#759 closed Bug / Defect (fixed)
openvpn fails to build with openssl 1.1
| Reported by: | limburgher | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.5 |
| Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
https://kojipkgs.fedoraproject.org//work/tasks/2678/16282678/build.log
```
In file included from crypto.c:36:0:
crypto.h:437:12: error: field 'ctx' has incomplete type
   md_ctx_t ctx;
```
and others. I'm the Fedora package maintainer. This is happening with 2.3.13, and this is also happening with older releases on Debian.
Change History (16)
comment:1 Changed 8 years ago by
| Owner: | set to Steffan Karger |
|---|---|
| Status: | new → assigned |
comment:2 Changed 8 years ago by
| Milestone: | release 2.3.14 → release 2.4 |
|---|---|
comment:3 Changed 8 years ago by
Ok, thank you. I'll try to get by with our compat-openssl10 package for now.
comment:4 Changed 8 years ago by
That doesn't work, because openvpn requires pkcs11-helper, which is built against the new openssl.
comment:5 Changed 7 years ago by
Would openvpn 2.4 deprecate pkcs11-helper and use openssl's engine instead? If yes, we could only provide a pkcs11-helper for openssl 1.0.x.
comment:6 Changed 7 years ago by
We could consider that, but we'd still need a solution for mbed TLS, and try to keep the user experience similar for the two backends...
I haven't looked into openssl's pkcs11 engine yet, so I can't say up front whether I think that is a good solution.
comment:7 Changed 7 years ago by
| Milestone: | release 2.4 → release 2.5 |
|---|---|
We're too close to 2.4_rc1 to tackle this in 2.4. Moving to 2.5.
comment:8 Changed 7 years ago by
We are running into the same issue with the Arch Linux package. Currently this is one of the blockers on my openssl 1.1.0 rebuild list.
comment:9 Changed 7 years ago by
While pkcs11-help may provide consistency across openvpn, it does not provide consistency within an OS like Fedora. In Fedora all the PKCS#11 applications and libraries identify objects using PKCS#11 URIs. Pkcs11-helper is a library which does use custom identifiers for objects in smart cards, and thus any user would have to treat and think about smart card objects in openvpn differently. To avoid that, we keep a downstream patch which adds URIs to pkcs11-helper, but if you could switch to engine_pkcs11 for openssl, it would simplify many things for integrators.
comment:10 Changed 7 years ago by
Just to add the cross reference - a patch set has materialized on the openvpn-devel list and is under review. This will at least enable master (2.5) to be compiled with 1.1 - no decision on 2.4.x has been made yet.
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14075.html
comment:11 Changed 7 years ago by
I think this one can be closed now - 2.4.3 has been released a few weeks ago, and supposedly builds and works fine with openssl 1.1 (we have reports from Arch, at least).
comment:12 Changed 7 years ago by
Yes, can be closed. The Arch package does not carry any patches and works without issues.
comment:13 Changed 7 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Many thanks to Emmanuel Deloget for working with us to get this in!
comment:14 Changed 7 years ago by
Building

```
git log | head
commit 5fd8e94d311825571931414064e4d13ed808f9b5
Author: Szilárd Pfeiffer <coroner@pfeifferszilard.hu>
Date:   Mon Sep 4 10:10:12 2017 +0200

    OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

    * safe bet to say that server admins are better at updating their configs
      than client users are and if client do want to restrict their ciphers,
      they should simply evict the ciphers they don't want from their cipher suite
```

with

```
echo $OPENSSL_CFLAGS
-I/usr/local/include -I/usr/local/openssl11/include -I/usr/include
echo $OPENSSL_LIBS
-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto
./configure --enable-shared --disable-static --with-crypto-library=openssl
```

still FAILs

```
make
...
/usr/bin/gcc-7 -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -O3 -Wall -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -D_FORTIFY_SOURCE=2 -I/usr/local/include -I/usr/local/openssl11/include -I/usr/include -DPLUGIN_LIBDIR=\"/usr/local/openvpn/lib64/openvpn/plugins\" -O3 -Wall -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=native -mtune=native -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -Wall -std=c99 -MT ssl_verify.o -MD -MP -MF .deps/ssl_verify.Tpo -c -o ssl_verify.o ssl_verify.c
ssl_openssl.c: In function ‘tls_init_lib’:
ssl_openssl.c:74:5: warning: implicit declaration of function ‘SSL_library_init’; did you mean ‘SSL_in_init’? [-Wimplicit-function-declaration]
     SSL_library_init();
     ^~~~~~~~~~~~~~~~
     SSL_in_init
ssl_openssl.c:76:5: warning: implicit declaration of function ‘SSL_load_error_strings’; did you mean ‘ERR_lib_error_string’? [-Wimplicit-function-declaration]
     SSL_load_error_strings();
     ^~~~~~~~~~~~~~~~~~~~~~
     ERR_lib_error_string
ssl_openssl.c:78:5: warning: implicit declaration of function ‘OpenSSL_add_all_algorithms’; did you mean ‘OpenSSL_add_ssl_algorithms’? [-Wimplicit-function-declaration]
     OpenSSL_add_all_algorithms();
     ^~~~~~~~~~~~~~~~~~~~~~~~~~
     OpenSSL_add_ssl_algorithms
ssl_openssl.c: In function ‘tls_free_lib’:
ssl_openssl.c:87:5: warning: implicit declaration of function ‘EVP_cleanup’; did you mean ‘EVP_PBE_cleanup’? [-Wimplicit-function-declaration]
     EVP_cleanup();
     ^~~~~~~~~~~
     EVP_PBE_cleanup
ssl_openssl.c:89:5: warning: implicit declaration of function ‘ERR_free_strings’; did you mean ‘ERR_load_strings’? [-Wimplicit-function-declaration]
     ERR_free_strings();
     ^~~~~~~~~~~~~~~~
     ERR_load_strings
ssl_openssl.c: In function ‘tls_ctx_check_cert_time’:
ssl_openssl.c:408:25: warning: implicit declaration of function ‘X509_get_notBefore’; did you mean ‘X509_getm_notBefore’? [-Wimplicit-function-declaration]
     ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
                         ^~~~~~~~~~~~~~~~~~
                         X509_getm_notBefore
ssl_openssl.c:408:25: warning: passing argument 1 of ‘X509_cmp_time’ makes pointer from integer without a cast [-Wint-conversion]
In file included from /usr/local/openssl11/include/openssl/pem.h:17:0,
                 from /usr/local/openssl11/include/openssl/ssl.h:55,
                 from ssl_openssl.h:32,
                 from ssl_backend.h:36,
                 from ssl_openssl.c:44:
/usr/local/openssl11/include/openssl/x509.h:474:5: note: expected ‘const ASN1_TIME * {aka const struct asn1_string_st *}’ but argument is of type ‘int’
 int X509_cmp_time(const ASN1_TIME *s, time_t *t);
     ^~~~~~~~~~~~~
ssl_openssl.c:418:25: warning: implicit declaration of function ‘X509_get_notAfter’; did you mean ‘X509_getm_notAfter’? [-Wimplicit-function-declaration]
     ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
                         ^~~~~~~~~~~~~~~~~
                         X509_getm_notAfter
ssl_openssl.c:418:25: warning: passing argument 1 of ‘X509_cmp_time’ makes pointer from integer without a cast [-Wint-conversion]
In file included from /usr/local/openssl11/include/openssl/pem.h:17:0,
                 from /usr/local/openssl11/include/openssl/ssl.h:55,
                 from ssl_openssl.h:32,
                 from ssl_backend.h:36,
                 from ssl_openssl.c:44:
/usr/local/openssl11/include/openssl/x509.h:474:5: note: expected ‘const ASN1_TIME * {aka const struct asn1_string_st *}’ but argument is of type ‘int’
 int X509_cmp_time(const ASN1_TIME *s, time_t *t);
     ^~~~~~~~~~~~~
In file included from errlevel.h:27:0,
                 from ssl_openssl.c:39:
ssl_openssl.c: In function ‘tls_ctx_load_dh_params’:
ssl_openssl.c:474:13: warning: implicit declaration of function ‘DH_size’; did you mean ‘dysize’? [-Wimplicit-function-declaration]
         8 * DH_size(dh));
             ^
error.h:151:67: note: in definition of macro ‘msg’
 #define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false)
                                                                   ^~~~~~~~~~~
ssl_openssl.c:476:5: warning: implicit declaration of function ‘DH_free’; did you mean ‘gc_free’? [-Wimplicit-function-declaration]
     DH_free(dh);
     ^~~~~~~
     gc_free
ssl_openssl.c: In function ‘tls_ctx_load_ecdh_params’:
ssl_openssl.c:502:9: warning: implicit declaration of function ‘SSL_CTX_set_ecdh_auto’; did you mean ‘SSL_CTX_set_dh_auto’? [-Wimplicit-function-declaration]
         SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
         ^~~~~~~~~~~~~~~~~~~~~
         SSL_CTX_set_dh_auto
ssl_openssl.c: In function ‘openvpn_extkey_rsa_finish’:
ssl_openssl.c:973:30: warning: implicit declaration of function ‘RSA_get_method’; did you mean ‘SSL_get_ssl_method’? [-Wimplicit-function-declaration]
     const RSA_METHOD *meth = RSA_get_method(rsa);
                              ^~~~~~~~~~~~~~
                              SSL_get_ssl_method
ssl_openssl.c:973:30: warning: initialization makes pointer from integer without a cast [-Wint-conversion]
ssl_openssl.c:974:5: warning: implicit declaration of function ‘RSA_meth_free’; did you mean ‘BIO_meth_free’? [-Wimplicit-function-declaration]
     RSA_meth_free((RSA_METHOD *)meth);
     ^~~~~~~~~~~~~
     BIO_meth_free
ssl_openssl.c: In function ‘rsa_priv_enc’:
ssl_openssl.c:988:20: error: ‘RSA_PKCS1_PADDING’ undeclared (first use in this function); did you mean ‘i2d_PKCS12_SAFEBAG’?
     if (padding != RSA_PKCS1_PADDING)
                    ^~~~~~~~~~~~~~~~~
                    i2d_PKCS12_SAFEBAG
ssl_openssl.c:988:20: note: each undeclared identifier is reported only once for each function it appears in
In file included from ssl_openssl.c:55:0:
openssl_compat.h:647:46: error: ‘RSA_F_RSA_EAY_PRIVATE_ENCRYPT’ undeclared (first use in this function); did you mean ‘RSA_F_RSA_OSSL_PRIVATE_ENCRYPT’?
 #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
                                              ^
/usr/local/openssl11/include/openssl/err.h:29:59: note: in definition of macro ‘ERR_PUT_error’
 # define ERR_PUT_error(a,b,c,d,e)        ERR_put_error(a,b,c,d,e)
                                                           ^
ssl_openssl.c:990:9: note: in expansion of macro ‘RSAerr’
         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         ^~~~~~
ssl_openssl.c:990:16: note: in expansion of macro ‘RSA_F_RSA_OSSL_PRIVATE_ENCRYPT’
         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl_openssl.c:990:48: error: ‘RSA_R_UNKNOWN_PADDING_TYPE’ undeclared (first use in this function); did you mean ‘SSL_R_UNKNOWN_ALERT_TYPE’?
         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
                                                ^
/usr/local/openssl11/include/openssl/err.h:29:61: note: in definition of macro ‘ERR_PUT_error’
 # define ERR_PUT_error(a,b,c,d,e)        ERR_put_error(a,b,c,d,e)
                                                             ^
ssl_openssl.c:990:9: note: in expansion of macro ‘RSAerr’
         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         ^~~~~~
ssl_openssl.c:1011:11: warning: implicit declaration of function ‘RSA_size’; did you mean ‘HMAC_size’? [-Wimplicit-function-declaration]
     len = RSA_size(rsa);
           ^~~~~~~~
           HMAC_size
ssl_openssl.c: In function ‘tls_ctx_use_external_private_key’:
ssl_openssl.c:1048:16: warning: implicit declaration of function ‘RSA_meth_new’; did you mean ‘BIO_meth_new’? [-Wimplicit-function-declaration]
     rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
                ^~~~~~~~~~~~
                BIO_meth_new
ssl_openssl.c:1049:29: error: ‘RSA_METHOD_FLAG_NO_CHECK’ undeclared (first use in this function); did you mean ‘SSL_SECOP_SIGALG_CHECK’?
                             RSA_METHOD_FLAG_NO_CHECK);
                             ^~~~~~~~~~~~~~~~~~~~~~~~
                             SSL_SECOP_SIGALG_CHECK
ssl_openssl.c:1051:5: warning: implicit declaration of function ‘RSA_meth_set_pub_enc’; did you mean ‘BIO_meth_set_puts’? [-Wimplicit-function-declaration]
     RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
     ^~~~~~~~~~~~~~~~~~~~
     BIO_meth_set_puts
ssl_openssl.c:1052:5: warning: implicit declaration of function ‘RSA_meth_set_pub_dec’; did you mean ‘BIO_meth_set_puts’? [-Wimplicit-function-declaration]
     RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
     ^~~~~~~~~~~~~~~~~~~~
     BIO_meth_set_puts
ssl_openssl.c:1053:5: warning: implicit declaration of function ‘RSA_meth_set_priv_enc’; did you mean ‘BIO_meth_set_write’? [-Wimplicit-function-declaration]
     RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
     ^~~~~~~~~~~~~~~~~~~~~
     BIO_meth_set_write
ssl_openssl.c:1054:5: warning: implicit declaration of function ‘RSA_meth_set_priv_dec’; did you mean ‘BIO_meth_set_write’? [-Wimplicit-function-declaration]
     RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
     ^~~~~~~~~~~~~~~~~~~~~
     BIO_meth_set_write
ssl_openssl.c:1055:5: warning: implicit declaration of function ‘RSA_meth_set_init’; did you mean ‘EVP_MD_meth_set_init’? [-Wimplicit-function-declaration]
     RSA_meth_set_init(rsa_meth, NULL);
     ^~~~~~~~~~~~~~~~~
     EVP_MD_meth_set_init
ssl_openssl.c:1056:5: warning: implicit declaration of function ‘RSA_meth_set_finish’; did you mean ‘BIO_meth_set_gets’? [-Wimplicit-function-declaration]
     RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
     ^~~~~~~~~~~~~~~~~~~
     BIO_meth_set_gets
ssl_openssl.c:1057:5: warning: implicit declaration of function ‘RSA_meth_set0_app_data’; did you mean ‘SSL_CTX_set_app_data’? [-Wimplicit-function-declaration]
     RSA_meth_set0_app_data(rsa_meth, NULL);
     ^~~~~~~~~~~~~~~~~~~~~~
     SSL_CTX_set_app_data
ssl_openssl.c:1060:11: warning: implicit declaration of function ‘RSA_new’; did you mean ‘SSL_new’? [-Wimplicit-function-declaration]
     rsa = RSA_new();
           ^~~~~~~
           SSL_new
ssl_openssl.c:1060:9: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     rsa = RSA_new();
         ^
ssl_openssl.c:1082:5: warning: implicit declaration of function ‘RSA_get0_key’; did you mean ‘SSL_get0_dane’? [-Wimplicit-function-declaration]
     RSA_get0_key(pub_rsa, &n, &e, NULL);
     ^~~~~~~~~~~~
     SSL_get0_dane
ssl_openssl.c:1083:5: warning: implicit declaration of function ‘RSA_set0_key’; did you mean ‘SSL_set_bio’? [-Wimplicit-function-declaration]
     RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
     ^~~~~~~~~~~~
     SSL_set_bio
ssl_openssl.c:1083:23: warning: implicit declaration of function ‘BN_dup’; did you mean ‘OBJ_dup’? [-Wimplicit-function-declaration]
     RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
                       ^~~~~~
                       OBJ_dup
ssl_openssl.c:1084:5: warning: implicit declaration of function ‘RSA_set_flags’; did you mean ‘BIO_set_flags’? [-Wimplicit-function-declaration]
     RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
     ^~~~~~~~~~~~~
     BIO_set_flags
ssl_openssl.c:1084:24: warning: implicit declaration of function ‘RSA_flags’; did you mean ‘ifr_flags’? [-Wimplicit-function-declaration]
     RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
                        ^~~~~~~~~
                        ifr_flags
ssl_openssl.c:1084:41: error: ‘RSA_FLAG_EXT_PKEY’ undeclared (first use in this function); did you mean ‘SSL_F_SSL_SET_PKEY’?
     RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
                                         ^~~~~~~~~~~~~~~~~
                                         SSL_F_SSL_SET_PKEY
ssl_openssl.c:1085:10: warning: implicit declaration of function ‘RSA_set_method’; did you mean ‘SSL_set_ssl_method’? [-Wimplicit-function-declaration]
     if (!RSA_set_method(rsa, rsa_meth))
          ^~~~~~~~~~~~~~
          SSL_set_ssl_method
ssl_openssl.c:1097:5: warning: implicit declaration of function ‘RSA_free’; did you mean ‘SSL_free’? [-Wimplicit-function-declaration]
     RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
     ^~~~~~~~
     SSL_free
ssl_openssl.c: In function ‘key_state_ssl_init’:
ssl_openssl.c:1542:30: warning: passing argument 1 of ‘getbio’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
     ks_ssl->ssl_bio = getbio(BIO_f_ssl(), "ssl_bio");
                              ^~~~~~~~~
ssl_openssl.c:1390:1: note: expected ‘BIO_METHOD * {aka struct bio_method_st *}’ but argument is of type ‘const BIO_METHOD * {aka const struct bio_method_st *}’
 getbio(BIO_METHOD *type, const char *desc)
 ^~~~~~
ssl_openssl.c:1543:28: warning: passing argument 1 of ‘getbio’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
     ks_ssl->ct_in = getbio(BIO_s_mem(), "ct_in");
                            ^~~~~~~~~
ssl_openssl.c:1390:1: note: expected ‘BIO_METHOD * {aka struct bio_method_st *}’ but argument is of type ‘const BIO_METHOD * {aka const struct bio_method_st *}’
 getbio(BIO_METHOD *type, const char *desc)
 ^~~~~~
ssl_openssl.c:1544:29: warning: passing argument 1 of ‘getbio’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
     ks_ssl->ct_out = getbio(BIO_s_mem(), "ct_out");
                             ^~~~~~~~~
ssl_openssl.c:1390:1: note: expected ‘BIO_METHOD * {aka struct bio_method_st *}’ but argument is of type ‘const BIO_METHOD * {aka const struct bio_method_st *}’
 getbio(BIO_METHOD *type, const char *desc)
 ^~~~~~
ssl_openssl.c: In function ‘print_details’:
ssl_openssl.c:1689:34: warning: implicit declaration of function ‘RSA_bits’ [-Wimplicit-function-declaration]
                                  RSA_bits(rsa));
                                  ^~~~~~~~
ssl_openssl.c:1695:34: warning: implicit declaration of function ‘DSA_bits’ [-Wimplicit-function-declaration]
                                  DSA_bits(dsa));
                                  ^~~~~~~~
ssl_openssl.c: In function ‘get_ssl_library_version’:
ssl_openssl.c:1838:12: warning: implicit declaration of function ‘SSLeay_version’; did you mean ‘SSL_version’? [-Wimplicit-function-declaration]
     return SSLeay_version(SSLEAY_VERSION);
            ^~~~~~~~~~~~~~
            SSL_version
ssl_openssl.c:1838:27: error: ‘SSLEAY_VERSION’ undeclared (first use in this function); did you mean ‘SSL2_VERSION’?
     return SSLeay_version(SSLEAY_VERSION);
                           ^~~~~~~~~~~~~~
                           SSL2_VERSION
ssl_openssl.c:1839:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
Makefile:673: recipe for target 'ssl_openssl.o' failed
make[3]: *** [ssl_openssl.o] Error 1
make[3]: *** Waiting for unfinished jobs....
mv -f .deps/socket.Tpo .deps/socket.Po
mv -f .deps/ssl_verify.Tpo .deps/ssl_verify.Po
mv -f .deps/ssl.Tpo .deps/ssl.Po
mv -f .deps/options.Tpo .deps/options.Po
make[3]: Leaving directory '/usr/local/src/openvpn/src/openvpn'
Makefile:429: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/usr/local/src/openvpn/src'
Makefile:614: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/usr/local/src/openvpn'
Makefile:502: recipe for target 'all' failed
make: *** [all] Error 2
```

as the code's still using clearly deprecated calls

https://www.openssl.org/docs/man1.1.0/crypto/OpenSSL_add_all_algorithms.html
comment:15 Changed 7 years ago by
these errors very much look like you have openssl 1.0 installed in /usr/{include,lib} or /usr/local/{include,lib} and configure is picking up the wrong library when searching for "which functions are available and which are not".
How are you calling configure? What does it output regarding openssl?
comment:16 Changed 7 years ago by
> these errors very much look like you have openssl 1.0 installed in /usr/{include,lib} or /usr/local/{include,lib} and configure is picking up the wrong library when searching for "which functions are available and which are not".

Yep, there *is* a system-installed openssl.

I, OTOH, have 'external' instances of openssl v1.0.2 & v1.1.0 in

/usr/local/openssl10

&

/usr/local/openssl11

respectively, that I'm linking against.

I.e.,

```
find /usr/ | egrep "libssl.so|libcrypto.so" | grep -v "/src/"
!! /usr/lib64/libcrypto.so
!! /usr/lib64/libssl.so
/usr/local/openssl10/lib64/libcrypto.so
/usr/local/openssl10/lib64/libcrypto.so.1.0.0
/usr/local/openssl10/lib64/libssl.so
/usr/local/openssl10/lib64/libssl.so.1.0.0
/usr/local/openssl11/lib64/libcrypto.so
/usr/local/openssl11/lib64/libcrypto.so.1.1
/usr/local/openssl11/lib64/libssl.so
/usr/local/openssl11/lib64/libssl.so.1.1
```

> How are you calling configure? What does it output regarding openssl?

with either

```
case = openssl v1.0.2
export OPENSSL_CFLAGS="-I/usr/local/include -I/usr/local/openssl10/include -I/usr/include"
export OPENSSL_LIBS="-L/usr/local/openssl10/lib64 -Wl,-rpath,/usr/local/openssl10/lib64 -lssl -lcrypto"
```

or

```
case = openssl v1.1.0
export OPENSSL_CFLAGS="-I/usr/local/include -I/usr/local/openssl11/include -I/usr/include"
export OPENSSL_LIBS="-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto"
```

I call configure as

```
./configure \
  --prefix=/usr/local/openvpn \
  --libdir=/usr/local/openvpn/lib64 \
  --enable-shared --disable-static \
  --with-gnu-ld \
  --with-crypto-library=openssl \
  --enable-crypto \
  --enable-x509-alt-username \
  --enable-systemd \
  --disable-multihome \
  --enable-iproute2 \
  --with-mem-check=no \
  --disable-selinux \
  --enable-lzo \
  --enable-lz4
```

then

```
make
make install
```

In the openssl v1.0.2 case, all works well enough

```
ldd /usr/local/openvpn/sbin/openvpn | egrep -i "ssl|crypto"
        libssl.so.1.0.0 => /usr/local/openssl10/lib64/libssl.so.1.0.0 (0x00007fea5288f000)
        libcrypto.so.1.0.0 => /usr/local/openssl10/lib64/libcrypto.so.1.0.0 (0x00007fea52406000)

/usr/local/openvpn/sbin/openvpn --version
OpenVPN 2.5_git [git:master/5fd8e94d31182557] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Sep 9 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
```

but in the openssl v1.1.0 case, fails as reported above

'./configure ...' output for the v1.1.0 case includes

```
...
checking for PKCS11_HELPER... no
checking additionally if OpenSSL is available and version >= 1.0.1... ok
checking for SSL_CTX_new... yes
checking for EVP_CIPHER_CTX_set_key_length... yes
checking for ENGINE_load_builtin_engines... yes
checking for ENGINE_register_all_complete... yes
checking for ENGINE_cleanup... no
checking for EVP_aes_256_gcm... yes
checking for HMAC_CTX_new... yes
checking for HMAC_CTX_free... yes
checking for HMAC_CTX_reset... yes
checking for EVP_MD_CTX_new... yes
checking for EVP_MD_CTX_free... yes
checking for EVP_MD_CTX_reset... yes
checking for SSL_CTX_get_default_passwd_cb... yes
checking for SSL_CTX_get_default_passwd_cb_userdata... yes
checking for X509_get0_pubkey... yes
checking for X509_STORE_get0_objects... yes
checking for X509_OBJECT_free... yes
checking for X509_OBJECT_get_type... yes
checking for EVP_PKEY_id... yes
checking for EVP_PKEY_get0_RSA... yes
checking for EVP_PKEY_get0_DSA... yes
checking for EVP_PKEY_get0_EC_KEY... yes
checking for RSA_set_flags... yes
checking for RSA_bits... yes
checking for RSA_get0_key... yes
checking for RSA_set0_key... yes
checking for DSA_get0_pqg... yes
checking for DSA_bits... yes
checking for RSA_meth_new... yes
checking for RSA_meth_free... yes
checking for RSA_meth_set_pub_enc... yes
checking for RSA_meth_set_pub_dec... yes
checking for RSA_meth_set_priv_enc... yes
checking for RSA_meth_set_priv_dec... yes
checking for RSA_meth_set_init... yes
checking for RSA_meth_set_finish... yes
checking for RSA_meth_set0_app_data... yes
checking for EC_GROUP_order_bits... yes
...
```

and, config.log:

```
egrep -i "ssl|crypto" config.log | grep -vi fstack-protector
  $ ./configure --prefix=/usr/local/openvpn --libdir=/usr/local/openvpn/lib64 --enable-shared --disable-static --with-gnu-ld --with-crypto-library=openssl --enable-crypto --enable-x509-alt-username --enable-systemd --disable-multihome --enable-iproute2 --with-mem-check=no --disable-selinux --enable-lzo --enable-lz4
PATH: /usr/local/openssl11/bin
configure:16555: checking additionally if OpenSSL is available and version >= 1.0.1
configure:16589: checking for SSL_CTX_new
| #define HAVE_SSL_CTX_NEW 1
configure:16681: checking for SSL_CTX_get_default_passwd_cb
configure:16681: checking for SSL_CTX_get_default_passwd_cb_userdata
ac_cv_env_OPENSSL_CFLAGS_set=set
ac_cv_env_OPENSSL_CFLAGS_value='-I/usr/local/include -I/usr/local/openssl11/include -I/usr/include'
ac_cv_env_OPENSSL_LIBS_set=set
ac_cv_env_OPENSSL_LIBS_value=' -L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto '
ac_cv_env_PKG_CONFIG_PATH_value=/usr/local/openssl11/lib64/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/lib/pkgconfig
ac_cv_func_SSL_CTX_get_default_passwd_cb=yes
ac_cv_func_SSL_CTX_get_default_passwd_cb_userdata=yes
ac_cv_func_SSL_CTX_new=yes
ENABLE_CRYPTO_FALSE='#'
ENABLE_CRYPTO_TRUE=''
OPENSSL_CFLAGS='-I/usr/local/include -I/usr/local/openssl11/include -I/usr/include'
OPENSSL_LIBS=' -L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto '
OPTIONAL_CRYPTO_CFLAGS=' -I/usr/local/include -I/usr/local/openssl11/include -I/usr/include'
OPTIONAL_CRYPTO_LIBS=' -L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl -lcrypto '
PKG_CONFIG_PATH='/usr/local/openssl11/lib64/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/lib/pkgconfig'
#define HAVE_SSL_CTX_NEW 1
#define HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB 1
#define HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA 1
#define ENABLE_CRYPTO_OPENSSL 1
#define ENABLE_CRYPTO 1
#define CONFIGURE_DEFINES "enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no"
```
2.3 will never receive support for OpenSSL 1.1.x
2.4 might, but we haven't agreed on a timeline yet.