OpenSSL 3.0?

Colin 't Hart

Feb 16, 2023, 9:27:33 AM
to tunnelblick-discuss
OpenVPN 2.6 includes support for OpenSSL 3.0.
Is there a reason why the beta build for Tunnelblick 4 doesn't include it?

Thanks,

Colin

Tunnelblick developer

Feb 16, 2023, 9:42:07 AM
to tunnelblick-discuss
OpenSSL 1.1.1 is supported until 2023-11-11, so in my view there's no rush, and nobody else has done it yet.

Colin 't Hart

Feb 17, 2023, 3:07:47 AM
to tunnelblick-discuss
What do you mean by "Nobody else has done it yet"?

The community edition of OpenVPN for Windows includes OpenSSL 3.0.7
Ubuntu 22.04 still includes OpenVPN 2.5.5, but using OpenSSL 3.0.2

If you mean that nobody else has gotten it compiled for use with Tunnelblick and submitted necessary patches, I could give it a try.

/Colin

Tunnelblick developer

Feb 17, 2023, 6:04:03 AM
to tunnelblick-discuss
Yes, I mean nobody else has gotten it compiled and integrated into Tunnelblick's build system.

It would be great if someone submits a pull request doing that.

To help get you started:
  • OpenSSL 3 should be built and incorporated into OpenVPN 2.6 in addition to, not in place of, OpenSSL 1.1.1. (That gives users an easy way to switch SSL libraries if/when there are unpatched vulnerabilities or bugs in one library or the other.)
  • A copy of openssl-3.0.8.tar.gz (or whatever is current) should be added to third_party/sources (after verifying it's a good copy). (We don't use the now common practice of downloading source code at build time.)
  • third_party/Makefile should define OPENSSL_3_0_NAME, OPENVPN_OPENSSL_3_0_TARGET_ARCHS, and OPENSSL_3_0_STAGING_DIR, and modify OPENVPN_2_6_SSL_LIBRARIES_TEST so it allows OpenVPN 2.6 to be built with OpenSSL 3 in addition to OpenSSL 1.1.1 (like OPENVPN_2_3_SSL_LIBRARIES_TEST allows OpenVPN 2.3 to be built with both OpenSSL 1.0 and LibreSSL).
  • third_party/Makefiles/Makefile-allssl should use those variables to build OpenSSL 3. (I'm hoping that no patches will need to be applied to OpenSSL 3, but if they are needed, please use the existing patch structure.)
  • third_party/Makefiles/Makefile-openvpn should use those variables to build a copy of OpenVPN 2.6 using OpenSSL 3.
  • In general, look for variables in those three files that contain "OPENSSL_1_1" and make corresponding additions or changes using OPENSSL_3_0_* variables.