Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#1188 closed Bug / Defect (wontfix)

Compilation OpenVPN 2.4.7 and libssl.so.0.9.8

Reported by: langioletto Owned by:
Priority: blocker Milestone:
Component: Building / Compiling Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Steffan Karger, selvanair

Description

./configure --disable-plugins

-----OK, no error-----

make

gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include  -I../../include -I../../src/compat       -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\"  -Wall -Wno-unused-parameter -Wno-unused-function -g -O2 -std=c99 -MT ssl.o -MD -MP -MF .deps/ssl.Tpo -c -o ssl.o ssl.c
mv -f .deps/ssl.Tpo .deps/ssl.Po
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include  -I../../include -I../../src/compat       -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\"  -Wall -Wno-unused-parameter -Wno-unused-function -g -O2 -std=c99 -MT ssl_openssl.o -MD -MP -MF .deps/ssl_openssl.Tpo -c -o ssl_openssl.o ssl_openssl.c
ssl_openssl.c: In function ‘openssl_tls_version’:
ssl_openssl.c:230: error: ‘TLS1_1_VERSION’ undeclared (first use in this function)
ssl_openssl.c:230: error: (Each undeclared identifier is reported only once
ssl_openssl.c:230: error: for each function it appears in.)
ssl_openssl.c:234: error: ‘TLS1_2_VERSION’ undeclared (first use in this function)
ssl_openssl.c: In function ‘backend_tls_ctx_reload_crl’:
ssl_openssl.c:1028: warning: value computed is not used
ssl_openssl.c: In function ‘show_available_tls_ciphers_list’:
ssl_openssl.c:1858: error: ‘TLS1_2_VERSION’ undeclared (first use in this function)
make[3]: *** [ssl_openssl.o] Errore 1

Compiling OpenVPN 2.4.4 is no problem; the problem arises from version 2.4.5

and this is the cause of the error:

https://patchwork.openvpn.net/patch/201/

Version of libcrypto and libssl

find /usr/ | egrep "libssl.so|libcrypto.so" | grep -v "/src/"
/usr/lib/libssl.so.0.9.8
/usr/lib/libssl.so
/usr/lib/libcrypto.so.0.9.8
/usr/lib/libcrypto.so

Thanks

Best regards

Change History (18)

comment:1 Changed 14 months ago by Gert Döring

Cc: Steffan Karger, selvanair added

Mmmmh. The patch you have referenced hasn't been merged to 2.4, so it cannot be the reason for the problem...

Which platform are you compiling on?

comment:2 Changed 14 months ago by Gert Döring

So - I just re-tested this because I assume it should work, and it does...

$ src/openvpn/openvpn --version
OpenVPN 2.4.7 [git:release/2.4/0c1cc8d65539f5e1+] amd64-unknown-freebsd8.4 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] built on May 16 2019
library versions: OpenSSL 0.9.8zd-freebsd 8 Jan 2015, LZO 2.09

(this is on FreeBSD 8 with the built-in OpenSSL, which is old)

Thus: more details needed - platform, configure output (maybe it's not picking up 0.9.8 but there's a 0.9.6 lying around elsewhere - and *that* is no longer supported indeed)...

comment:3 Changed 14 months ago by Gert Döring

What does "openssl version" print?

comment:4 Changed 14 months ago by plaisthos

Looks like there are 0.9.8 versions, like 0.9.8e which RHEL5 ships, that do not even support TLS1.1, and the current code breaks with them. On the other hand, versions like 0.9.8zd have TLS1.1 support. So the exact version and platform you are trying to compile on here is important.

comment:5 Changed 14 months ago by langioletto

Change log OpenVPN 2.4.5

Add SSL_CTX_get_max_proto_version() not in openssl 1.0

Selva Nair (14):
      Check whether in pull_mode before warning about previous connection blocks
      Avoid illegal memory access when malformed data is read from the pipe
      Fix missing check for return value of malloc'd buffer
      Return NULL if GetAdaptersInfo fails
      Use RSA_meth_free instead of free
      Bring cryptoapi.c upto speed with openssl 1.1
      Add SSL_CTX_get_max_proto_version() not in openssl 1.0
      TLS v1.2 support for cryptoapicert -- RSA only
      Refactor get_interface_metric to return metric and auto flag separately
      Ensure strings read from registry are null-terminated
      Make most registry values optional
      Use lowest metric interface when multiple interfaces match a route
      Adapt to RegGetValue brokenness in Windows 7
      Fix format spec errors in Windows builds

Sorry if I didn't enter the output

uname -snrvm

Linux linux 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686

openvpn --version

OpenVPN 2.4.4 i686-pc-linux [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] built on May 15 2019
library versions: OpenSSL 0.9.8k 25 Mar 2009, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>

comment:6 Changed 14 months ago by plaisthos

What distribution is that? And we wanted openssl version not openvpn --version :)

If we are to fix that bug we need to have some platform to test on.

comment:7 Changed 14 months ago by langioletto

ubuntu-10.04-desktop-i386

comment:8 in reply to: 3 Changed 14 months ago by langioletto

Replying to Gert Döring:

What does "openssl version" print?

openssl version

OpenSSL 0.9.8k 25 Mar 2009

comment:9 in reply to: 6 Changed 14 months ago by langioletto

Replying to plaisthos:

What distribution is that? And we wanted openssl version not openvpn --version :)

If we are to fix that bug we need to have some platform to test on.

If you want, I can make TeamViewer available for a remote connection to that distribution.

comment:10 Changed 14 months ago by plaisthos

Okay. While this issue is probably easy to fix, no one on our team will work on that. The reason is that this OpenSSL version is ancient and does not get security updates anymore. Also, no supported distribution exists that has such an ancient OpenSSL version and is still supported. RHEL5 had 0.9.8e but is also EOL. Also, Ubuntu 10.04 has not been supported since 2015. So from our perspective there is no reason anymore to support 0.9.8.x.

That being said, if someone submits a patch to the mailing list to support non-TLS1.1 OpenSSL 0.9.x, we might include it since it technically is a regression.

comment:11 Changed 14 months ago by plaisthos

Resolution: wontfix
Status: new → closed

comment:12 Changed 14 months ago by langioletto

OpenVPN 2.4.x still supports OpenSSL 0.9.8x or am I wrong?

comment:13 Changed 14 months ago by plaisthos

Basically what I wrote. Although we technically promised 0.9.8 support, we accidentally broke it, and no one of the OSS contributors sees a good reason to fix it, as we see no valid reason to do it. And if you want to go on technicalities, we still support 0.9.8, just not old versions. And 0.9.8x is too old too, as it also lacks TLS1.1 support. As Gert discovered, 0.9.8zd works.

comment:14 Changed 14 months ago by langioletto

:)

Could you kindly tell me the command to debug at a high level during compilation, so I can write the patch?

Eliminating the check, the compilation completes successfully, but I wanted to create something more elegant.

Many thanks

comment:15 Changed 14 months ago by plaisthos

Fixing this requires only a very basic C understanding of defines and ifdefs; I am not sure what I can tell you apart from "fix the C files, run make". If it compiles, make a patch and send it to openvpn-devel.
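
As an added illustration of the ifdef-based fix plaisthos points at, this is example code written for this note, not OpenVPN's ssl_openssl.c: the header stand-in, the TLS_VER_* selector names and their values are constructed to mimic a 0.9.8k build that defines only TLS1_VERSION. Each library constant is referenced only under an #ifdef for it, and a second check refuses a tls-version-min the library cannot enforce rather than silently accepting a weaker minimum.

```c
/* Constructed stand-in for the part of <openssl/ssl.h> an OpenSSL 0.9.8k
 * build provides: TLS1_VERSION exists, TLS1_1_VERSION and TLS1_2_VERSION
 * do not. Against a real library, include <openssl/ssl.h> here instead. */
#define TLS1_VERSION 0x0301

/* Logical TLS version selectors as used by a tls-version-min option
 * (assumed names; values constructed for this example). */
enum { TLS_VER_UNSPEC = 0, TLS_VER_1_0 = 1, TLS_VER_1_1 = 2, TLS_VER_1_2 = 3 };

/* Map a selector to the library constant. Each constant is referenced only
 * inside an #ifdef for it, so the file compiles on any OpenSSL release;
 * returns 0 when this library has no constant for that version. */
static int
openssl_tls_version_guarded(int ver)
{
    switch (ver)
    {
        case TLS_VER_1_0: return TLS1_VERSION;
#ifdef TLS1_1_VERSION
        case TLS_VER_1_1: return TLS1_1_VERSION;
#endif
#ifdef TLS1_2_VERSION
        case TLS_VER_1_2: return TLS1_2_VERSION;
#endif
        default:          return 0;
    }
}

/* Highest selector this build can actually enforce. */
static int
tls_version_max_supported(void)
{
#if defined(TLS1_2_VERSION)
    return TLS_VER_1_2;
#elif defined(TLS1_1_VERSION)
    return TLS_VER_1_1;
#else
    return TLS_VER_1_0;
#endif
}

/* Merely compiling is not enough: if the operator asked for tls-version-min
 * 1.2 and the library cannot express it, reject the config instead of
 * silently accepting TLS 1.0. Returns 1 if the minimum can be honoured. */
static int
tls_version_min_ok(int requested_min)
{
    return requested_min == TLS_VER_UNSPEC
           || openssl_tls_version_guarded(requested_min) != 0;
}
```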

comment:16 Changed 14 months ago by Gert Döring

Security-wise, it would make much more sense to compile a more recent OpenSSL version (like 1.0.1) and install it to /usr/local/ - then, configure OpenVPN with "OPENSSL_CFLAGS=" and "OPENSSL_LIBS=" arguments to "configure" to use this version.

0.9.8k is very very VERY old, and has lots of security relevant bugs.

comment:17 Changed 14 months ago by langioletto

I have compiled the latest library, "OpenSSL 1.1.1b"; I hope it does not give problems with the current distribution.

openvpn --version

OpenVPN 2.4.7 i686-pc-linux [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 18 2019
library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

Thank you all

Last edited 14 months ago by langioletto

comment:18 Changed 14 months ago by Gert Döring

If it compiles, it should work fine - we test with 1.1.1 (1.1.1b is just a patch release)
