Implement OpenSSL 1.0.2l in current tunnelblick version


dtv4251

Dec 9, 2022, 4:12:40 PM
to tunnelblick-discuss
Hello all,

we have a Sophos Firewall and use the old outdated Sophos SSL VPN client for our Windows devices, which still relies on OpenSSL 1.0.2l. Since we do not want to swap the certificates of 150 employees and the security is ensured by OTP tokens, we have been running it this way for years.

Unfortunately, we are unable to connect on our Macs with Tunnelblick 3.8.8 because even the oldest selectable OpenVPN/SSL version (2.3.18 / 1.0.2u) no longer accepts our Sophos' certificates. The oldest supported version is OpenSSL 1.0.2l, which was last included in Tunnelblick 3.7.3.

Question: Is it somehow possible to implement this old OpenSSL version into the current Tunnelblick version at our own risk?

Tunnelblick developer

Dec 9, 2022, 5:41:57 PM
to tunnelblick-discuss
Although Tunnelblick usually uses one of the versions of OpenVPN that are embedded in the Tunnelblick.app, Tunnelblick will also allow the use of any OpenVPN versions that are contained in

     /Library/Application Support/Tunnelblick/Openvpn

and have a specific structure and naming convention.

You might be able to use the OpenVPN/OpenSSL version you want from Tunnelblick 3.7.3, which has the correct structure and naming convention. Look in that version's Tunnelblick.app/Contents/Resources/openvpn folder for a folder with a name like "openvpn-.x.y.z-openssl-10.2l" (not sure what the x.y.z are). Copy that folder into /Library/Application Support/Tunnelblick/Openvpn. (Create it if necessary, and make sure the folder and all its contents are owned by root:wheel.)

The next time any version of Tunnelblick is launched you should see the additional OpenVPN version as a choice in the drop down list of OpenVPN versions.

Two possible catches:
  1. This may not work if the digital signatures on the OpenVPN binaries are not accepted by more recent versions of macOS.
  2. This might work without doing anything on M1 Macs, or it might be necessary to set Tunnelblick.app to "Open using Rosetta" (in the Finder's "Get Info" box for Tunnelblick.app).
Good luck, and please report back with your results.
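
A check for the manual install described in the reply above, as an added example that is not part of the original thread and is not Tunnelblick's own code. It audits the folder for the root:wheel ownership the reply requires, also flags group- or world-writable entries (a check assumed here, not stated in the thread), and lists files whose signature macOS rejects; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Tunnelblick code. Function names are hypothetical.
# Folder named in the thread for extra OpenVPN versions:
OPENVPN_DIR="/Library/Application Support/Tunnelblick/Openvpn"

# audit_tree DIR [OWNER] [GROUP]
# Lists every entry under DIR that is not owned by OWNER:GROUP (default
# root:wheel, as the reply requires) or that is writable by group or others
# (extra check assumed here). Returns 0 if clean, 1 on findings, 2 on error.
audit_tree() {
    dir=$1; owner=${2:-root}; group=${3:-wheel}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Symlinks are skipped for the mode test: their own mode bits are not enforced.
    bad=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" -o \
            \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print) || return 2
    if [ -n "$bad" ]; then
        printf 'fix before launching Tunnelblick:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# report_signatures DIR
# Catch 1 in the reply: list regular files whose signature the running macOS
# rejects. Does nothing where codesign is unavailable.
report_signatures() {
    command -v codesign >/dev/null 2>&1 || return 0
    find "$1" -type f -exec sh -c \
        'codesign --verify "$1" 2>/dev/null || echo "signature not accepted: $1"' sh {} \;
}

# Typical use after copying the folder (run with sudo so every entry is readable):
#   audit_tree "$OPENVPN_DIR" && report_signatures "$OPENVPN_DIR"
```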

dtv4251

Dec 11, 2022, 1:43:57 PM
to tunnelblick-discuss
Thank you very much! We use M1 Macs and Tunnelblick 3.8.8 supports the M1 natively, 3.7.3 logically does not. I would love to test it as you suggested.

Unfortunately, I can no longer find version 3.7.3 on the entire internet. Where could I possibly download it? Unfortunately I don't know anything about Github, compiling etc., so this method is out of the question.

Tunnelblick developer

Dec 11, 2022, 5:40:30 PM
to tunnelblick-discuss
Old versions of Tunnelblick can be obtained by emailing devel...@tunnelblick.net

Tunnelblick developer

Dec 11, 2022, 5:42:27 PM
to tunnelblick-discuss
Google Groups has added some obfuscation to email addresses. You should be able to click on the email address and prove you're human, but if that doesn't work, the address is "developers at tunnelblick.net".

Jim Fracassa

Feb 20, 2023, 4:11:29 PM
to tunnelblick-discuss
Hello,
I think I am having similar problems as described in this thread. I was able to install Tunnelblick 3.8.8 on my boss' new M1 Mac. It opens and it runs and it even connects to the Sophos firewall. But then it won't allow him to open any shared resources.

I have seen this before and it was resolved by changing the OpenSSL version to v1.0.2u. His Tunnelblick would not show 102u in the dropdown. I force fed 102u into the appropriate locations as outlined in this thread and it just won't show up. Everything else in that folder shows up. Tried quitting all openvpn processes and relaunching Tunnelblick to no avail. Any ideas? Thanks in advance.

Tunnelblick developer

Feb 20, 2023, 4:22:11 PM
to tunnelblick-discuss
We have not been able to get OpenSSL 1.0.2 to build for the Apple Silicon processor used in M1 Macs, so we can't build a version of OpenVPN with OpenSSL 1.0.2 that will run on the M1 Macs. For that reason, it doesn't show up as an option on M1 Macs.

Given that OpenSSL 1.0.2 is, according to the OpenSSL website, "out of support and should not be used", we do not plan to do anything about that.
