Opened 12 months ago

Closed 12 months ago

Last modified 12 months ago

#1367 closed Bug / Defect (notabug)

OpenSSL version too old Ubuntu 16.04 OpenSSL 1.0.2g OpenVPN 2.5.0

Reported by: alicek Owned by:
Priority: minor Milestone: release 2.5
Component: Generic / unclassified Version: OpenVPN 2.5.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

I'm trying to run OpenVPN client 2.5.0, but the connection is constantly being re-connected.

Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting

I tried to re-build OpenVPN manually and got this error:

checking additionally if OpenSSL is available and version >= 1.0.2... configure: error: OpenSSL version too old

But the documentation says that any version OpenSSL >= 1.0.2 is suitable. https://github.com/OpenVPN/openvpn/blob/master/INSTALL

REQUIRES:
   ...
  (2) OpenSSL library, necessary for encryption, version 1.0.2 or higher
      required, available from http://www.openssl.org/
      or
  ...

Am I wrong? Should the client work with version 1.0.2g?

OpenVPN 2.5.0 OpenSSL 1.0.2g

OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2020
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

Change History (4)

comment:1 Changed 12 months ago by Gert Döring

Resolution: notabug
Status: newclosed

I just re-checked configure.ac, and it requests 1.0.2 from the system, or newer

                # if the user did not explicitly specify flags, try to autodetect
                PKG_CHECK_MODULES(
                        [OPENSSL],
                        [openssl >= 1.0.2],
                        [have_openssl="yes"],
                        [] # If this fails, we will do another test next
                )
                OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}

so I would guess that there are different openssl versions lying around on your system, and one of them is too old.

My FreeBSD builds use this

library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10

and it works fine.

I would just update that ubuntu to 18.04 or 20.04 - not worth spending extra time on systems that are out of support, are no longer receiving bugfixes, etc.

comment:2 in reply to:  description Changed 12 months ago by tct

Replying to alicek:

I tried to re-build OpenVPN manually and got this error:

checking additionally if OpenSSL is available and version >= 1.0.2... configure: error: OpenSSL version too old

But the documentation says that any version OpenSSL >= 1.0.2 is suitable. https://github.com/OpenVPN/openvpn/blob/master/INSTALL

The message says that you do not have openssl 1.0.2 or greater on your system.

comment:3 Changed 12 months ago by alicek

Thanks for your reply.
Naturally, I can upgrade the system to version 18.04 or 20.04. Everything works fine on these versions.
I also manually updated OpenSSL from version 1.0.2g to version 1.1.1c, and everything works.
As I indicated above, the OpenSSL 1.0.2g library is installed on my test system, which belongs to version 1.0.2 of OpenSSL (https://www.openssl.org/news/openssl-1.0.2-notes.html). So it should pass the check.
Yes, I'm a bore. But maybe it will be useful to someone. Thank you for your time.

comment:4 Changed 12 months ago by Gert Döring

Well, in that case you'll need to figure out why it is not working on your system.

Configure writes a log where it details what it tests and why it concludes that "your openssl version is too old".

I can tell you that it generally works with OpenSSL 1.0.2 (already did that), and "so that it can be useful to someone" I went out and tested it on my Ubuntu 16.04 system:

gert@ubuntu1604$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
gert@ubuntu1604:~/openvpn.git$ git checkout v2.5.0
...
gert@ubuntu1604:~/openvpn.git$ autoreconf -vif
...
gert@ubuntu1604:~/openvpn.git$ ./configure
...
checking for OPENSSL... no
checking additionally if OpenSSL is available and version >= 1.0.2... ok
...
config.status: executing libtool commands
gert@ubuntu1604:~/openvpn.git$ make
...
gert@ubuntu1604:~/openvpn.git$ src/openvpn/openvpn --version
OpenVPN 2.5.0 [git:HEAD/a73072d8f780e888] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 17 2020
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08

I have also tested with the 2.5.0 release tarball (to make sure it's not something funky with the "autoreconf" being run on a different system). Works.

So - this is something on your system, not a general OpenVPN build issue. If you do not want to upgrade, you'll have to figure out what you did to break openssl detection.

Note: See TracTickets for help on using tickets.