[SOLVED] OS X Lion: CommonCrypto and OpenVPN
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2011 3:38 am
[SOLVED] OS X Lion: CommonCrypto and OpenVPN
Attempts to build OpenVPN in OS X Lion fail due to OpenSSL deprecation warnings. How would one build OpenVPN against CommonCrypto headers and libraries (http://www.opensource.apple.com/release/mac-os-x-107/)? Any insight would be greatly appreciated! Would never consider using anything other than OpenVPN.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: OS X Lion: CommonCrypto and OpenVPN
compiling and linking openvpn against different crypto libraries is in the works, but is not expected to be released any time soon.
I don't run Mac OS but colleagues do, and I have not heard complaints from them so far about openssl not working on MacOS Lion; did you install the latest MacPorts version (1.0.0.d) ?
Exactly what kind of deprecation warnings are you getting?
I don't run Mac OS but colleagues do, and I have not heard complaints from them so far about openssl not working on MacOS Lion; did you install the latest MacPorts version (1.0.0.d) ?
Exactly what kind of deprecation warnings are you getting?
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2011 3:38 am
Re: OS X Lion: CommonCrypto and OpenVPN
Thank you for your reply!
I eventually got OpenVPN 2.2.1 to compile on Lion with OpenSSL 1.0.0d.
I had neglected to use "darwin64-x86_64-cc" during ./Configure.
I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch
I do not use MacPorts.
Now my problem is that when I build OpenVPN on Snow Leopard (10.6.8), it won't give me support for Elliptic Curves (i.e., --show-tls), even though I point the build to OpenSSL 1.0.0d. Although I get support for EC when I build on Lion. Quite puzzling.
Any thoughts?
I eventually got OpenVPN 2.2.1 to compile on Lion with OpenSSL 1.0.0d.
I had neglected to use "darwin64-x86_64-cc" during ./Configure.
I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch
I do not use MacPorts.
Now my problem is that when I build OpenVPN on Snow Leopard (10.6.8), it won't give me support for Elliptic Curves (i.e., --show-tls), even though I point the build to OpenSSL 1.0.0d. Although I get support for EC when I build on Lion. Quite puzzling.
Any thoughts?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: OS X Lion: CommonCrypto and OpenVPN
are you certain that your openssl 1.0.0 version on Snow Leopard supports EC? what happens if you run 'openssl ciphers' ? is the output the same as on Lion?
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2011 3:38 am
Re: OS X Lion: CommonCrypto and OpenVPN
Everything seems in place in Snow Leopard. I must be doing something wrong. Is there something within the OpenVPN configuration that I could change prior to building? Appreciate you help and quick response.
Code: Select all
Beta:sbin cyrus$ openssl ciphers
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: OS X Lion: CommonCrypto and OpenVPN
the mistake I make most often when compiling and linking against a custom openssl version is that I get the --with-ssl-headesr flag right, but not the --with-ssl-lib flag. If you are linking against a dynamic lib then check that you are loading the right one - openvpn simply uses the ciphers and digests that openssl supplies.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2011 3:38 am
Re: OS X Lion: CommonCrypto and OpenVPN
You may be right. Just checked and got these:
At least I'll have something fun to look forward to after work! Thanks again.
Code: Select all
/usr/lib/
Code: Select all
lrwxr-xr-x 1 root wheel 18 Aug 23 17:31 libssl.dylib -> libssl.0.9.8.dylib
Code: Select all
lrwxr-xr-x 1 root wheel 21 Aug 23 17:30 libcrypto.dylib -> libcrypto.0.9.8.dylib
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2011 3:38 am
Re: OS X Lion: CommonCrypto and OpenVPN
Success! And I owe it to you:D
This time around, I added the option when configuring OpenSSL, which afforded me *.dylib files. Now OpenVPN builds with EC support.
Again, thank you for your help and insight!
This time around, I added the
Code: Select all
shared
Code: Select all
./Configure darwin64-x86_64-cc shared
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: OS X Lion: CommonCrypto and OpenVPN
I have just submitted a patch to the developers mailing list with a syshead.h fix. If reviewers ACKs it, it will go into OpenVPN 2.3 (and probably 2.2.2 as well).theovandoesburg wrote: I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch
http://thread.gmane.org/gmane.network.o ... devel/4953
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2011 3:38 am
Re: OS X Lion: CommonCrypto and OpenVPN
You guys are just the best.