After all the noise about base openssl vs. ports openssl on this list a
couple of weeks ago, I bit the bullet and tossed WITH_OPENSSL_PORT=yes
in poudriere.d/*-make.conf and kicked off a poudriere run. It chugged
for quite a while and rebuilt lots of ports. After it was done, I ran
pkg upgrade and was dismayed when I discovered that ldd told me that
quite a few executables were linked to openssl in base.

The big culprit turned out to be ftp/curl. Even though
WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and
run dependency, it was silently getting linked to openssl from base. The
cause of that problem is that the default GSSAPI_BASE option adds
-L/usr/lib near the start of LDFLAGS, so the linker finds the base
openssl libraries instead of the ones from the port. I worked around
that problem by switching to GSSAPI_NONE, though I tested that the other
GSSAPI_* options also work correctly. There is a sanity check in the
Makefile that attempts to catch this conflict, but it does not work
correctly. See
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200555>.

After another poudriere run, which rebuilt the curl package and
everything that depended on it, things were looking much better. Of my
~1300 installed ports, I only found two other problematic ports:
www/links1 <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200557>
and
security/nmap <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200558>

The only remaining port that links to openssl in base is pkg, which I
think is mandatory for chicken vs. egg reasons.

I'm currently running with these updated ports and haven't run into any
problems.
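
The ldd check described in this message can be automated; the script below is an added example, not part of the original post. It assumes packages install under /usr/local, and the function names, the sample ldd output and the library version numbers in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: report objects whose libssl/libcrypto resolve outside the
# ports prefix. Function names and the sample data are illustrative.

# Reads ldd output on stdin and prints "<object> <resolved library>" for each
# libssl/libcrypto that does not live under the prefix ($1, default /usr/local).
base_openssl_links() {
    awk -v prefix="${1:-/usr/local}/" '
        # ldd starts each object with a "path:" line; library lines end in ")".
        /:$/ { obj = substr($0, 1, length($0) - 1); next }
        # Library line: "libssl.so.N => /resolved/path (0xaddr)".
        # Unresolved entries ("=> not found") have no absolute path and are skipped.
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^\// {
            if (index($3, prefix) != 1) print obj, $3
        }
    '
}

# Constructed sample of ldd output: one object picking up base openssl,
# one correctly linked against the port.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/curl:
	libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800849000)
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/bin/fixed-example:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800849000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)
EOF
}

# Real use: scan installed executables and shared libraries (not run here).
scan_installed() {
    find /usr/local/bin /usr/local/sbin /usr/local/lib -type f \
        -exec ldd {} + 2>/dev/null | base_openssl_links
}

# Demonstration on the constructed sample.
sample_ldd_output | base_openssl_links
```

Calling scan_installed after a pkg upgrade lists every installed object that still resolves libssl or libcrypto from base, including shared libraries that pull it in indirectly.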