On 22.02.21 at 16:28, Juliusz Sosinowicz wrote:
> Hi Arne,
>
> have you had any success in compiling OpenVPN with wolfSSL?
>

Yes, sorry for taking so long. However the client does not work with my test config (those are on my mac):

2021-03-03 13:19:11 library versions: wolfSSL 4.7.1
2021-03-03 13:19:11 tls_ctx_set_tls_versions: failed to set minimum TLS version
2021-03-03 13:19:11 Error: private key password verification failed
2021-03-03 13:19:11 Exiting due to fatal error

Note that this profile just has an inline <cert>, <key> and <ca> section.

Another profile, just with <ca> and without certificates fails with:

sudo ./src/openvpn/openvpn ~/dl/focal_generic.ovpn
2021-03-03 13:21:52 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-03-03 13:21:52 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-apple-darwin20.3.0 [SSL (OpenSSL)] [LZ4] [MH/RECVDA] [AEAD] built on Mar 3 2021
2021-03-03 13:21:52 library versions: wolfSSL 4.7.1
Enter Auth Username:arne
Enter Auth Password:
2021-03-03 13:21:58 Cannot load CA certificate file [[INLINE]] (no entries were read)
2021-03-03 13:21:58 Exiting due to fatal error

To see if the problem is isolated to my macbook, I tried again on Ubuntu 20.10.

% make check
[...]
If the addresses are in use, this test will retry up to two times.
2021-03-03 12:28:25 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2021-03-03 12:28:25 WARNING: file 'sample-keys/server.key' is group or others accessible
2021-03-03 12:28:25 WARNING: file 'sample-keys/ta.key' is group or others accessible
2021-03-03 12:28:25 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 3 2021
2021-03-03 12:28:25 library versions: wolfSSL 4.7.1, LZO 2.10
2021-03-03 12:28:25 net_route_v4_best_gw query: dst 0.0.0.0
2021-03-03 12:28:25 net_route_v4_best_gw result: via 192.168.188.1 dev eth0
2021-03-03 12:28:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-03-03 12:28:25 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2021-03-03 12:28:25 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 3 2021
2021-03-03 12:28:25 library versions: wolfSSL 4.7.1, LZO 2.10
2021-03-03 12:28:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-03-03 12:28:25 tls_ctx_set_tls_versions: failed to set minimum TLS version
2021-03-03 12:28:25 Error: private key password verification failed
2021-03-03 12:28:25 Exiting due to fatal error
FAIL: t_cltsrv.sh
Test 0: OK
Test 1: OK
Test 2: OK
Test 3: OK
Test 4: OK
Test 5: OK
Test 6: OK
Test 7: OK
PASS: t_net.sh
====================================================
1 of 3 tests failed
(1 test was not run)
Please report to openvpn-us...@lists.sourceforge.net
====================================================

Same result for the configs.

I tested a config with a non-inlined file then:

[12:32]arne@bionic-client:~% ./wolfo2build/./src/openvpn/openvpn focal_generic.ovpn
2021-03-03 12:32:54 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-03-03 12:32:54 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 3 2021
2021-03-03 12:32:54 library versions: wolfSSL 4.7.1, LZO 2.10
Enter Auth Username:j
Enter Auth Password:
2021-03-03 12:32:56 Cannot load CA certificate file focal-ca.pem (no entries were read)
2021-03-03 12:32:56 Exiting due to fatal error
[12:32]{1}arne@bionic-client:~% openssl x509 -in focal-ca.pem
-----BEGIN CERTIFICATE-----
MIHzMIGmoAMCAQICAgDrMAUGAytlcDASMRAwDgYDVQQDDAdlZDI1IENBMB4XDTIx
MDEwNzE3MjQxNloXDTMxMDEwNjE3MjQxNlowEjEQMA4GA1UEAwwHZWQyNSBDQTAq
MAUGAytlcAMhAFP90d3bP9Bk49MFBtQEXqtdvGlymOped9L+X17paUfAoyAwHjAP
BgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAFBgMrZXADQQDbdEko8+2dsfgb
NSejIFv3JRw7FymlIH6dBnH9kN4qCkcm1/avhErxURGUJgounEn4UZtK5w1u+Wf8
y6/RvusO
-----END CERTIFICATE-----

And that also fails.

So it compiles now but in the past it got to a point that it connected and worked.

Arne