Opened 6 months ago

Closed 7 weeks ago

#1469 closed Bug / Defect (fixed-external)

DCO tree on Ubuntu 20.04 does not build with OpenSSL 3.0.5

Reported by: Gert Döring Owned by: Antonio Quartulli
Priority: major Milestone: release 2.6
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: dco, building, ubuntu2004, libnl, pkg-config


Having OpenSSL 1.1.1 in the standard system library path and OpenSSL 3.0.x in a custom path fails, because pkg-config for libnl injects -L/usr/lib/x86_64-linux-gnu in the link path, so -lssl -lcrypto finds the wrong library:

cryptoapi.o -Wl,-rpath=/home/openssl-3.0.5/lib64  ../../src/compat/.libs/libcompat.a -L/usr/lib/x86_64-linux-gnu -lnsl -lresolv -llzo2 -L/usr/lib -llz4 -L/home/openssl-3.0.5/lib64 -lssl -lcrypto -ldl -lnl-genl-3 -lnl-3

Arguably the bug is in Ubuntu's .pc file

$ pkg-config --libs --print-errors "libnl-genl-3.0 >= 3.4.0"
-L/usr/lib/x86_64-linux-gnu -lnl-genl-3 -lnl-3 

but I think our configure could be a bit smarter about command line placement - so if we place "things that are not pkg-config" in front (OPENSSL_LIBS, LZO_LIBS, ...) - assuming that those will be "in that place, there is only this single library" - we'd be more robust against .pc stupidity.

We might want to file an ubuntu bug as well, but I think this is likely to hit us again - so if we can handle it, even better.

Change History (2)

comment:1 Changed 6 months ago by David Sommerseth

Can you try this patch and see how that works out for you?

diff --git a/ b/
index bebed1ac..b693e63f 100644
--- a/
+++ b/
@@ -781,8 +781,8 @@ dnl
                                          [AC_MSG_ERROR([libnl-genl-3.0 package not found or too old. Is the development package and pkg-config installed? Must be version 3.4.0 or newer])]
-                       CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}"
-                       LIBS="${LIBS} ${LIBNL_GENL_LIBS}"
+                       AC_SUBST([LIBNL_GENL_CFLAGS])
+                       AC_SUBST([LIBNL_GENL_LIBS])
                        AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload])
                        AC_MSG_NOTICE([Enabled ovpn-dco support for Linux])
diff --git a/src/openvpn/ b/src/openvpn/
index 8d0e66b4..1abd3e6d 100644
--- a/src/openvpn/
+++ b/src/openvpn/
@@ -26,6 +26,7 @@ AM_CPPFLAGS = \
        $(TAP_CFLAGS) \
+       $(LIBNL_GENL_CFLAGS) \
        $(OPTIONAL_LZ4_CFLAGS) \
@@ -147,6 +148,7 @@ openvpn_LDADD = \
        $(OPTIONAL_LZ4_LIBS) \
+       $(LIBNL_GENL_LIBS) \
        $(OPTIONAL_DL_LIBS) \

comment:2 Changed 7 weeks ago by Gert Döring

Resolution: fixed-external
Status: assignedclosed

So, it turns out that this is an Ubuntu "too many choices" weirdness.

There is "pkgconf", which does

$ pkg-config -libs libnl-genl-3.0
-L/usr/lib/x86_64-linux-gnu -lnl-genl-3 -lnl-3 

and there is "pkg-config", which you get by explicitly asking for it...

$ SU apt-get install pkg-config
The following packages will be REMOVED:
The following NEW packages will be installed:

... and then:

$ pkg-config --libs libnl-genl-3.0
-lnl-genl-3 -lnl-3

which will make the build succeed.

Recording this here, in full detail, in case someone else bumps into this - but we're not going to do anything about it on the OpenVPN build side for now.

Note: See TracTickets for help on using tickets.