Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN v2.4.8

2019-11-25 Thread Juliusz Sosinowicz

Hi David,

I apologize for the delayed response. I will rebase our OpenVPN work off 
of the master branch this week in anticipation for a possible inclusion 
in version 2.5.


Regarding your question "What kind of commitment will we see from the 
WolfSSL organization?":
We have a large customer driving the use of wolfSSL with OpenVPN. We've 
done the initial porting and testing. We will update the port when 
needed and continue to support this effort.
We will also be making public marketing posts and announcements for 
OpenVPN support on our blog (https://www.wolfssl.com/blog/) and 
subscribed mailing lists.


We understand your concern about the intrusiveness of this patch. The 
majority of insertions occur in the configure and try to follow the 
structure of how other cryptographic backends are compiled against. The 
"Emulate X since these are defined as macros" additions are 
unfortunately necessary as these functions are defined as macros in our 
library. AC_CHECK_FUNCS will not check if the function exists behind a 
macro. Defining these macros in the configure script allows for minimal 
interference in the rest of OpenVPN code. The rest of the changes in the 
patch are library inclusions as some things are defined in slightly 
different locations than OpenSSL. The file  holds the 
configure options for the wolfSSL library. It is necessary to include so 
that the header files know what should be included and defined.


I hope this email clears things up as to why some changes were necessary.

Sincerely
Juliusz

On 14/11/2019 12:25, David Sommerseth wrote:

On 14/11/2019 11:22, Juliusz Sosinowicz wrote:

From: David Garske 

wolfSSL:

Support added in: https://github.com/wolfSSL/wolfssl/pull/2503

```sh
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-opensslall --enable-des3 --enable-crl --enable-certgen \
  --enable-certext --enable-aesctr --enable-sessioncerts \
  CFLAGS="-DWOLFSSL_DES_ECB -DHAVE_EX_DATA"
make
sudo make install
```

OpenVPN:

```sh
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

NAK.

This patch adds a new feature to the 2.4 branch.  We don't really want to do
that, especially if the change is intrusive (13 files changed, 108 insertions
<< that is intrusive).  WolfSSL support will at best see the light in the
coming 2.5 release (At the hackathon we aim for late 2020Q1 or 2020Q2)

In previous rounds we have asked a lot of questions; there have been no real
responses to those.  This has not even been touched in relation to this
patch.

One good thing I do see, is that it seems to try to use an OpenSSL support
layer in WolfSSL - which is good.  But then I wonder why we see additions like
this all over.

+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include 
+#endif

In addition, the change in configure.ac with all the AC_DEFINE lines, tagged
with "Emulate X since these are defined as macros" is also making a lot of
mess.

And then comes the most critical point to all of this:  Who will maintain
WolfSSL support in OpenVPN once this has been applied?  What kind of
commitment will we see from the WolfSSL organization?

The OpenVPN developers community will have an IRC meeting next Thursday (Nov
21 @ 20:00 CET, #openvpn-meeting on FreeNode [1]).  I strongly recommend you
to attend this meeting to follow up your request.


[1] You need to have your nick registered to join
 





___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
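
The AC_CHECK_FUNCS limitation described in the reply above, next to a header-aware check, as an added configure.ac sketch that is not taken from the patch or from either project. `compat_fn` and `compat/ssl.h` are hypothetical placeholders for a name that a compatibility layer provides only as a macro and for the header that defines it.

```m4
# Added illustration; compat_fn and compat/ssl.h are hypothetical placeholders.

# AC_CHECK_FUNCS compiles and links a probe that declares the name itself
# (roughly `char compat_fn ();`) and includes no library header. If
# compat_fn exists only as a preprocessor macro, the library exports no
# symbol of that name, the link step fails, and HAVE_COMPAT_FN stays
# undefined even though code that includes the header can call it.
AC_CHECK_FUNCS([compat_fn])

# AC_CHECK_DECLS compiles a probe with the given includes and accepts the
# name if it is defined as a macro or usable as an r-value, so a
# macro-only name is found. It always defines HAVE_DECL_COMPAT_FN (1 or 0).
# The action-if-found branch additionally sets HAVE_COMPAT_FN, the
# spelling AC_CHECK_FUNCS would have produced, so the result is derived
# from a compile test instead of being defined unconditionally.
AC_CHECK_DECLS([compat_fn],
    [AC_DEFINE([HAVE_COMPAT_FN], [1],
        [Define to 1 if compat_fn is usable, possibly as a macro])],
    [],
    [[#include <compat/ssl.h>]])
```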


Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN v2.4.8

2019-11-14 Thread David Sommerseth

On 14/11/2019 11:22, Juliusz Sosinowicz wrote:
> From: David Garske 
> 
> wolfSSL:
> 
> Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
> 
> ```sh
> git clone https://github.com/wolfSSL/wolfssl.git
> cd wolfssl
> ./autogen.sh
> ./configure --enable-opensslall --enable-des3 --enable-crl --enable-certgen \
>   --enable-certext --enable-aesctr --enable-sessioncerts \
>   CFLAGS="-DWOLFSSL_DES_ECB -DHAVE_EX_DATA"
> make
> sudo make install
> ```
> 
> OpenVPN:
> 
> ```sh
> autoreconf -i -v -f
> ./configure --with-crypto-library=wolfssl
> make
> make check
> sudo make install
> ```

NAK.

This patch adds a new feature to the 2.4 branch.  We don't really want to do
that, especially if the change is intrusive (13 files changed, 108 insertions
<< that is intrusive).  WolfSSL support will at best see the light in the
coming 2.5 release (At the hackathon we aim for late 2020Q1 or 2020Q2)

In previous rounds we have asked a lot of questions; there have been no real
responses to those.  This has not even been touched in relation to this
patch.

One good thing I do see, is that it seems to try to use an OpenSSL support
layer in WolfSSL - which is good.  But then I wonder why we see additions like
this all over.

+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include 
+#endif
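
Review bot: the `#include` line inside the `ENABLE_CRYPTO_WOLFSSL` guard carries no header name in this excerpt, so what it pulls in cannot be checked from the hunk as shown. If the same three-line guard is repeated in many source files, consider moving it into one shared header that those files already include, so the backend-specific include is declared once and the individual files need no `#ifdef ENABLE_CRYPTO_WOLFSSL` block of their own.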

In addition, the change in configure.ac with all the AC_DEFINE lines, tagged
with "Emulate X since these are defined as macros" is also making a lot of
mess.

And then comes the most critical point to all of this:  Who will maintain
WolfSSL support in OpenVPN once this has been applied?  What kind of
commitment will we see from the WolfSSL organization?

The OpenVPN developers community will have an IRC meeting next Thursday (Nov
21 @ 20:00 CET, #openvpn-meeting on FreeNode [1]).  I strongly recommend you
to attend this meeting to follow up your request.


[1] You need to have your nick registered to join



-- 
kind regards,

David Sommerseth
OpenVPN Inc



