Hello OpenVPN developers,

For the last few years I have closely followed your advances in the source. When you release a 
new version of the software, I pull it, build it in different 
configurations and ship it to a small user base.
To allow the users to choose the flavor of SSL, one of the configurations is 
'-libressl' and the other is '-openssl'. Personally I do not care, as they 
should do the same thing - encrypt and decrypt byte arrays with advanced 
mathematics - but there are situations and preferences where having a different 
library can be handy.

To keep the builds reproducible, I maintain a private fork of 
openvpn/openvpn-build that adds support for LibreSSL (and pulls all 
dependencies over HTTPS and always uses the very latest OpenSSL 1.0 
patch level). This repository is used to build the OpenVPN executables for 
Arch Linux, Debian, Fedora, Ubuntu, OS X and Windows in appropriate VMs.

The release last week was different from the releases before. Usually all I 
have to do is update the version, rebuild and QA. The release notes state 
'This is primarily a maintenance release, with further improved OpenSSL 1.1'. 
To my surprise the openvpn-build repository now uses the OpenSSL 1.1 
dependency, but why should OpenSSL 1.0 no longer work, right?

It does not, and this is fine as it is reaching EOL soon anyway. And maybe it 
does not break the OpenVPN API, so it's OK to increase only the last version digit. 
This adds more patches to my openvpn-build repository, as now the 2.3.18 version 
_needs_ OpenSSL 1.0 and cannot use 1.1, while 2.4.5 needs OpenSSL 1.1 and no 
longer builds with 1.0 - but that's my problem, I guess.

After the OpenSSL switch worked with 2.3.18 and 2.4.5, LibreSSL had one compile 
error - not what I experienced in the last years, but OK, I can patch, and I 
have a system for patches anyway (e.g. for xor). To save other people the trouble 
- as long as they build the unmodified source - I'd like to contribute to your 
project with a simple pull request, one that makes the latest OpenVPN version 
work with the latest LibreSSL. Maybe you just do not build it this way, but 
soon others may run into this. In the end it's not more than a typo/broken link 
on Wikipedia.
I researched other patches that 'fix LibreSSL' (not many) to make the change as 
close as possible to your accepted standards.
I researched the patch that causes the build error and evaluated whether my change may 
have any drawbacks.
I set up a GH identity to fork, apply the patch, push and create a pull request, 
just to learn that this is not the 'right' way.

Then I get the response "See the release notes for 2.4.5." and "if LibreSSL is 
then breaking the API again, the active developers very much do not care."

OK, bummer, the (German) Wikipedia experience again - rejected. The second and 
third read of the well-distributed changelog(s) and release note(s) does not 
bring up a 'We no longer support LibreSSL' note. The source code contains 
ifdefs that already take care of LibreSSL. There are recent patches that 
handle mbedSSL, so you must be interested in supporting other crypto libraries. 
Do I really have to write an email to the developer that made the last LibreSSL 
patch, bribe her or him with *hugs* or *backrubs* (sorry!) to get the simplest 
possible patch into upstream? What do I have to do then to get more complex 
stuff approved? Weekly meetings?

Last try with the mailing list: maybe someone copies the lines into the next 
release so I can drop the patch. I do not want attribution, I do not want to 
write emotional messages on a mailing list, nor do I want to have responses to 
them. I want to interact technically using a pull request for an issue I see.

Gert Doering: thanks for the quick response on GH.
Steffan Karger: When the introduced block in 
0e8a30c0b05c1e2b59a1dea0a6eab5daa1d9d9a1 really is 'not really needed', can we 
add an additional ifdef around it to make it build with LibreSSL?

Everyone reading: Sorry for the rant, thank you for the latest release and the 
great work, and have a nice Sunday!

https://github.com/OpenVPN/openvpn/pull/102
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel