#1188 closed Bug / Defect (wontfix)
Compilation OpenVPN 2.4.7 and libssl.so.0.9.8
Reported by: | langioletto | Owned by: | |
---|---|---|---|
Priority: | blocker | Milestone: | |
Component: | Building / Compiling | Version: | OpenVPN 2.4.7 (Community Ed) |
Severity: | Not set (select this one, unless you're a OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger, Selva Nair |
Description
./configure --disable-plugins
-----OK, no error-----
make
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\" -Wall -Wno-unused-parameter -Wno-unused-function -g -O2 -std=c99 -MT ssl.o -MD -MP -MF .deps/ssl.Tpo -c -o ssl.o ssl.c
mv -f .deps/ssl.Tpo .deps/ssl.Po
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\" -Wall -Wno-unused-parameter -Wno-unused-function -g -O2 -std=c99 -MT ssl_openssl.o -MD -MP -MF .deps/ssl_openssl.Tpo -c -o ssl_openssl.o ssl_openssl.c
ssl_openssl.c: In function ‘openssl_tls_version’:
ssl_openssl.c:230: error: ‘TLS1_1_VERSION’ undeclared (first use in this function)
ssl_openssl.c:230: error: (Each undeclared identifier is reported only once
ssl_openssl.c:230: error: for each function it appears in.)
ssl_openssl.c:234: error: ‘TLS1_2_VERSION’ undeclared (first use in this function)
ssl_openssl.c: In function ‘backend_tls_ctx_reload_crl’:
ssl_openssl.c:1028: warning: value computed is not used
ssl_openssl.c: In function ‘show_available_tls_ciphers_list’:
ssl_openssl.c:1858: error: ‘TLS1_2_VERSION’ undeclared (first use in this function)
make[3]: *** [ssl_openssl.o] Errore 1
Compiling OpenVPN 2.4.4 is no problem; the problem arises from version 2.4.5
and this is the cause of the error:
https://patchwork.openvpn.net/patch/201/
Version of libcrypto and libssl
find /usr/ | egrep "libssl.so|libcrypto.so" | grep -v "/src/"
/usr/lib/libssl.so.0.9.8
/usr/lib/libssl.so
/usr/lib/libcrypto.so.0.9.8
/usr/lib/libcrypto.so
Thanks
Best regards
Change History (18)
comment:1 Changed 5 years ago by
Cc: | Steffan Karger Selva Nair added |
---|
comment:2 Changed 5 years ago by
So - I just re-tested this because I assume it should work, and it does...
$ src/openvpn/openvpn --version
OpenVPN 2.4.7 [git:release/2.4/0c1cc8d65539f5e1+] amd64-unknown-freebsd8.4 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] built on May 16 2019
library versions: OpenSSL 0.9.8zd-freebsd 8 Jan 2015, LZO 2.09
(this is on FreeBSD 8 with the built-in OpenSSL, which is old)
Thus: more details needed - platform, configure output (maybe it's not picking up 0.9.8 but there's a 0.9.6 lying around elsewhere - and *that* is no longer supported indeed)...
comment:4 Changed 5 years ago by
Looks like there are 0.9.8 versions like 0.9.8e, which RHEL5 ships, that do not even support TLS1.1, and current code breaks with them. On the other hand, versions like 0.9.8zd have TLS1.1 support. So the exact version and platform you are trying to compile here is important.
comment:5 Changed 5 years ago by
Change log OpenVPN 2.4.5
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
Selva Nair (14):
- Check whether in pull_mode before warning about previous connection blocks
- Avoid illegal memory access when malformed data is read from the pipe
- Fix missing check for return value of malloc'd buffer
- Return NULL if GetAdaptersInfo fails
- Use RSA_meth_free instead of free
- Bring cryptoapi.c upto speed with openssl 1.1
- Add SSL_CTX_get_max_proto_version() not in openssl 1.0
- TLS v1.2 support for cryptoapicert -- RSA only
- Refactor get_interface_metric to return metric and auto flag separately
- Ensure strings read from registry are null-terminated
- Make most registry values optional
- Use lowest metric interface when multiple interfaces match a route
- Adapt to RegGetValue brokenness in Windows 7
- Fix format spec errors in Windows builds
Sorry if I didn't enter the output
uname -snrvm
Linux linux 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686
openvpn --version
OpenVPN 2.4.4 i686-pc-linux [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] built on May 15 2019
library versions: OpenSSL 0.9.8k 25 Mar 2009, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
comment:6 follow-up: 9 Changed 5 years ago by
What distribution is that? And we wanted openssl version not openvpn --version :)
If we are to fix that bug we need to have some platform to test on.
comment:8 Changed 5 years ago by
Replying to Gert Döring:
What does "openssl version" print?
openssl version
OpenSSL 0.9.8k 25 Mar 2009
comment:9 Changed 5 years ago by
Replying to plaisthos:
What distribution is that? And we wanted openssl version not openvpn --version :)
If we are to fix that bug we need to have some platform to test on.
If you want, I can make TeamViewer available for a remote connection to that distribution.
comment:10 Changed 5 years ago by
Okay. While this issue is probably easy to fix, no one of our team will work on that. The reason is that this OpenSSL Version is ancient and does not get security updates anymore. Also no supported distribution exists that has such an ancient OpenSSL version that is still supported. RHEL5 had 0.9.8e but is also EOL. Also Ubuntu 10.04 is not supported since 2015. So from our perspective there is no reason anymore to support 0.9.8.x.
That being said if someone submits a patch to the mailing list to support non TLS1.1 OpenSSL 0.9.x we might include it since it technically is a regression.
comment:11 Changed 5 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:13 Changed 5 years ago by
Basically what I wrote. Although we technically promised 0.9.8 support, we accidentally broke it and no one of the OSS contributors sees a good reason to fix it as we see no valid reason to do it. And if you want to go on technicalities, we still support 0.9.8, just not old versions. And also 0.9.8x is too old too as it also lacks TLS1.1 support. As Gert discovered, 0.9.8zd works.
comment:14 Changed 5 years ago by
:)
Could you kindly tell me the command to debug at a high level during compilation, so I can write the patch?
With the check removed, the compilation completes successfully, but I wanted to create something more elegant.
Many thanks
comment:15 Changed 5 years ago by
Fixing this requires only very basic C understanding of defines and ifdefs; I am not sure what I can tell you apart from "fix the c files, run make". If it compiles, make a patch and send it to openvpn-devel.
comment:16 Changed 5 years ago by
Security-wise, it would make much more sense to compile a more recent OpenSSL version (like 1.0.1) and install it to /usr/local/ - then, configure OpenVPN with "OPENSSL_CFLAGS=" and "OPENSSL_LIBS=" arguments to "configure" to use this version.
0.9.8k is very very VERY old, and has lots of security relevant bugs.
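The approach suggested in comment 16, written out as an added example (not part of the ticket and not OpenVPN project code): check that a candidate OpenSSL prefix declares the two macros the build failed on, print the matching `configure` line, and read back the linked version from `openvpn --version`. The function names and the two demo prefixes are assumptions, and the header files are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not OpenVPN project code; function names and prefixes are assumptions.

# has_tls_macros PREFIX: succeed only if the headers under PREFIX/include/openssl
# define both macros that ssl_openssl.c reported as undeclared.
has_tls_macros() {
    inc="$1/include/openssl"
    [ -d "$inc" ] || return 2
    for m in TLS1_1_VERSION TLS1_2_VERSION; do
        grep -rqsE "^[[:space:]]*#[[:space:]]*define[[:space:]]+$m([[:space:]]|\$)" "$inc" || return 1
    done
}

# configure_cmd PREFIX: print the configure invocation that pins the build to the
# OpenSSL installed under PREFIX, or fail before a build against old headers starts.
configure_cmd() {
    has_tls_macros "$1" || {
        echo "headers under $1 lack TLS1_1_VERSION/TLS1_2_VERSION" >&2
        return 1
    }
    printf './configure --disable-plugins OPENSSL_CFLAGS="-I%s/include" OPENSSL_LIBS="-L%s/lib -lssl -lcrypto"\n' "$1" "$1"
}

# linked_openssl: read `openvpn --version` output on stdin and print the OpenSSL
# version from its "library versions:" line, i.e. what the binary really uses.
linked_openssl() {
    sed -n 's/^library versions: OpenSSL \([^ ,]*\).*/\1/p'
}

# Constructed demo: two fake prefixes standing in for a pre-TLS1.1 header set
# and a newer one installed separately (e.g. under /usr/local).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/old/include/openssl" "$demo/new/include/openssl"
echo '#define TLS1_VERSION 0x0301' > "$demo/old/include/openssl/tls1.h"
printf '# define TLS1_VERSION 0x0301\n# define TLS1_1_VERSION 0x0302\n# define TLS1_2_VERSION 0x0303\n' \
    > "$demo/new/include/openssl/tls1.h"

configure_cmd "$demo/old" || echo "old prefix rejected"
configure_cmd "$demo/new"
```

After the build, piping `openvpn --version` into `linked_openssl` confirms the binary is not still resolving to the system's old library.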
comment:17 Changed 5 years ago by
I have compiled the latest library, "OpenSSL 1.1.1b"; I hope it does not cause problems with the current distribution.
openvpn --version
OpenVPN 2.4.7 i686-pc-linux [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 18 2019
library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.02
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Thank you all
comment:18 Changed 5 years ago by
If it compiles, it should work fine - we test with 1.1.1 (1.1.1b is just a patch release)
Mmmmh. The patch you have referenced hasn't been merged to 2.4, so it cannot be the reason for the problem...
Which platform are you compiling on?