Opened 9 years ago

Closed 9 years ago

#382 closed Bug / Defect (notabug)

Build failure for 2.3.3 if PCKS#11 and OpenSSL are enabled

Reported by: jkb Owned by:
Priority: critical Milestone: release 2.3.3
Component: Building / Compiling Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger


When trying to build OpenVPN 2.3.3 for Tunnelblick with PKCS11 and OpenSSL support, I get the following error:

libtool: link: blah, blah, blah…
Undefined symbols:

"_pkcs11h_openssl_session_getEVP", referenced from:

_pkcs11_init_tls_session in pkcs11_openssl.o

ld: symbol(s) not found
collect2: ld returned 1 exit status

I had downloaded the source from on 2014-03-25.

Looking at the source, I see a reference to


at line 66 of pkcs11_openssl.c, but I cannot find any place it is defined.

Line 66 is conditionally compiled when:

#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_OPENSSL)

The reference to pkcs11h_openssl_session_getEVP is not present in the source for OpenVPN 2.3.2.

(I filed this under "git master branch" because there is no "2.3.3" option. I do not know if the problem occurs with the source from the git master branch.)

Change History (4)

comment:1 Changed 9 years ago by Gert Döring

Cc: Steffan Karger added

I seem to remember that we need a more recent version of pkcs11_helper "since some change". Let me go searching...

comment:2 Changed 9 years ago by Gert Döring

Ah, indeed, commit f8b590d5a6692324a from Nov 12, 2013

pkcs11: use generic evp key instead of rsa

Enables DSA, ECDSA key usages with newer pkcs11-helper.

configure should complain that pkcs11-helper needs to be 1.11 or later, but if I read this right, it will only do that if "pkg-config" is there and can be queried for versions.

comment:3 Changed 9 years ago by jkb

Thank you! Linking with pkcs11-helper 1.11 solves the problem.

Apparently variable names prefixed with "pkcs11h_" refer to items outside of the OpenVPN source, in the pcks11-helper source -- I had not realized that.

Sorry for the trouble, and thanks again.

This ticket can be closed, or marked "invalid" or something.

comment:4 Changed 9 years ago by Gert Döring

Resolution: notabug
Status: newclosed

Thanks for testing and reporting :-) - will close!

Note: See TracTickets for help on using tickets.