OpenSSL problem: bind98-base FreeBSD port

Matthew Seaman m.seaman at
Mon Jul 9 07:23:27 UTC 2012

On 09/07/2012 01:40, Doug Barton wrote:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
>> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>>> One can also build named w/o GOST support if one wants.  We statically
>>>> link all the engines when building named on Windows.
>>> Unfortunately the port doesn't provide the config hooks to disable GOST support.
>> Actually.. how do you go about doing that anyway?  I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.

GOST is not available in the version of OpenSSL in the FreeBSD base.

Here's a patch to turn off GOST from the dns/bind99 port when used with
openssl 1.0.x also from ports:

cvs diff: Diffing .
Index: Makefile
RCS file: /home/ncvs/ports/dns/bind99/Makefile,v
retrieving revision 1.9
diff -u -u -r1.9 Makefile
--- Makefile	4 Jun 2012 21:51:34 -0000	1.9
+++ Makefile	9 Jun 2012 08:59:45 -0000
@@ -209,6 +209,11 @@
 		${WRKSRC}/bin/named/ > \

+.if defined(WITH_OPENSSL_PORT)
+	${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef
 PKGMESSAGE=	${.CURDIR}/../bind97/pkg-message
 PKGINSTALL=	${.CURDIR}/../bind97/pkg-install
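
Review bot: The `.if defined(WITH_OPENSSL_PORT)` guard ties the GOST removal to the choice of OpenSSL, so every build against the ports OpenSSL loses `HAVE_OPENSSL_GOST` with no separate switch to keep it; a dedicated option tested alongside `WITH_OPENSSL_PORT` would make this an explicit opt-out. The substitution also depends on the exact `^#define HAVE_OPENSSL_GOST` text and silently does nothing if that line is absent or worded differently, so a check after the `${SED}` call that the define is really gone would catch a no-op. As archived here, the `${SED}` line is cut off after `/* #undef` and no closing `.endif` is visible, although the header `@@ -209,6 +209,11 @@` announces five added lines, so the hunk cannot be applied as shown.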

The equivalent for dns/bind98 is almost identical.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW

More information about the bind-users mailing list