Build OpenVPN with specific OpenSSL version

c linux compilation openssl openvpn
16,856

Solution 1

Below is the procedure I used to build OpenVPN with OpenSSL 1.0.2. OpenSSL 1.0.1 vs. 1.0.2 vs. 1.1.0 should not matter. However, some Configure scripts dies on OpenSSL 1.1.0 because 1.1.0 uses OPENSSL_init_ssl rather than SSL_library_init. Note the use of RPATH's on Linux (OS X would use a different technique).

OpenSSL configuration options are mostly documented at Compilation and Installation | Configure Options on their wiki. I did not find similar for OpenVPN, and ./configure --help was not very helpful. Often, for an Autools project, you need to --with-ssl=<path to ssl root>, but OpenVPN does not appear to have that option. For OpenVPN, the process below went adhoc using Autools CFLAGS.

Both libraries disabled compression because it can leak information. For more details, see Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. The problem is the variable bit rate encoding, and the fundamental design is prevalent in other compression libraries (like zlib).

OpenSSL 1.0.2

$ wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
$ tar xzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h

$ ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
$ make -j 4
$ make test
$ sudo make install

# clear program cache
$ hash -r

You can check the openssl program is using the expected shared objects with:

$ ldd /usr/local/ssl/bin/openssl
    linux-vdso.so.1 =>  (0x00007ffc36578000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f94b48fb000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f94b448b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f94b40c6000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f94b3ec2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f94b4b6c000)

You can also make sure the new openssl is on-path with the following. Its not required for your issue, however.

$ sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
$ hash -r
$ command -v openssl
/usr/local/bin/openssl

OpenVPN 2.3.11

$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
$ tar xzf openvpn-2.3.11.tar.gz
$ cd openvpn-2.3.11

$ CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure --disable-lzo
$ make -j 4

Next, check the OpenVPN program to see what its linking to:

$ find . -type f -name openvpn
./src/openvpn/openvpn
$ ldd ./src/openvpn/openvpn
    linux-vdso.so.1 =>  (0x00007ffc8bfc4000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f74f437f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f74f4c64000)

Next, run the self tests:

$ make check
...
make[3]: Entering directory `/home/jwalton/openvpn-2.3.11/tests'
./t_client.sh: cannot find 't_client.rc' in build dir ('..')
./t_client.sh: or source directory ('.'). SKIPPING TEST.
SKIP: t_client.sh
Testing cipher AES-128-CBC... OK
Testing cipher AES-128-CFB... OK
Testing cipher AES-128-CFB1... OK
...

Install OpenVPN if it tests OK:

$ sudo make install
$ hash -r
$ command -v openvpn
/usr/local/sbin/openvpn

Finally, check it:

$ /usr/local/sbin/openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Aug 17 2016
library versions: OpenSSL 1.0.2h  3 May 2016
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
...

If interested, you can find a build script to automate the process at Noloader | Build-Scripts. It includes one for OpenVPN.

Solution 2

OpenVPN reports the version of the runtime library, so what you are seeing here is linking/dynamic library behaviour. Probably your ld.so.conf is setup to prefer /usr/lib/.so over /usr/local/lib/.so

Share:
16,856
Antony
Author by

Antony

Updated on June 05, 2022

Comments

  • Antony
    Antony almost 2 years

    Similar questions have been asked before, but the answers no longer seem to apply as the flags have changed for the configure script. I am trying to compile OpenVPN from the git source on Ubuntu 14.04.5 on both x86 and x64. I have OpenSSL 1.0.1t built and installed to /usr/local/ssl. I've tried various combinations of the configure options and the compiler seems to recognize since

    ./configure OPENSSL_LIBS="-L/usr/local/ssl/ -lssl -lcrypto" OPENSSL_CFLAGS="-I/usr/local/ssl/include/"

    finishes with no errors, but ./configure OPENSSL_LIBS="-L/usr/local/ssl/" OPENSSL_CFLAGS="-I/usr/local/ssl/include/" results in configure: error: openssl check failed. Once you do make and make install, it still reports the system version of OpenSSL: 

    root@anonymous:/usr/local/src/openvpn# openvpn --version
OpenVPN 2.3_git [git:master/d1bd37fd508ee046] x86_64-unknown-linux-gnu [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Aug 16 2016
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes
enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown
enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes
enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes
enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no
enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes
enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no
enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no
enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no
 enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl
with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

    System OpenSSL:

    root@anonymous:/usr/local/src/openvpn# openssl version

OpenSSL 1.0.1f 6 Jan 2014

    Compiled OpenSSL:

    root@anonymous:/usr/local/ssl/bin# ./openssl version

OpenSSL 1.0.1t  3 May 2016

    I know it has to be something simple, but I saw other users asking about this on the OpenVPN Forums with no responses as of yet.

  • Antony
    Antony over 7 years
    I think you're on the right path. /etc/ld.so.conf just includes the *.conf files in the /etc/ld.so.conf.d directory. In that directory, libc.conf points to /usr/local/lib, but the libraries for OpenSSL do not reside there, so it probably resorts to the system defaults. I'll see what else I can find out.
  • Antony
    Antony over 7 years
    I tried adding both "/usr/local/ssl" or "/usr/local/ssl/lib" to libc.conf and got the same results. At this point, I don't really think it matters since the security fixes in 1.0.1t were backported to 1.0.1f on Ubuntu anyway.
  • Antony
    Antony over 7 years
    I upvoted this, but my rep is too low. I didn't follow the steps exactly, but this got it working. The issue was, first that I didn't create the *.so files when I compiled OpenSSL the first time. Second, I wasn't linking them properly with configure during the OpenVPN build. I re-compiled OpenSSL with an edited form of the command you listed, checked that it was properly linked, skipped the symbolic link since I'd already done that, and compiled openvpn with the command you gave and it worked just fine. So thank you very much for the comprehensive and correct answer.
  • jww
    jww over 7 years
    @Antony - I'm guessing (and its only a guess) that this was not quite right: OPENSSL_CFLAGS="-I/usr/local/ssl/include/". Those CFLAGS needed to be applied to the entire OpenVPN build, and not just some portion of OpenSSL. I'm not even clear what OPENSSL_CFLAGS and OPENSSL_LIBS does because ./configure --help did not explain it; and Installation notes did not explain it.
  • Antony
    Antony over 7 years
    I figured it had to be something along those lines. The old flags used to be OPENSSL_SSL_FLAGS and OPENSSL_CRYPTO_FLAGS, but they were removed in later versions it would seem. The OpenVPN and configure documentation aren't very clear about what they're used for. Thanks again for your help. I'd been wracking my brain for about 2 days trying to figure out what I was doing wrong.
  • jww
    jww over 7 years
    @Antony - I'm thinking OPENSSL_SSL_FLAGS, OPENSSL_CRYPTO_FLAGS and friends may be for building OpenSSL in-tree. I.e., drop OpenSSL into the <openvpn src> directory, and the OpenVPN build system will build OpenSSL for you. But again, its only a guess. If its not that, then I can't think of other reasons those variables would be useful.
  • Duncan Jones
    Duncan Jones over 6 years
    Great write up, thanks. I had to add an additional flag to get the OpenSSL configuration to work: -Wl,--enable-new-dtags,-rpath....
  • jww
    jww over 6 years
    @DuncanJones - Yeah, Linux is pretty f**k'd up when it comes to library paths. They've been broken 30 years or so now. The Linux folks need to switch to a scheme like Apple's install_name. Things should "just work" for the typical user. Let those who want to swizzle and inject do something special.
  • YouHaveaBigEgo
    YouHaveaBigEgo over 6 years
    Do I use the same instructions to configure the newer openssl-1.0.2l ? I did: ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl but my build fails when I give the make command. make test fails too
  • erny
    erny over 5 years
    Great recipe! I just tried it (OpenVPN 2.4.6) with OS X (10.9.5), linking against openssl (1.0.2p) installed by homebrew. The "-Wl,-rpath=/usr/local/ssl/lib" CFLAGS must be removed: CFLAGS="-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib" ./configure --disable-lzo Check the build binary with otool -L ./src/openvpn/openvpn to see what dynamic libs are used. Thx.
  • Admin
    Admin about 5 years
    If going through this kind of trouble I always keep my libs separate for ease of future maintenance. So I would install openssl into /usr/local/openssl-<version>, openvpn onto /usr/local/openvpn-<version> and do the linking and RPATH'ing specifically to those locations. That way openvpn won't stop working if the /usr/local/ssl's library gets upgraded in the future.
  • Houman
    Houman almost 4 years
    @jww Thanks for this brilliant tutorial. After compiling it I get the binary inside /usr/local/sbin/openvpn. But where is the main folder? Do I place the binary and configs under /etc/openvpn/server/ ?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

No reference to BIO-functions when linking OpenSSL
How to compile PHP with new OpenSSL library
Can't link OpenSSL code
KEY_CONFIG pointing to the wrong version of openssl.cnf
How to compile C and Gtk+ with GCC on Linux?
OpenSSL Linking undefined reference 'EVP_MD_CTX_new' and '...fre'
Openssl compile error
OpenSSL using EVP vs. algorithm API for symmetric crypto
Cannot find libcrypto library error
error compiling: linux/module.h: No such file or directory