Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#759 closed Bug / Defect (fixed)

openvpn fails to build with openssl 1.1

Reported by: limburgher
Owned by: Steffan Karger
Priority: major
Milestone: release 2.5
Component: Generic / unclassified
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

https://kojipkgs.fedoraproject.org//work/tasks/2678/16282678/build.log

In file included from crypto.c:36:0:
crypto.h:437:12: error: field 'ctx' has incomplete type

md_ctx_t ctx;

and others. I'm the Fedora package maintainer. This is happening with 2.3.13, and this is also happening with older releases on Debian.

Change History (16)

comment:1 Changed 3 years ago by Gert Döring

Owner: set to Steffan Karger
Status: new → assigned

2.3 will never receive support for OpenSSL 1.1.x

2.4 might, but we haven't agreed on a timeline yet.

comment:2 Changed 3 years ago by Gert Döring

Milestone: release 2.3.14 → release 2.4

comment:3 Changed 3 years ago by limburgher

Ok, thank you. I'll try to get by with our compat-openssl10 package for now.

comment:4 Changed 3 years ago by limburgher

That doesn't work, because openvpn requires pkcs11-helper, which is built against the new openssl.

comment:5 Changed 3 years ago by nmav

Would openvpn 2.4 deprecate pkcs11-helper and use openssl's engine instead? If yes, we could only provide a pkcs11-helper for openssl 1.0.x.


comment:6 Changed 3 years ago by Steffan Karger

We could consider that, but we'd still need a solution for mbed TLS, and try to keep the user experience similar for the two backends...

I haven't looked into openssl's pkcs11 engine yet, so I can't say up front whether I think that is a good solution.

comment:7 Changed 3 years ago by Steffan Karger

Milestone: release 2.4 → release 2.5

We're too close to 2.4_rc1 to tackle this in 2.4. Moving to 2.5.

comment:8 Changed 3 years ago by eworm

We are running into the same issue with the Arch Linux package. Currently this is one of the blockers on my openssl 1.1.0 rebuild list.

comment:9 Changed 3 years ago by nmav

While pkcs11-helper may provide consistency across openvpn, it does not provide consistency within an OS like Fedora. In Fedora all the PKCS#11 applications and libraries identify objects using PKCS#11 URIs. Pkcs11-helper is a library which does use custom identifiers for objects in smart cards, and thus any user would have to treat and think about smart card objects in openvpn differently. To avoid that, we keep a downstream patch which adds URIs to pkcs11-helper, but if you could switch to engine_pkcs11 for openssl, it would simplify many things for integrators.


comment:10 Changed 3 years ago by Gert Döring

Just to add the cross reference - a patch set has materialized on the openvpn-devel list and is under review. This will at least enable master (2.5) to be compiled with 1.1 - no decision on 2.4.x has been made yet.

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14075.html

comment:11 Changed 2 years ago by Gert Döring

I think this one can be closed now - 2.4.3 was released a few weeks ago, and supposedly builds and works fine with openssl 1.1 (we have reports from Arch, at least).

comment:12 Changed 2 years ago by eworm

Yes, can be closed. The Arch package does not carry any patches and works without issues.

comment:13 Changed 2 years ago by Steffan Karger

Resolution: fixed
Status: assigned → closed

Many thanks to Emmanuel Deloget for working with us to get this in!

comment:14 Changed 2 years ago by pgnd

Building

	git log | head
		commit 5fd8e94d311825571931414064e4d13ed808f9b5
		Author: Szilárd Pfeiffer <coroner@pfeifferszilard.hu>
		Date:   Mon Sep 4 10:10:12 2017 +0200

		    OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

		    * safe bet to say that server admins are better at updating their configs
		      than client users are and if client do want to restrict their ciphers,
		      they should simply evict the ciphers they don't want from their cipher
		      suite

with

	echo $OPENSSL_CFLAGS
		-I/usr/local/include -I/usr/local/openssl11/include -I/usr/include
	echo $OPENSSL_LIBS
		-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto
	./configure --enable-shared --disable-static --with-crypto-library=openssl 

still FAILs

	make
		...
		/usr/bin/gcc-7 -DHAVE_CONFIG_H -I. -I../.. -I../../include  -I../../include -I../../src/compat -O3 -Wall -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -D_FORTIFY_SOURCE=2  -I/usr/local/include  -I/usr/local/openssl11/include  -I/usr/include    -DPLUGIN_LIBDIR=\"/usr/local/openvpn/lib64/openvpn/plugins\"  -O3 -Wall -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -Wall -std=c99 -MT ssl_verify.o -MD -MP -MF .deps/ssl_verify.Tpo -c -o ssl_verify.o ssl_verify.c
		ssl_openssl.c: In function ‘tls_init_lib’:
		ssl_openssl.c:74:5: warning: implicit declaration of function ‘SSL_library_init’; did you mean ‘SSL_in_init’? [-Wimplicit-function-declaration]
		     SSL_library_init();
		     ^~~~~~~~~~~~~~~~
		     SSL_in_init
		ssl_openssl.c:76:5: warning: implicit declaration of function ‘SSL_load_error_strings’; did you mean ‘ERR_lib_error_string’? [-Wimplicit-function-declaration]
		     SSL_load_error_strings();
		     ^~~~~~~~~~~~~~~~~~~~~~
		     ERR_lib_error_string
		ssl_openssl.c:78:5: warning: implicit declaration of function ‘OpenSSL_add_all_algorithms’; did you mean ‘OpenSSL_add_ssl_algorithms’? [-Wimplicit-function-declaration]
		     OpenSSL_add_all_algorithms();
		     ^~~~~~~~~~~~~~~~~~~~~~~~~~
		     OpenSSL_add_ssl_algorithms
		ssl_openssl.c: In function ‘tls_free_lib’:
		ssl_openssl.c:87:5: warning: implicit declaration of function ‘EVP_cleanup’; did you mean ‘EVP_PBE_cleanup’? [-Wimplicit-function-declaration]
		     EVP_cleanup();
		     ^~~~~~~~~~~
		     EVP_PBE_cleanup
		ssl_openssl.c:89:5: warning: implicit declaration of function ‘ERR_free_strings’; did you mean ‘ERR_load_strings’? [-Wimplicit-function-declaration]
		     ERR_free_strings();
		     ^~~~~~~~~~~~~~~~
		     ERR_load_strings
		ssl_openssl.c: In function ‘tls_ctx_check_cert_time’:
		ssl_openssl.c:408:25: warning: implicit declaration of function ‘X509_get_notBefore’; did you mean ‘X509_getm_notBefore’? [-Wimplicit-function-declaration]
		     ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
		                         ^~~~~~~~~~~~~~~~~~
		                         X509_getm_notBefore
		ssl_openssl.c:408:25: warning: passing argument 1 of ‘X509_cmp_time’ makes pointer from integer without a cast [-Wint-conversion]
		In file included from /usr/local/openssl11/include/openssl/pem.h:17:0,
		                 from /usr/local/openssl11/include/openssl/ssl.h:55,
		                 from ssl_openssl.h:32,
		                 from ssl_backend.h:36,
		                 from ssl_openssl.c:44:
		/usr/local/openssl11/include/openssl/x509.h:474:5: note: expected ‘const ASN1_TIME * {aka const struct asn1_string_st *}’ but argument is of type ‘int’
		 int X509_cmp_time(const ASN1_TIME *s, time_t *t);
		     ^~~~~~~~~~~~~
		ssl_openssl.c:418:25: warning: implicit declaration of function ‘X509_get_notAfter’; did you mean ‘X509_getm_notAfter’? [-Wimplicit-function-declaration]
		     ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
		                         ^~~~~~~~~~~~~~~~~
		                         X509_getm_notAfter
		ssl_openssl.c:418:25: warning: passing argument 1 of ‘X509_cmp_time’ makes pointer from integer without a cast [-Wint-conversion]
		In file included from /usr/local/openssl11/include/openssl/pem.h:17:0,
		                 from /usr/local/openssl11/include/openssl/ssl.h:55,
		                 from ssl_openssl.h:32,
		                 from ssl_backend.h:36,
		                 from ssl_openssl.c:44:
		/usr/local/openssl11/include/openssl/x509.h:474:5: note: expected ‘const ASN1_TIME * {aka const struct asn1_string_st *}’ but argument is of type ‘int’
		 int X509_cmp_time(const ASN1_TIME *s, time_t *t);
		     ^~~~~~~~~~~~~
		In file included from errlevel.h:27:0,
		                 from ssl_openssl.c:39:
		ssl_openssl.c: In function ‘tls_ctx_load_dh_params’:
		ssl_openssl.c:474:13: warning: implicit declaration of function ‘DH_size’; did you mean ‘dysize’? [-Wimplicit-function-declaration]
		         8 * DH_size(dh));
		             ^
		error.h:151:67: note: in definition of macro ‘msg’
		 #define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false)
		                                                                   ^~~~~~~~~~~
		ssl_openssl.c:476:5: warning: implicit declaration of function ‘DH_free’; did you mean ‘gc_free’? [-Wimplicit-function-declaration]
		     DH_free(dh);
		     ^~~~~~~
		     gc_free
		ssl_openssl.c: In function ‘tls_ctx_load_ecdh_params’:
		ssl_openssl.c:502:9: warning: implicit declaration of function ‘SSL_CTX_set_ecdh_auto’; did you mean ‘SSL_CTX_set_dh_auto’? [-Wimplicit-function-declaration]
		         SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
		         ^~~~~~~~~~~~~~~~~~~~~
		         SSL_CTX_set_dh_auto
		ssl_openssl.c: In function ‘openvpn_extkey_rsa_finish’:
		ssl_openssl.c:973:30: warning: implicit declaration of function ‘RSA_get_method’; did you mean ‘SSL_get_ssl_method’? [-Wimplicit-function-declaration]
		     const RSA_METHOD *meth = RSA_get_method(rsa);
		                              ^~~~~~~~~~~~~~
		                              SSL_get_ssl_method
		ssl_openssl.c:973:30: warning: initialization makes pointer from integer without a cast [-Wint-conversion]
		ssl_openssl.c:974:5: warning: implicit declaration of function ‘RSA_meth_free’; did you mean ‘BIO_meth_free’? [-Wimplicit-function-declaration]
		     RSA_meth_free((RSA_METHOD *)meth);
		     ^~~~~~~~~~~~~
		     BIO_meth_free
		ssl_openssl.c: In function ‘rsa_priv_enc’:
		ssl_openssl.c:988:20: error: ‘RSA_PKCS1_PADDING’ undeclared (first use in this function); did you mean ‘i2d_PKCS12_SAFEBAG’?
		     if (padding != RSA_PKCS1_PADDING)
		                    ^~~~~~~~~~~~~~~~~
		                    i2d_PKCS12_SAFEBAG
		ssl_openssl.c:988:20: note: each undeclared identifier is reported only once for each function it appears in
		In file included from ssl_openssl.c:55:0:
		openssl_compat.h:647:46: error: ‘RSA_F_RSA_EAY_PRIVATE_ENCRYPT’ undeclared (first use in this function); did you mean ‘RSA_F_RSA_OSSL_PRIVATE_ENCRYPT’?
		 #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
		                                              ^
		/usr/local/openssl11/include/openssl/err.h:29:59: note: in definition of macro ‘ERR_PUT_error’
		 #  define ERR_PUT_error(a,b,c,d,e)        ERR_put_error(a,b,c,d,e)
		                                                           ^
		ssl_openssl.c:990:9: note: in expansion of macro ‘RSAerr’
		         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
		         ^~~~~~
		ssl_openssl.c:990:16: note: in expansion of macro ‘RSA_F_RSA_OSSL_PRIVATE_ENCRYPT’
		         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
		                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		ssl_openssl.c:990:48: error: ‘RSA_R_UNKNOWN_PADDING_TYPE’ undeclared (first use in this function); did you mean ‘SSL_R_UNKNOWN_ALERT_TYPE’?
		         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
		                                                ^
		/usr/local/openssl11/include/openssl/err.h:29:61: note: in definition of macro ‘ERR_PUT_error’
		 #  define ERR_PUT_error(a,b,c,d,e)        ERR_put_error(a,b,c,d,e)
		                                                             ^
		ssl_openssl.c:990:9: note: in expansion of macro ‘RSAerr’
		         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
		         ^~~~~~
		ssl_openssl.c:1011:11: warning: implicit declaration of function ‘RSA_size’; did you mean ‘HMAC_size’? [-Wimplicit-function-declaration]
		     len = RSA_size(rsa);
		           ^~~~~~~~
		           HMAC_size
		ssl_openssl.c: In function ‘tls_ctx_use_external_private_key’:
		ssl_openssl.c:1048:16: warning: implicit declaration of function ‘RSA_meth_new’; did you mean ‘BIO_meth_new’? [-Wimplicit-function-declaration]
		     rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
		                ^~~~~~~~~~~~
		                BIO_meth_new
		ssl_openssl.c:1049:29: error: ‘RSA_METHOD_FLAG_NO_CHECK’ undeclared (first use in this function); did you mean ‘SSL_SECOP_SIGALG_CHECK’?
		                             RSA_METHOD_FLAG_NO_CHECK);
		                             ^~~~~~~~~~~~~~~~~~~~~~~~
		                             SSL_SECOP_SIGALG_CHECK
		ssl_openssl.c:1051:5: warning: implicit declaration of function ‘RSA_meth_set_pub_enc’; did you mean ‘BIO_meth_set_puts’? [-Wimplicit-function-declaration]
		     RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
		     ^~~~~~~~~~~~~~~~~~~~
		     BIO_meth_set_puts
		ssl_openssl.c:1052:5: warning: implicit declaration of function ‘RSA_meth_set_pub_dec’; did you mean ‘BIO_meth_set_puts’? [-Wimplicit-function-declaration]
		     RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
		     ^~~~~~~~~~~~~~~~~~~~
		     BIO_meth_set_puts
		ssl_openssl.c:1053:5: warning: implicit declaration of function ‘RSA_meth_set_priv_enc’; did you mean ‘BIO_meth_set_write’? [-Wimplicit-function-declaration]
		     RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
		     ^~~~~~~~~~~~~~~~~~~~~
		     BIO_meth_set_write
		ssl_openssl.c:1054:5: warning: implicit declaration of function ‘RSA_meth_set_priv_dec’; did you mean ‘BIO_meth_set_write’? [-Wimplicit-function-declaration]
		     RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
		     ^~~~~~~~~~~~~~~~~~~~~
		     BIO_meth_set_write
		ssl_openssl.c:1055:5: warning: implicit declaration of function ‘RSA_meth_set_init’; did you mean ‘EVP_MD_meth_set_init’? [-Wimplicit-function-declaration]
		     RSA_meth_set_init(rsa_meth, NULL);
		     ^~~~~~~~~~~~~~~~~
		     EVP_MD_meth_set_init
		ssl_openssl.c:1056:5: warning: implicit declaration of function ‘RSA_meth_set_finish’; did you mean ‘BIO_meth_set_gets’? [-Wimplicit-function-declaration]
		     RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
		     ^~~~~~~~~~~~~~~~~~~
		     BIO_meth_set_gets
		ssl_openssl.c:1057:5: warning: implicit declaration of function ‘RSA_meth_set0_app_data’; did you mean ‘SSL_CTX_set_app_data’? [-Wimplicit-function-declaration]
		     RSA_meth_set0_app_data(rsa_meth, NULL);
		     ^~~~~~~~~~~~~~~~~~~~~~
		     SSL_CTX_set_app_data
		ssl_openssl.c:1060:11: warning: implicit declaration of function ‘RSA_new’; did you mean ‘SSL_new’? [-Wimplicit-function-declaration]
		     rsa = RSA_new();
		           ^~~~~~~
		           SSL_new
		ssl_openssl.c:1060:9: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
		     rsa = RSA_new();
		         ^
		ssl_openssl.c:1082:5: warning: implicit declaration of function ‘RSA_get0_key’; did you mean ‘SSL_get0_dane’? [-Wimplicit-function-declaration]
		     RSA_get0_key(pub_rsa, &n, &e, NULL);
		     ^~~~~~~~~~~~
		     SSL_get0_dane
		ssl_openssl.c:1083:5: warning: implicit declaration of function ‘RSA_set0_key’; did you mean ‘SSL_set_bio’? [-Wimplicit-function-declaration]
		     RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
		     ^~~~~~~~~~~~
		     SSL_set_bio
		ssl_openssl.c:1083:23: warning: implicit declaration of function ‘BN_dup’; did you mean ‘OBJ_dup’? [-Wimplicit-function-declaration]
		     RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
		                       ^~~~~~
		                       OBJ_dup
		ssl_openssl.c:1084:5: warning: implicit declaration of function ‘RSA_set_flags’; did you mean ‘BIO_set_flags’? [-Wimplicit-function-declaration]
		     RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
		     ^~~~~~~~~~~~~
		     BIO_set_flags
		ssl_openssl.c:1084:24: warning: implicit declaration of function ‘RSA_flags’; did you mean ‘ifr_flags’? [-Wimplicit-function-declaration]
		     RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
		                        ^~~~~~~~~
		                        ifr_flags
		ssl_openssl.c:1084:41: error: ‘RSA_FLAG_EXT_PKEY’ undeclared (first use in this function); did you mean ‘SSL_F_SSL_SET_PKEY’?
		     RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
		                                         ^~~~~~~~~~~~~~~~~
		                                         SSL_F_SSL_SET_PKEY
		ssl_openssl.c:1085:10: warning: implicit declaration of function ‘RSA_set_method’; did you mean ‘SSL_set_ssl_method’? [-Wimplicit-function-declaration]
		     if (!RSA_set_method(rsa, rsa_meth))
		          ^~~~~~~~~~~~~~
		          SSL_set_ssl_method
		ssl_openssl.c:1097:5: warning: implicit declaration of function ‘RSA_free’; did you mean ‘SSL_free’? [-Wimplicit-function-declaration]
		     RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
		     ^~~~~~~~
		     SSL_free
		ssl_openssl.c: In function ‘key_state_ssl_init’:
		ssl_openssl.c:1542:30: warning: passing argument 1 of ‘getbio’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
		     ks_ssl->ssl_bio = getbio(BIO_f_ssl(), "ssl_bio");
		                              ^~~~~~~~~
		ssl_openssl.c:1390:1: note: expected ‘BIO_METHOD * {aka struct bio_method_st *}’ but argument is of type ‘const BIO_METHOD * {aka const struct bio_method_st *}’
		 getbio(BIO_METHOD *type, const char *desc)
		 ^~~~~~
		ssl_openssl.c:1543:28: warning: passing argument 1 of ‘getbio’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
		     ks_ssl->ct_in = getbio(BIO_s_mem(), "ct_in");
		                            ^~~~~~~~~
		ssl_openssl.c:1390:1: note: expected ‘BIO_METHOD * {aka struct bio_method_st *}’ but argument is of type ‘const BIO_METHOD * {aka const struct bio_method_st *}’
		 getbio(BIO_METHOD *type, const char *desc)
		 ^~~~~~
		ssl_openssl.c:1544:29: warning: passing argument 1 of ‘getbio’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
		     ks_ssl->ct_out = getbio(BIO_s_mem(), "ct_out");
		                             ^~~~~~~~~
		ssl_openssl.c:1390:1: note: expected ‘BIO_METHOD * {aka struct bio_method_st *}’ but argument is of type ‘const BIO_METHOD * {aka const struct bio_method_st *}’
		 getbio(BIO_METHOD *type, const char *desc)
		 ^~~~~~
		ssl_openssl.c: In function ‘print_details’:
		ssl_openssl.c:1689:34: warning: implicit declaration of function ‘RSA_bits’ [-Wimplicit-function-declaration]
		                                  RSA_bits(rsa));
		                                  ^~~~~~~~
		ssl_openssl.c:1695:34: warning: implicit declaration of function ‘DSA_bits’ [-Wimplicit-function-declaration]
		                                  DSA_bits(dsa));
		                                  ^~~~~~~~
		ssl_openssl.c: In function ‘get_ssl_library_version’:
		ssl_openssl.c:1838:12: warning: implicit declaration of function ‘SSLeay_version’; did you mean ‘SSL_version’? [-Wimplicit-function-declaration]
		     return SSLeay_version(SSLEAY_VERSION);
		            ^~~~~~~~~~~~~~
		            SSL_version
		ssl_openssl.c:1838:27: error: ‘SSLEAY_VERSION’ undeclared (first use in this function); did you mean ‘SSL2_VERSION’?
		     return SSLeay_version(SSLEAY_VERSION);
		                           ^~~~~~~~~~~~~~
		                           SSL2_VERSION
		ssl_openssl.c:1839:1: warning: control reaches end of non-void function [-Wreturn-type]
		 }
		 ^
		Makefile:673: recipe for target 'ssl_openssl.o' failed
		make[3]: *** [ssl_openssl.o] Error 1
		make[3]: *** Waiting for unfinished jobs....
		mv -f .deps/socket.Tpo .deps/socket.Po
		mv -f .deps/ssl_verify.Tpo .deps/ssl_verify.Po
		mv -f .deps/ssl.Tpo .deps/ssl.Po
		mv -f .deps/options.Tpo .deps/options.Po
		make[3]: Leaving directory '/usr/local/src/openvpn/src/openvpn'
		Makefile:429: recipe for target 'all-recursive' failed
		make[2]: *** [all-recursive] Error 1
		make[2]: Leaving directory '/usr/local/src/openvpn/src'
		Makefile:614: recipe for target 'all-recursive' failed
		make[1]: *** [all-recursive] Error 1
		make[1]: Leaving directory '/usr/local/src/openvpn'
		Makefile:502: recipe for target 'all' failed
		make: *** [all] Error 2

as code's still using clearly deprecated calls

	https://www.openssl.org/docs/man1.1.0/crypto/OpenSSL_add_all_algorithms.html

comment:15 Changed 2 years ago by Gert Döring

these errors very much look like you have openssl 1.0 installed in /usr/{include,lib} or /usr/local/{include,lib} and configure is picking up the wrong library when searching for "which functions are available and which are not".

How are you calling configure? What does it output regarding openssl?

comment:16 Changed 2 years ago by pgnd

> these errors very much look like you have openssl 1.0 installed in /usr/{include,lib} or /usr/local/{include,lib} and configure is picking up the wrong library when searching for "which functions are available and which are not".

Yep, there *is* a system-installed openssl.

I, OTOH, have 'external' instances of openssl v1.0.2 & v1.1.0 in

	/usr/local/openssl10

&

	/usr/local/openssl11

respectively, that I'm linking against.

I.e.,

	find /usr/ | egrep "libssl.so|libcrypto.so" | grep -v "/src/"
!!		/usr/lib64/libcrypto.so
!!		/usr/lib64/libssl.so
		/usr/local/openssl10/lib64/libcrypto.so
		/usr/local/openssl10/lib64/libcrypto.so.1.0.0
		/usr/local/openssl10/lib64/libssl.so
		/usr/local/openssl10/lib64/libssl.so.1.0.0
		/usr/local/openssl11/lib64/libcrypto.so
		/usr/local/openssl11/lib64/libcrypto.so.1.1
		/usr/local/openssl11/lib64/libssl.so
		/usr/local/openssl11/lib64/libssl.so.1.1

> How are you calling configure? What does it output regarding openssl?

with either

	case = openssl v1.0.2
		export OPENSSL_CFLAGS="-I/usr/local/include -I/usr/local/openssl10/include -I/usr/include"
		export OPENSSL_LIBS="-L/usr/local/openssl10/lib64 -Wl,-rpath,/usr/local/openssl10/lib64 -lssl -lcrypto"

or

	case = openssl v1.1.0
		export OPENSSL_CFLAGS="-I/usr/local/include -I/usr/local/openssl11/include -I/usr/include"
		export OPENSSL_LIBS="-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto"

I call configure as

	./configure \
	--prefix=/usr/local/openvpn \
	 --libdir=/usr/local/openvpn/lib64 \
	--enable-shared --disable-static \
	--with-gnu-ld \
	--with-crypto-library=openssl \
	--enable-crypto \
	--enable-x509-alt-username \
	--enable-systemd \
	--disable-multihome \
	--enable-iproute2 \
	--with-mem-check=no \
	--disable-selinux \
	--enable-lzo \
	--enable-lz4

then

	make
	make install

In the openssl v1.0.2 case, all works well enough

	ldd /usr/local/openvpn/sbin/openvpn | egrep -i "ssl|crypto"
		libssl.so.1.0.0 => /usr/local/openssl10/lib64/libssl.so.1.0.0 (0x00007fea5288f000)
		libcrypto.so.1.0.0 => /usr/local/openssl10/lib64/libcrypto.so.1.0.0 (0x00007fea52406000)

	/usr/local/openvpn/sbin/openvpn --version
		OpenVPN 2.5_git [git:master/5fd8e94d31182557] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Sep  9 2017
		library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
		Originally developed by James Yonan
		Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
		Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

but in the openssl v1.1.0 case, fails as reported above

'./configure ...' output for the v1.1.0 case includes

	...
	checking for PKCS11_HELPER... no
	checking additionally if OpenSSL is available and version >= 1.0.1... ok
	checking for SSL_CTX_new... yes
	checking for EVP_CIPHER_CTX_set_key_length... yes
	checking for ENGINE_load_builtin_engines... yes
	checking for ENGINE_register_all_complete... yes
	checking for ENGINE_cleanup... no
	checking for EVP_aes_256_gcm... yes
	checking for HMAC_CTX_new... yes
	checking for HMAC_CTX_free... yes
	checking for HMAC_CTX_reset... yes
	checking for EVP_MD_CTX_new... yes
	checking for EVP_MD_CTX_free... yes
	checking for EVP_MD_CTX_reset... yes
	checking for SSL_CTX_get_default_passwd_cb... yes
	checking for SSL_CTX_get_default_passwd_cb_userdata... yes
	checking for X509_get0_pubkey... yes
	checking for X509_STORE_get0_objects... yes
	checking for X509_OBJECT_free... yes
	checking for X509_OBJECT_get_type... yes
	checking for EVP_PKEY_id... yes
	checking for EVP_PKEY_get0_RSA... yes
	checking for EVP_PKEY_get0_DSA... yes
	checking for EVP_PKEY_get0_EC_KEY... yes
	checking for RSA_set_flags... yes
	checking for RSA_bits... yes
	checking for RSA_get0_key... yes
	checking for RSA_set0_key... yes
	checking for DSA_get0_pqg... yes
	checking for DSA_bits... yes
	checking for RSA_meth_new... yes
	checking for RSA_meth_free... yes
	checking for RSA_meth_set_pub_enc... yes
	checking for RSA_meth_set_pub_dec... yes
	checking for RSA_meth_set_priv_enc... yes
	checking for RSA_meth_set_priv_dec... yes
	checking for RSA_meth_set_init... yes
	checking for RSA_meth_set_finish... yes
	checking for RSA_meth_set0_app_data... yes
	checking for EC_GROUP_order_bits... yes
	...

and, config.log:

	egrep -i "ssl|crypto" config.log  | grep -vi fstack-protector
		$ ./configure --prefix=/usr/local/openvpn --libdir=/usr/local/openvpn/lib64 --enable-shared --disable-static --with-gnu-ld --with-crypto-library=openssl --enable-crypto --enable-x509-alt-username --enable-systemd --disable-multihome --enable-iproute2 --with-mem-check=no --disable-selinux --enable-lzo --enable-lz4
		PATH: /usr/local/openssl11/bin
		configure:16555: checking additionally if OpenSSL is available and version >= 1.0.1
		configure:16589: checking for SSL_CTX_new
		| #define HAVE_SSL_CTX_NEW 1
		configure:16681: checking for SSL_CTX_get_default_passwd_cb
		configure:16681: checking for SSL_CTX_get_default_passwd_cb_userdata
		ac_cv_env_OPENSSL_CFLAGS_set=set
		ac_cv_env_OPENSSL_CFLAGS_value='-I/usr/local/include  -I/usr/local/openssl11/include  -I/usr/include'
		ac_cv_env_OPENSSL_LIBS_set=set
		ac_cv_env_OPENSSL_LIBS_value=' -L/usr/local/openssl11/lib64  -Wl,-rpath,/usr/local/openssl11/lib64   -lssl -lcrypto '
		ac_cv_env_PKG_CONFIG_PATH_value=/usr/local/openssl11/lib64/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/lib/pkgconfig
		ac_cv_func_SSL_CTX_get_default_passwd_cb=yes
		ac_cv_func_SSL_CTX_get_default_passwd_cb_userdata=yes
		ac_cv_func_SSL_CTX_new=yes
		ENABLE_CRYPTO_FALSE='#'
		ENABLE_CRYPTO_TRUE=''
		OPENSSL_CFLAGS='-I/usr/local/include  -I/usr/local/openssl11/include  -I/usr/include'
		OPENSSL_LIBS=' -L/usr/local/openssl11/lib64  -Wl,-rpath,/usr/local/openssl11/lib64   -lssl -lcrypto '
		OPTIONAL_CRYPTO_CFLAGS=' -I/usr/local/include  -I/usr/local/openssl11/include  -I/usr/include'
		OPTIONAL_CRYPTO_LIBS='  -L/usr/local/openssl11/lib64  -Wl,-rpath,/usr/local/openssl11/lib64   -lssl -lcrypto '
		PKG_CONFIG_PATH='/usr/local/openssl11/lib64/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/lib/pkgconfig'
		#define HAVE_SSL_CTX_NEW 1
		#define HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB 1
		#define HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA 1
		#define ENABLE_CRYPTO_OPENSSL 1
		#define ENABLE_CRYPTO 1
		#define CONFIGURE_DEFINES "enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no"
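
The question raised in comment:15, whether the build sees a different OpenSSL than the one intended, can be checked by listing every `openssl/opensslv.h` reachable through the `-I` flags in search order. The script below is an added example, not part of the ticket or of OpenVPN's build system; the function names, the `SYSDIRS` parameter and the constructed header tree are assumptions, and it models GCC's documented rule that `-I` naming a standard system include directory is ignored in favour of that directory's system position.

```shell
#!/bin/sh
# Added example (not from the ticket): report which opensslv.h a set of -I
# flags resolves to, and whether other OpenSSL versions are also reachable.
# Limits: handles "-Idir" (no space after -I) and paths without whitespace.

# include_dirs CFLAGS SYSDIRS
# Print include directories in effective search order. SYSDIRS is a
# space-separated list of the compiler's standard system include directories
# (for GCC, see the output of: gcc -E -v -x c /dev/null). A -I flag naming one
# of them is dropped; system directories are searched last, in their own order.
include_dirs() {
    _user=""
    set -f                              # no globbing while splitting flags
    for _flag in $1; do
        case $_flag in
            -I?*) _dir=${_flag#-I} ;;
            *)    continue ;;
        esac
        case " $2 " in
            *" $_dir "*) ;;             # system dir: -I is ignored
            *)           _user="$_user $_dir" ;;
        esac
    done
    for _dir in $_user $2; do printf '%s\n' "$_dir"; done
    set +f
}

# header_version FILE: print the quoted OPENSSL_VERSION_TEXT of an opensslv.h
header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# openssl_header_report CFLAGS SYSDIRS
# One line per reachable header: "<rank> <dir> <version text>".
# Rank 1 is the copy that #include <openssl/opensslv.h> would resolve to.
openssl_header_report() {
    _rank=0
    include_dirs "$1" "$2" | while IFS= read -r _dir; do
        _hdr=$_dir/openssl/opensslv.h
        [ -f "$_hdr" ] || continue
        _rank=$((_rank + 1))
        printf '%s %s %s\n' "$_rank" "$_dir" "$(header_version "$_hdr")"
    done
}

# mixed_versions CFLAGS SYSDIRS
# True when headers declaring different versions are reachable, i.e. when a
# change in flag order would silently change which OpenSSL is compiled against.
mixed_versions() {
    _n=$(( $(openssl_header_report "$1" "$2" | cut -d' ' -f3- | sort -u | wc -l) ))
    [ "$_n" -gt 1 ]
}

# make_sample_tree: create a constructed tree holding two opensslv.h copies
# (version strings are constructed sample values) and print its root.
make_sample_tree() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/usr/include/openssl" "$_root/openssl11/include/openssl"
    printf '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2 (constructed)"\n' \
        > "$_root/usr/include/openssl/opensslv.h"
    printf '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0 (constructed)"\n' \
        > "$_root/openssl11/include/openssl/opensslv.h"
    printf '%s\n' "$_root"
}

# Demo: a system-style directory precedes the OpenSSL 1.1 tree, as in the
# OPENSSL_CFLAGS quoted in the ticket.
demo() {
    _t=$(make_sample_tree) || return 1
    _flags="-I$_t/usr/include -I$_t/openssl11/include"
    echo "treating every -I as an ordinary directory:"
    openssl_header_report "$_flags" ""
    echo "treating $_t/usr/include as a system include directory:"
    openssl_header_report "$_flags" "$_t/usr/include"
    rm -rf "$_t"
}
demo
```

To check a real build environment, call `openssl_header_report "$OPENSSL_CFLAGS" "/usr/local/include /usr/include"`, replacing the second argument with the system directories your compiler actually reports.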