | 14.0 (planned) |
| 3.1 | Mar 2023 | Full Support | | |
| 3.2 | Oct 2023 (planned) | Alpha release | | |

OpenSSL in base

| FreeBSD version | FreeBSD status | OpenSSL version | OpenSSL status |
|---|---|---|---|
| 9.x | EoL 2016-12-31 | 0.9.8 | EoL 2015-12-31 |
| 10.x | EoL 2017-10-03 | 1.0.1 | EoL 2016-12-31 |
| 11.x | EoL 2020-06-23 | 1.0.2 | EoL 2020-06-23 |
| 12.x | Full Support (EoL expected 2023-12-31) | 1.1.x | 2023-09-11 (expected) |
| 13.x | Full support (EoL expected 2026-01-31) | 1.1.1 | 2023-09-11 (expected) |
| 14.x | Beta | 3.0 | 2026-09-07 (expected) |

Efforts to change OpenSSL in base are documented in the Base sub-page.

OpenSSL for ports

By default, FreeBSD ports use OpenSSL from the base system.

To use OpenSSL from ports, add the following to /etc/make.conf:

DEFAULT_VERSIONS+= ssl=openssl

This will automatically use security/openssl as the OpenSSL library provider. Possible values for ssl are

Using LibreSSL from ports

To use LibreSSL from ports, add the following to /etc/make.conf:

DEFAULT_VERSIONS+= ssl=libressl

Upgrade of ports OpenSSL to 1.0.2

Creating a 1.0.2 known problems subpage to collect issues and fixes

Build issues with OpenSSL 1.1.0

Collected on the 1.1.0 known problems sub-page

Build issues with OpenSSL 1.1.1

Collected on the 1.1.1 known problems sub-page

Build issues with OpenSSL 3.0.0

Collected on the 3.0.0 known problems sub-page

Issues when using OpenSSL from ports

Ports linking base libssl when WITH_OPENSSL_PORT is defined

Bug 195796 - exp-build with WITH_OPENSSL_PORT=yes and SSLv2/SSLv3 disabled

See Ports linking base OpenSSL sub-page

There's a nice write-up by bsdx on building a poudriere jail without base SSL, which forces ports to link against the ports SSL library.

GSSAPI conflicts

Both libgssapi_krb5.so and libgssapi_ntlm.so depend on libcrypto.so. Since these often have a different shared library version, this will lead to conflicts. Some ports try to fix that in the Makefile, but this should be fixed globally. A work-in-progress fix can be found at Sp1l's GitHub. Your safest bet is to set the following in /etc/make.conf:

OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET=   GSSAPI_MIT

Setting GSSAPI_HEIMDAL would work as well (I haven't run into issues with it), but there are no ports that specify only Heimdal, whereas there are ports that only set MIT (i.e. benchmarks/polygraph, net/ocserv, security/putty, excluding krb5/heimdal specific ports).

Affected ports (unconfirmed)

databases/mariadb101-server

dns/bind9-devel

dns/bind910

dns/bind99

ftp/curl

mail/mutt

mail/cyrus-imapd25

mail/cyrus-imapd24

mail/dovecot2

net/samba36

net/wireshark

security/py-kerberos

security/pam_krb5

security/p5-Authen-Krb5

security/cyrus-sasl2-gssapi

security/p5-Heimdal-Kadm5

security/p5-GSSAPI

security/cyrus-sasl2-saslauthd

security/p5-Authen-Krb5-Simple

www/mod_auth_kerb2

www/nginx-devel

www/squid
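
One way to confirm whether an installed binary is affected by the base/ports mix described in the two sections above, as an added example that is not part of the original page or of FreeBSD's own tooling. The function names, the sample binary path and the shared library version numbers in the samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify which OpenSSL provider a binary resolves to,
# based on `ldd` output read from stdin.
# Prints one word: none | base | ports | mixed

ssl_provider() {
    awk '
        # ldd lines look like: libcrypto.so.N => /path/libcrypto.so.N (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\//)       ports = 1   # installed by a port
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1    # shipped with base
        }
        END {
            if (base && ports) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Constructed sample: a port linked against ports OpenSSL that also pulls in
# base libgssapi_krb5, which in turn brings in base libcrypto.
sample_mixed() {
    cat <<'EOF'
/usr/local/bin/example:
	libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a4d000)
	libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800cb8000)
	libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x8010c4000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x8012e0000)
	libc.so.7 => /lib/libc.so.7 (0x801750000)
EOF
}

# Constructed sample: the same binary with only the ports libraries resolved.
sample_ports_only() {
    sample_mixed | grep -v -e ' /lib/libcrypto' -e 'libgssapi_krb5'
}

# On a real system: pass binaries or shared objects as arguments.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(ldd "$f" 2>/dev/null | ssl_provider)"
done
```

A result of "mixed" means two different libcrypto or libssl copies are loaded into the same process, which is the conflict the GSSAPI_MIT setting above is meant to avoid.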

Build issues using LibreSSL

Please check the LibreSSL page

Build issues with SSLv3 disabled

Collected on the build ports without SSLv3 sub-page

OpenSSL (last edited 2023-09-13T01:01:22+0000 by daemonhorn)