Build OpenVPN with specific OpenSSL version
Solution 1
Below is the procedure I used to build OpenVPN with OpenSSL 1.0.2. OpenSSL 1.0.1 vs. 1.0.2 vs. 1.1.0 should not matter. However, some Configure scripts die on OpenSSL 1.1.0 because 1.1.0 uses OPENSSL_init_ssl rather than SSL_library_init. Note the use of RPATHs on Linux (OS X would use a different technique).
OpenSSL configuration options are mostly documented at Compilation and Installation | Configure Options on their wiki. I did not find similar for OpenVPN, and ./configure --help was not very helpful. Often, for an Autotools project, you need to --with-ssl=<path to ssl root>, but OpenVPN does not appear to have that option. For OpenVPN, the process below went ad hoc using Autotools CFLAGS.
Both libraries disabled compression because it can leak information. For more details, see Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. The problem is the variable bit rate encoding, and the fundamental design is prevalent in other compression libraries (like zlib).
OpenSSL 1.0.2
$ wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
$ tar xzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h
$ ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
$ make -j 4
$ make test
$ sudo make install
# clear program cache
$ hash -r
You can check the openssl program is using the expected shared objects with:
$ ldd /usr/local/ssl/bin/openssl
linux-vdso.so.1 => (0x00007ffc36578000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f94b48fb000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f94b448b000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f94b40c6000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f94b3ec2000)
/lib64/ld-linux-x86-64.so.2 (0x00007f94b4b6c000)
You can also make sure the new openssl is on-path with the following. It's not required for your issue, however.
$ sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
$ hash -r
$ command -v openssl
/usr/local/bin/openssl
OpenVPN 2.3.11
$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
$ tar xzf openvpn-2.3.11.tar.gz
$ cd openvpn-2.3.11
$ CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure --disable-lzo
$ make -j 4
Next, check the OpenVPN program to see what it's linking to:
$ find . -type f -name openvpn
./src/openvpn/openvpn
$ ldd ./src/openvpn/openvpn
linux-vdso.so.1 => (0x00007ffc8bfc4000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f74f437f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)
/lib64/ld-linux-x86-64.so.2 (0x00007f74f4c64000)
Next, run the self tests:
$ make check
...
make[3]: Entering directory `/home/jwalton/openvpn-2.3.11/tests'
./t_client.sh: cannot find 't_client.rc' in build dir ('..')
./t_client.sh: or source directory ('.'). SKIPPING TEST.
SKIP: t_client.sh
Testing cipher AES-128-CBC... OK
Testing cipher AES-128-CFB... OK
Testing cipher AES-128-CFB1... OK
...
Install OpenVPN if it tests OK:
$ sudo make install
$ hash -r
$ command -v openvpn
/usr/local/sbin/openvpn
Finally, check it:
$ /usr/local/sbin/openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Aug 17 2016
library versions: OpenSSL 1.0.2h 3 May 2016
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
...
If interested, you can find a build script to automate the process at Noloader | Build-Scripts. It includes one for OpenVPN.
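The answer above verifies the link step by reading ldd output by eye. The following is an added example (not part of the answer or of the OpenVPN/OpenSSL projects) that turns that inspection into a check which fails when libssl or libcrypto resolve outside the intended prefix, which is exactly the symptom in the question (a build that silently picks up the distro's libssl.so and reports the system OpenSSL version). The expected library directory /usr/local/ssl/lib and the sample ldd lines are taken from the answer; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the answer: assert that a binary resolves
# libssl and libcrypto from the OpenSSL prefix the RPATH was meant to select.

# check_ssl_libs EXPECTED_LIBDIR   (ldd output on stdin)
# Returns 0 only when BOTH libssl and libcrypto resolve under EXPECTED_LIBDIR;
# 1 if either resolves elsewhere (distro copy, "not found") or is absent.
check_ssl_libs() {
    expected="$1"; seen_ssl=0; seen_crypto=0; rc=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*)    seen_ssl=1 ;;
            *libcrypto.so*) seen_crypto=1 ;;
            *) continue ;;                # vdso, libc, libdl, ld.so: irrelevant
        esac
        # Typical line: "libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x...)"
        set -- $line                      # $1 soname, $2 "=>", $3 resolved path
        case "$3" in
            "$expected"/*) ;;             # resolved where the RPATH pointed
            *) echo "unexpected: $line" >&2; rc=1 ;;
        esac
    done
    [ "$seen_ssl" -eq 1 ] && [ "$seen_crypto" -eq 1 ] || rc=1
    return "$rc"
}

# verify_binary BIN EXPECTED_LIBDIR: the same check on a real file (needs ldd).
verify_binary() { ldd "$1" | check_ssl_libs "$2"; }

# Constructed samples: the first mirrors the ldd output shown in the answer,
# the second is what a build linked against the system OpenSSL looks like.
SAMPLE_GOOD='linux-vdso.so.1 => (0x00007ffc8bfc4000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)'
SAMPLE_BAD='libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2)'

if printf '%s\n' "$SAMPLE_GOOD" | check_ssl_libs /usr/local/ssl/lib; then
    echo "sample 1: linked against /usr/local/ssl/lib"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_ssl_libs /usr/local/ssl/lib 2>/dev/null; then
    echo "sample 2: NOT linked against /usr/local/ssl/lib"
fi
```

Run it against the real build with `verify_binary ./src/openvpn/openvpn /usr/local/ssl/lib` before `make install`. Because the recipe relies on the embedded RPATH, `readelf -d ./src/openvpn/openvpn | grep -E 'RPATH|RUNPATH'` is also worth a look: a RUNPATH tag (what --enable-new-dtags produces) is searched after LD_LIBRARY_PATH and can therefore be overridden by the environment, whereas RPATH cannot.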
Solution 2
OpenVPN reports the version of the runtime library, so what you are seeing here is linking/dynamic library behaviour. Probably your ld.so.conf is set up to prefer /usr/lib/*.so over /usr/local/lib/*.so.
Antony
Updated on June 05, 2022
Comments
- Antony almost 2 years:
Similar questions have been asked before, but the answers no longer seem to apply as the flags have changed for the configure script. I am trying to compile OpenVPN from the git source on Ubuntu 14.04.5 on both x86 and x64. I have OpenSSL 1.0.1t built and installed to /usr/local/ssl. I've tried various combinations of the configure options and the compiler seems to recognize since
./configure OPENSSL_LIBS="-L/usr/local/ssl/ -lssl -lcrypto" OPENSSL_CFLAGS="-I/usr/local/ssl/include/"
finishes with no errors, but
./configure OPENSSL_LIBS="-L/usr/local/ssl/" OPENSSL_CFLAGS="-I/usr/local/ssl/include/"
results in configure: error: openssl check failed. Once you do make and make install, it still reports the system version of OpenSSL:
root@anonymous:/usr/local/src/openvpn# openvpn --version
OpenVPN 2.3_git [git:master/d1bd37fd508ee046] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Aug 16 2016
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
System OpenSSL:
root@anonymous:/usr/local/src/openvpn# openssl version
OpenSSL 1.0.1f 6 Jan 2014
Compiled OpenSSL:
root@anonymous:/usr/local/ssl/bin# ./openssl version
OpenSSL 1.0.1t 3 May 2016
I know it has to be something simple, but I saw other users asking about this on the OpenVPN Forums with no responses as of yet.
-
Antony over 7 years: I think you're on the right path. /etc/ld.so.conf just includes the *.conf files in the /etc/ld.so.conf.d directory. In that directory, libc.conf points to /usr/local/lib, but the libraries for OpenSSL do not reside there, so it probably resorts to the system defaults. I'll see what else I can find out.
-
Antony over 7 years: I tried adding both "/usr/local/ssl" or "/usr/local/ssl/lib" to libc.conf and got the same results. At this point, I don't really think it matters since the security fixes in 1.0.1t were backported to 1.0.1f on Ubuntu anyway.
-
Antony over 7 years: I upvoted this, but my rep is too low. I didn't follow the steps exactly, but this got it working. The issue was, first, that I didn't create the *.so files when I compiled OpenSSL the first time. Second, I wasn't linking them properly with configure during the OpenVPN build. I re-compiled OpenSSL with an edited form of the command you listed, checked that it was properly linked, skipped the symbolic link since I'd already done that, and compiled openvpn with the command you gave and it worked just fine. So thank you very much for the comprehensive and correct answer.
-
jww over 7 years: @Antony - I'm guessing (and it's only a guess) that this was not quite right: OPENSSL_CFLAGS="-I/usr/local/ssl/include/". Those CFLAGS needed to be applied to the entire OpenVPN build, and not just some portion of OpenSSL. I'm not even clear what OPENSSL_CFLAGS and OPENSSL_LIBS do because ./configure --help did not explain it; and Installation notes did not explain it.
-
Antony over 7 years: I figured it had to be something along those lines. The old flags used to be OPENSSL_SSL_FLAGS and OPENSSL_CRYPTO_FLAGS, but they were removed in later versions it would seem. The OpenVPN and configure documentation aren't very clear about what they're used for. Thanks again for your help. I'd been wracking my brain for about 2 days trying to figure out what I was doing wrong.
-
jww over 7 years: @Antony - I'm thinking OPENSSL_SSL_FLAGS, OPENSSL_CRYPTO_FLAGS and friends may be for building OpenSSL in-tree. I.e., drop OpenSSL into the <openvpn src> directory, and the OpenVPN build system will build OpenSSL for you. But again, it's only a guess. If it's not that, then I can't think of other reasons those variables would be useful.
-
Duncan Jones over 6 years: Great write-up, thanks. I had to add an additional flag to get the OpenSSL configuration to work: -Wl,--enable-new-dtags,-rpath...
-
jww over 6 years: @DuncanJones - Yeah, Linux is pretty f**k'd up when it comes to library paths. They've been broken 30 years or so now. The Linux folks need to switch to a scheme like Apple's install_name. Things should "just work" for the typical user. Let those who want to swizzle and inject do something special.
-
YouHaveaBigEgo over 6 years: Do I use the same instructions to configure the newer openssl-1.0.2l? I did:
./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
but my build fails when I give the make command. make test fails too.
-
erny over 5 years: Great recipe! I just tried it (OpenVPN 2.4.6) with OS X (10.9.5), linking against openssl (1.0.2p) installed by homebrew. The "-Wl,-rpath=/usr/local/ssl/lib" CFLAGS must be removed:
CFLAGS="-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib" ./configure --disable-lzo
Check the built binary with otool -L ./src/openvpn/openvpn to see what dynamic libs are used. Thx.
-
Admin about 5 years: If going through this kind of trouble, I always keep my libs separate for ease of future maintenance. So I would install openssl into /usr/local/openssl-<version>, openvpn into /usr/local/openvpn-<version>, and do the linking and RPATH'ing specifically to those locations. That way openvpn won't stop working if the /usr/local/ssl library gets upgraded in the future.
-
Houman almost 4 years: @jww Thanks for this brilliant tutorial. After compiling it I get the binary inside /usr/local/sbin/openvpn. But where is the main folder? Do I place the binary and configs under /etc/openvpn/server/?