[SOLVED] OS X Lion: CommonCrypto and OpenVPN

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

[SOLVED] OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Thu Aug 18, 2011 3:49 am

Attempts to build OpenVPN in OS X Lion fail due to OpenSSL deprecation warnings. How would one build OpenVPN against CommonCrypto headers and libraries (http://www.opensource.apple.com/release/mac-os-x-107/)? Any insight would be greatly appreciated! Would never consider using anything other than OpenVPN.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OS X Lion: CommonCrypto and OpenVPN

Post by janjust » Fri Aug 19, 2011 6:46 am

Compiling and linking openvpn against different crypto libraries is in the works, but is not expected to be released any time soon.

I don't run Mac OS but colleagues do, and I have not heard complaints from them so far about openssl not working on MacOS Lion; did you install the latest MacPorts version (1.0.0.d) ?

Exactly what kind of deprecation warnings are you getting?

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Wed Aug 24, 2011 10:23 pm

Thank you for your reply!

I eventually got OpenVPN 2.2.1 to compile on Lion with OpenSSL 1.0.0d.

I had neglected to use "darwin64-x86_64-cc" during ./Configure.

I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch

I do not use MacPorts.

Now my problem is that when I build OpenVPN on Snow Leopard (10.6.8), it won't give me support for Elliptic Curves (i.e., --show-tls), even though I point the build to OpenSSL 1.0.0d. Although I get support for EC when I build on Lion. Quite puzzling.

Any thoughts?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OS X Lion: CommonCrypto and OpenVPN

Post by janjust » Wed Aug 24, 2011 10:42 pm

Are you certain that your openssl 1.0.0 version on Snow Leopard supports EC? What happens if you run 'openssl ciphers'? Is the output the same as on Lion?

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Wed Aug 24, 2011 11:20 pm

Everything seems in place in Snow Leopard. I must be doing something wrong. Is there something within the OpenVPN configuration that I could change prior to building? Appreciate your help and quick response.

Code:

Beta:sbin cyrus$ openssl ciphers
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OS X Lion: CommonCrypto and OpenVPN

Post by janjust » Thu Aug 25, 2011 7:39 am

The mistake I make most often when compiling and linking against a custom openssl version is that I get the --with-ssl-headers flag right, but not the --with-ssl-lib flag. If you are linking against a dynamic lib then check that you are loading the right one - openvpn simply uses the ciphers and digests that openssl supplies.

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Thu Aug 25, 2011 11:38 am

You may be right. Just checked /usr/lib/ and got these:

Code:
lrwxr-xr-x    1 root  wheel        18 Aug 23 17:31 libssl.dylib -> libssl.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        21 Aug 23 17:30 libcrypto.dylib -> libcrypto.0.9.8.dylib

At least I'll have something fun to look forward to after work! Thanks again.

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Fri Aug 26, 2011 3:46 am

Success! And I owe it to you :D

This time around, I added the "shared" option when configuring OpenSSL, which afforded me *.dylib files. Now OpenVPN builds with EC support.

Code:
./Configure darwin64-x86_64-cc shared

Again, thank you for your help and insight!
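
An added example, not part of the original posts: a shell check for the failure diagnosed in this thread, where the `openssl` command line lists EC suites but the built binary resolves the system 0.9.8 dylibs. The function names and the sample `otool -L` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which OpenSSL dylibs a binary loads, from `otool -L`
# output, and flag any whose version is not the one you built against.

# Constructed sample of `otool -L openvpn` output for a binary that resolved
# the system 0.9.8 libraries instead of a custom 1.0.0 build.
SAMPLE_OTOOL=$(printf 'openvpn:\n\t%s\n\t%s\n\t%s\n' \
  '/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 44.0.0)' \
  '/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 44.0.0)' \
  '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.0.0)')

# Print "name version path" for each libssl/libcrypto line read from stdin.
linked_openssl() {
  sed -n -E 's#^[[:space:]]*(.*/lib(ssl|crypto)\.([0-9][0-9a-z.]*)\.dylib) .*#lib\2 \3 \1#p'
}

# Read `otool -L` output on stdin. Returns 0 if every OpenSSL dylib version
# starts with the expected prefix, 1 on a mismatch, 2 if none is listed.
check_linkage() {
  _want="$1"
  _found=$(linked_openssl)
  if [ -z "$_found" ]; then
    echo "no libssl/libcrypto dylib listed (possibly linked statically)"
    return 2
  fi
  _bad=$(printf '%s\n' "$_found" | awk -v want="$_want" 'index($2, want) != 1')
  if [ -n "$_bad" ]; then
    printf 'MISMATCH (wanted %s):\n%s\n' "$_want" "$_bad"
    return 1
  fi
  printf 'OK:\n%s\n' "$_found"
}

# Return 0 if a colon-separated cipher list on stdin (the format printed by
# `openssl ciphers`) contains at least one ECDH or ECDHE suite.
has_ec_suites() {
  tr ':' '\n' | grep -Eq '^ECDHE?-'
}

# Live use on macOS: sh check.sh /path/to/openvpn 1.0.0
if [ -n "${1:-}" ] && command -v otool >/dev/null 2>&1; then
  otool -L "$1" | check_linkage "${2:-1.0.0}"
fi
```

Run `has_ec_suites` on the output of the `openssl` binary from the same prefix as the libraries; a pass there combined with a `MISMATCH` from `check_linkage` is the situation described in this thread.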

dazo
OpenVPN Inc.
Posts: 141
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: OS X Lion: CommonCrypto and OpenVPN

Post by dazo » Fri Aug 26, 2011 8:53 am

theovandoesburg wrote: I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch

I have just submitted a patch to the developers mailing list with a syshead.h fix. If reviewers ACK it, it will go into OpenVPN 2.3 (and probably 2.2.2 as well).

http://thread.gmane.org/gmane.network.o ... devel/4953

theovandoesburg
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2011 3:38 am

Re: OS X Lion: CommonCrypto and OpenVPN

Post by theovandoesburg » Fri Aug 26, 2011 9:40 am

You guys are just the best.
