[SOLVED] OS X Lion: CommonCrypto and OpenVPN

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

[SOLVED] OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Thu Aug 18, 2011 3:49 am

Attempts to build OpenVPN in OS X Lion fail due to OpenSSL deprecation warnings. How would one build OpenVPN against CommonCrypto headers and libraries (http://www.opensource.apple.com/release/mac-os-x-107/)? Any insight would be greatly appreciated! Would never consider using anything other than OpenVPN.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OS X Lion: CommonCrypto and OpenVPN

Post by janjust » Fri Aug 19, 2011 6:46 am

compiling and linking openvpn against different crypto libraries is in the works, but is not expected to be released any time soon.

I don't run Mac OS but colleagues do, and I have not heard complaints from them so far about openssl not working on MacOS Lion; did you install the latest MacPorts version (1.0.0.d)?

Exactly what kind of deprecation warnings are you getting?

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Wed Aug 24, 2011 10:23 pm

Thank you for your reply!

I eventually got OpenVPN 2.2.1 to compile on Lion with OpenSSL 1.0.0d.

I had neglected to use "darwin64-x86_64-cc" during ./Configure.

I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch

I do not use MacPorts.

Now my problem is that when I build OpenVPN on Snow Leopard (10.6.8), it won't give me support for Elliptic Curves (i.e., --show-tls), even though I point the build to OpenSSL 1.0.0d. Although I get support for EC when I build on Lion. Quite puzzling.

Any thoughts?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OS X Lion: CommonCrypto and OpenVPN

Post by janjust » Wed Aug 24, 2011 10:42 pm

are you certain that your openssl 1.0.0 version on Snow Leopard supports EC? what happens if you run 'openssl ciphers'? is the output the same as on Lion?

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Wed Aug 24, 2011 11:20 pm

Everything seems in place in Snow Leopard. I must be doing something wrong. Is there something within the OpenVPN configuration that I could change prior to building? Appreciate your help and quick response.


Beta:sbin cyrus$ openssl ciphers
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OS X Lion: CommonCrypto and OpenVPN

Post by janjust » Thu Aug 25, 2011 7:39 am

the mistake I make most often when compiling and linking against a custom openssl version is that I get the --with-ssl-headers flag right, but not the --with-ssl-lib flag. If you are linking against a dynamic lib then check that you are loading the right one - openvpn simply uses the ciphers and digests that openssl supplies.
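
The check described in the post above, as an added example that is not part of the original thread: it reads `otool -L` output to see which libssl/libcrypto a binary was linked against, and counts EC suites in `openssl ciphers` output. The binary path, the /usr/local/ssl prefix and both sample listings are constructed assumptions.

```shell
# Added example. Sample data below is constructed, not taken from the thread.

# Print the libssl/libcrypto install names found in `otool -L` output (stdin).
linked_ssl_libs() {
    awk '/lib(ssl|crypto)[^ ]*\.dylib/ { print $1 }'
}

# check_linkage PREFIX: read `otool -L` output on stdin. Returns 0 if every
# libssl/libcrypto path is under PREFIX, 1 if any is not, 2 if none is listed.
check_linkage() {
    prefix=$1
    libs=$(linked_ssl_libs)
    [ -n "$libs" ] || { echo "no libssl/libcrypto dependency listed"; return 2; }
    rc=0
    for lib in $libs; do
        case $lib in
            "$prefix"/*) echo "ok: $lib" ;;
            *) echo "MISMATCH: $lib is not under $prefix"; rc=1 ;;
        esac
    done
    return $rc
}

# Count ECDH/ECDHE suites in colon-separated `openssl ciphers` output (stdin).
count_ec_suites() {
    tr ':' '\n' | awk '/^ECDH/ { n++ } END { print n + 0 }'
}

# Constructed `otool -L` output: binary linked against the system 0.9.8 dylibs.
sample_system_link() {
    cat <<'EOF'
/usr/local/sbin/openvpn:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.11)
EOF
}

# Constructed output: linked against a custom build under /usr/local/ssl (assumed prefix).
sample_custom_link() {
    cat <<'EOF'
/usr/local/sbin/openvpn:
    /usr/local/ssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/ssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
EOF
}

# Real use (paths assumed): otool -L /path/to/openvpn | check_linkage /usr/local/ssl/lib
sample_system_link | check_linkage /usr/local/ssl/lib || echo "binary loads the system OpenSSL"
```

`otool -L` reports the install names recorded at link time; a DYLD_LIBRARY_PATH setting in the runtime environment can still change which copy is loaded.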

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Thu Aug 25, 2011 11:38 am

You may be right. Just checked /usr/lib/ and got these:

lrwxr-xr-x    1 root  wheel        18 Aug 23 17:31 libssl.dylib -> libssl.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        21 Aug 23 17:30 libcrypto.dylib -> libcrypto.0.9.8.dylib

At least I'll have something fun to look forward to after work! Thanks again.

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Fri Aug 26, 2011 3:46 am

Success! And I owe it to you :D

This time around, I added the "shared" option when configuring OpenSSL, which afforded me *.dylib files. Now OpenVPN builds with EC support.

./Configure darwin64-x86_64-cc shared

Again, thank you for your help and insight!

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: OS X Lion: CommonCrypto and OpenVPN

Post by dazo » Fri Aug 26, 2011 8:53 am

theovandoesburg wrote: I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch
I have just submitted a patch to the developers mailing list with a syshead.h fix. If reviewers ACK it, it will go into OpenVPN 2.3 (and probably 2.2.2 as well).

http://thread.gmane.org/gmane.network.o ... devel/4953

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Fri Aug 26, 2011 9:40 am

You guys are just the best.
