Request for feature


Molina-Bulla Harold

Dec 14, 2017, 7:08:21 AM
to tunnelbli...@googlegroups.com
Hi Jonathan and Everybody!

This is a feature request (if it is possible!).

Since macOS High Sierra and the incompatibility between LibreSSL and OpenSSL versions, when my users update the Tunnelblick program, they have to reconfigure the profiles in order to re-select the OpenSSL versions of OpenVPN.

Is it possible that, when a new version is installed, it automatically checks the last library version in order to set up the correct OpenVPN client?

Thanks in advance

H.

-----------------------------------------------------------------
- "Does Big Brother exist?" - Winston
- "Of course he exists. The Party exists. Big Brother is the
  embodiment of the Party." - O'Brien
- "Does he exist in the same way as I exist?" - Winston
- "You do not exist." - O'Brien

George Orwell (1984)
-----------------------------------------------------------------
Remember: PRISM is watching you!!! X)
And you do not exist!!!
-----------------------------------------------------------------
Harold Molina-Bulla Ph.D.
h.mo...@gmail.org
GnuPG key: 9D781176








Tunnelblick developer

Dec 14, 2017, 9:04:38 AM
to tunnelblick-discuss
Hi Harold -- it's good to hear from you.

The fact that macOS High Sierra uses LibreSSL instead of OpenSSL shouldn't matter, because Tunnelblick includes its own copies of both libraries and uses them. It does not use the OpenSSL or LibreSSL provided by macOS.

Does it help that the latest Tunnelblick beta defaults to use OpenVPN 2.4 with OpenSSL? The latest stable version will also default to 2.4, and I expect to release it later this month.

Perhaps I should be quicker to switch the default to new versions of OpenVPN when they appear. The problem with that is that lots of people need to use older versions because their configurations are old. They tend to be the less sophisticated users, too, so often just think that a Tunnelblick update is broken when it uses a different minor version of OpenVPN (e.g. 2.2 vs. 2.1, 2.3 vs 2.2, and now 2.4 vs. 2.3) as the default. So they end up using an old version of Tunnelblick, which contains old versions of OpenSSL or LibreSSL with vulnerabilities.

When OpenVPN drops support for LibreSSL this whole discussion will be moot. Support for LibreSSL will be dropped in OpenVPN 2.6, according to the latest OpenVPN developers chat (https://sourceforge.net/p/openvpn/mailman/message/36156383).

That said, I will continue thinking about your suggestion, which I am interpreting as follows:

If the user specifies a specific version of OpenVPN (as opposed to the "default" or "latest" versions), and that version is not available, Tunnelblick will change to use the latest version of OpenVPN with OpenSSL if the specified version used OpenSSL, or the latest version of OpenVPN with LibreSSL if the specified version used LibreSSL.

As long as I'm doing that, I could have Tunnelblick try to use a version of OpenVPN that is the same minor version as the old version. (That is, use 2.3.18 if 2.3.17 isn't available, or 2.4.4 if 2.4.3 isn't available.)

An alternative would be splitting the "Latest" choice into "Latest with OpenSSL" and "Latest with LibreSSL". As long as I'm doing that, I'd change "Default" to "Default with OpenSSL" and add "Default with LibreSSL" for completeness. That's less automatic but more transparent about what is going on.

I'm not sure I want to do any of this, but I'll think about it.
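
The fallback rule described in the post above (keep the same SSL library, prefer the same minor version, otherwise take the latest), sketched as an added Python example. It is not Tunnelblick's code; the `version-library-libversion` naming, the sample build list, and the `parse` and `best_match` helpers are assumptions made for illustration.

```python
import re

# Constructed sample: OpenVPN builds bundled with a hypothetical new release.
AVAILABLE = [
    "2.3.18-openssl-1.0.2n", "2.3.18-libressl-2.6.3",
    "2.4.4-openssl-1.0.2n", "2.4.4-libressl-2.6.3",
]

def parse(name):
    """Split an assumed 'X.Y.Z-library-libversion' name into ((X, Y, Z), library)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(openssl|libressl)-(\S+)", name)
    if not m:
        raise ValueError(f"unrecognised build name: {name!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)

def best_match(requested, available):
    """Return the build to use when `requested` may be missing, or None."""
    if requested in available:
        return requested
    req_ver, req_ssl = parse(requested)
    # Never switch SSL library silently: only builds with the same one qualify.
    same_ssl = [(parse(a)[0], a) for a in available if parse(a)[1] == req_ssl]
    if not same_ssl:
        return None  # caller must ask the user instead of guessing
    # Prefer the same major.minor (2.3.17 -> 2.3.18), else any version.
    same_minor = [c for c in same_ssl if c[0][:2] == req_ver[:2]]
    # Compare version tuples numerically; do not rely on list order or
    # string order, where "2.10.0" would sort before "2.9.1".
    return max(same_minor or same_ssl)[1]

if __name__ == "__main__":
    for wanted in ("2.3.17-openssl-1.0.2k", "2.2.1-libressl-2.5.0"):
        print(wanted, "->", best_match(wanted, AVAILABLE))
```

Returning `None` when no build with the requested library exists keeps the choice visible to the user, which matters once a release no longer ships LibreSSL builds.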

Tunnelblick developer

Dec 30, 2017, 7:48:09 PM
to tunnelblick-discuss
The latest Tunnelblick beta includes better selection of a "best match" for a version of OpenVPN and SSL library when the user has specified a specific OpenVPN/SSL which is not available in the new version of Tunnelblick.

Tunnelblick developer

Jan 10, 2018, 7:03:11 AM
to tunnelblick-discuss
Actually, the latest beta has a bug such that Tunnelblick says it is selecting a better version, but actually, it just selects the last version : (

Fixed in the source code, it will be in the next release.