
openvpn: add mbedtls build option. #23429

Merged
merged 1 commit on Jul 12, 2020

Conversation

travankor (Contributor)

Default to it since openvpn is broken with libressl-3.1.X.
@travankor (Contributor, Author)

@jkoderu-git This should fix the issue with openvpn.

@mobinmob (Contributor)

mobinmob commented Jul 7, 2020

That is nice - mbedtls has LTS releases ;)

@jkoderu-git (Contributor)

Thank you so much @travankor for your help!

@Johnnynator (Member)

Did you check if this fixes the problematic servers? (only aware of ProtonVPN configs so far)

@ericonr (Member)

ericonr commented Jul 10, 2020

Can we be sure this doesn't break other uses of OpenVPN as well?

@travankor (Contributor, Author)

mbedtls is officially supported by openvpn. This should be 100% interoperable with other openvpn instances. (Some trivia: This version of openvpn was sponsored by the Dutch government for their restricted communication channels.)

The features that don't work compared to the openssl build:

 * PKCS#12 file support
 * --capath support - Loading certificate authorities from a directory
 * Windows CryptoAPI support
 * X.509 alternative username fields (must be "CN")

This is why the mbedtls and pkcs12 options conflict since the build fails with both turned on.

Admittedly, I don't know the reason why libressl is causing problems and to what extent things are broken with openvpn. And yes, I tested ProtonVPN, which seems to work.
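An added example, not code from this PR or from the void-packages repository: a small shell check that scans an OpenVPN client config for the directives that correspond to the gaps listed above, so a user can see before switching to the mbedtls build whether their setup relies on one of them. The mapping from the listed features to the `pkcs12`, `capath`, `cryptoapicert` and `x509-username-field` directives is my assumption, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or the void-packages repo: list the
# directives in an OpenVPN client config that the mbedtls build lacks.
# The mapping from the features named in the thread to these directives
# is my assumption.

# Usage: check_mbedtls_compat /path/to/client.ovpn
# Prints one line per unsupported directive; returns 1 if any found, else 0.
check_mbedtls_compat() {
    cfg="$1"
    found=0
    # PKCS#12 file support -> pkcs12; --capath -> capath;
    # Windows CryptoAPI -> cryptoapicert
    for directive in pkcs12 capath cryptoapicert; do
        # Anchor at line start (leading blanks allowed) so commented-out
        # lines ('#' or ';') are not reported.
        if grep -Eq "^[[:space:]]*${directive}"'([[:space:]]|$)' "$cfg"; then
            echo "$directive"
            found=1
        fi
    done
    # X.509 username field: only CN works with mbedtls; flag any other value.
    field=$(grep -E '^[[:space:]]*x509-username-field[[:space:]]+' "$cfg" \
            | awk '{print $2}' | head -n 1)
    if [ -n "$field" ] && [ "$field" != "CN" ]; then
        echo "x509-username-field $field"
        found=1
    fi
    return $found
}

# Constructed sample config for the demonstration.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
# pkcs12 client.p12   (commented out, so not reported)
capath /etc/openvpn/ca.d
x509-username-field emailAddress
EOF
check_mbedtls_compat "$demo_cfg" \
    || echo "config relies on features missing from the mbedtls build"
rm -f "$demo_cfg"
```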

@travankor (Contributor, Author)

Can we be sure this doesn't break other uses of OpenVPN as well?

Can you suggest some to test? Keep in mind that I can't really test every use case (like the ones involving corporate networks).

So far, I think the main difference is that the mbedtls version is a little slower and less responsive than the openssl/libressl version.

@ericonr (Member)

ericonr commented Jul 11, 2020

Can you suggest some to test?

I have no idea, because I don't use it myself. Just want to avoid a regression for OpenVPN users whose setup is working with the latest LibreSSL version.

@travankor (Contributor, Author)

The best solution is to use Openssl. The other options are either 1) mbedtls or 2) patch libressl and/or openvpn to work.

Johnnynator merged commit 2d69bd0 into void-linux:master Jul 12, 2020
@Redcroft

Hi,

This has broken pkcs12 for me, is there any way we can re-enable this option?

Thanks

@ericonr (Member)

ericonr commented Jul 14, 2020

@Redcroft could you open a separate issue, please? That way it's easier to track. If you know how to build the package yourself, you can build it with the pkcs11 build option.

@travankor travankor deleted the openvpn branch July 16, 2020 03:02
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 25, 2021