FreeBSD includes a stable OpenSSL in the base system and provides additional versions (and alternatives) through ports. This page is an effort to document the usage of OpenSSL in FreeBSD, both in base and in ports.

The information in this article (and its sub-articles and the LibreSSL articles) was presented at FOSDEM 2016 by Bernard Spil.

Supported/used versions

The OpenSSL project published its new Release Strategy at the end of 2014. Notable changes are

| Version | Released | Status | Until | FreeBSD |
|---|---|---|---|---|
| 0.9.8 | Jul 2005 | Security patches only | 31 Dec 2015 (announced Oct 2014) | up to 9.3 |
| 1.0.0 | Mar 2010 | Security patches only | 31 Dec 2015 (announced Dec 2014) | none |
| 1.0.1 | Mar 2012 | Full Support | 31 Dec 2015 (announced Dec 2014) | from 10.0 |
| 1.0.1 | Mar 2012 | Security patches only | 31 Dec 2016 (announced Dec 2014) | from 10.0 |
| 1.0.2 | Jan 2015 | Full Support | 31 Dec 2019 (announced Aug 2015) | from 11.0 |
| 1.1.0 | Aug 2016 | Full Support | 1.1.1 release + 1 year | Proposed for 12-STABLE |
| 1.1.1 | not yet | Beta 5 (pre7) | release + 5 years | 12.0 (if released in time) |

OpenSSL in base

| FreeBSD version | FreeBSD status | OpenSSL version | OpenSSL status |
|---|---|---|---|
| 9.x | EoL 2016-12-31 | 0.9.8 | EoL 2015-12-31 |
| 10.x | Expected 2018-10-31 | 1.0.1 | EoL 2016-12-31 |
| 11.x | Expected 2021-09-30 | 1.0.2 | 2019-12-31 |
| 12.x | | 1.1.x | 2023 |

Efforts to change OpenSSL in base are documented in the Base sub-page.

OpenSSL for ports

By default, FreeBSD ports use OpenSSL from the base system.

To use OpenSSL from ports, add the following to /etc/make.conf:

DEFAULT_VERSIONS+= ssl=openssl

This will automatically use security/openssl as the OpenSSL library provider. Possible values for ssl are

Using LibreSSL from ports

To use LibreSSL from ports, add the following to /etc/make.conf:

DEFAULT_VERSIONS+= ssl=libressl

Upgrade of ports OpenSSL to 1.0.2

Creating a 1.0.2 known problems subpage to collect issues and fixes

Build issues with OpenSSL 1.1.0

Collected on the 1.1.0 known problems sub-page

Build issues with OpenSSL 1.1.1

A bit opportune, but currently (2018-08-17) OpenSSL 1.1.1 is beta 6 (-pre8). As the TLS 1.3 standard is now finalized, hopefully we'll see a 1.1.1 release very soon.

Collected on the 1.1.1 known problems sub-page

Issues when using OpenSSL from ports

Ports linking base libssl when WITH_OPENSSL_PORT is defined

Bug 195796 - exp-build with WITH_OPENSSL_PORT=yes and SSLv2/SSLv3 disabled

See Ports linking base OpenSSL sub-page

There's a nice write-up by bsdx on building a poudriere jail without base ssl, forcing ports to link ports ssl.

GSSAPI conflicts

Both libgssapi_krb5.so and libgssapi_ntlm.so depend on libcrypto.so. Since these often have a different shared library version, this will lead to conflicts. Some ports try to fix that in the Makefile, but this should be fixed globally. A work-in-progress fix can be found at Sp1l's GitHub. Your safest bet is to set the following in /etc/make.conf:

OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET=   GSSAPI_MIT

Setting GSSAPI_HEIMDAL would work as well (I haven't run into issues with it), but there are no ports that specify only Heimdal, whereas there are ports that only set MIT (i.e. benchmarks/polygraph, net/ocserv, security/putty, excluding krb5/heimdal specific ports).

Affected ports (unconfirmed)

databases/mariadb101-server

dns/bind9-devel

dns/bind910

dns/bind99

ftp/curl

mail/mutt

mail/cyrus-imapd25

mail/cyrus-imapd24

mail/dovecot2

net/samba36

net/wireshark

security/py-kerberos

security/pam_krb5

security/p5-Authen-Krb5

security/cyrus-sasl2-gssapi

security/p5-Heimdal-Kadm5

security/p5-GSSAPI

security/cyrus-sasl2-saslauthd

security/p5-Authen-Krb5-Simple

www/mod_auth_kerb2

www/nginx-devel

www/squid
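
To confirm whether an installed binary actually mixes base and ports libssl/libcrypto, as described under "Ports linking base libssl" and "GSSAPI conflicts" above, the following added example (not part of the original wiki page) classifies ldd output. It assumes base libraries live in /lib or /usr/lib and ports libraries in /usr/local/lib; the sample ldd output and its library version numbers are constructed.

```sh
#!/bin/sh
# Added example (not from the wiki page): classify which OpenSSL provider a
# binary resolves to, reading `ldd` output on stdin.
# Assumption: base libraries live in /lib or /usr/lib, ports libraries in
# /usr/local/lib (the default LOCALBASE).
ssl_link_origin() {
    awk '
        # Dependency lines look like: libfoo.so.N => /path/libfoo.so.N (0x...)
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            if ($3 ~ /^\/usr\/local\/lib\//)    ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//)   base = 1
        }
        END {
            if (base && ports) print "mixed"   # both providers in one process
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Constructed sample: a binary linked against ports libssl/libcrypto that also
# pulls in base libcrypto through base GSSAPI (version numbers are made up).
SAMPLE_MIXED='/usr/local/bin/example:
	libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800800000)
	libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800a00000)
	libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800c00000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x801000000)
	libc.so.7 => /lib/libc.so.7 (0x801400000)'

# Constructed sample: everything resolved from ports.
SAMPLE_PORTS='/usr/local/bin/example:
	libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800800000)
	libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800c00000)'

# Constructed sample: everything resolved from base.
SAMPLE_BASE='/usr/bin/example:
	libssl.so.8 => /usr/lib/libssl.so.8 (0x800800000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000)'

for name in MIXED PORTS BASE; do
    eval "sample=\$SAMPLE_$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$sample" | ssl_link_origin)"
done

# On a live system (path is a placeholder): ldd /usr/local/bin/example | ssl_link_origin
```

A result of "mixed" for a port built with ssl=openssl or ssl=libressl means the port, or one of its dependencies, still resolves a base libssl/libcrypto.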

Build issues using LibreSSL

Please check the LibreSSL page

Build issues with SSLv3 disabled

Collected on the build ports without SSLv3 sub-page

OpenSSL (last edited 2018-08-17 13:56:21 by BernardSpil)