RemoteOne wrote: ↑
Thu Dec 15, 2022 4:22 pm
Centos 8 epel has an openssl3 package available. It installs side-by-side with the default openssl 1.1.1k package.
Is there any way to have the new OpenVPN 2.6 beta1 utilise the openssl3 library?
I'm the Fedora and Fedora Copr package maintainer for the OpenVPN packages and have looked into the openssl3 package on EL8.
I have decided to not use the openssl3 package for a few reasons. First the packages themselves:
- The ordinary openssl package is maintained by Red Hat people, via the official RHEL repositories
- The openssl3 is maintained by a single Fedora community member, provided via the Fedora EPEL repositories.
I do see that openssl3 pulls in changes regularly and seems to up-to-date. But that it is a community effort. The official openssl package is maintained by Red Hat people, who I know works closely with the Red Hat security teams to ensure the criticical packages are up-to-date and carries the important backported security and bug fixes.
Since the OpenSSL library is a highly security sensitive package, I am very reluctant to build OpenVPN with a dependency on a not official distribution package.
This is not because I don't trust the openssl3 package maintainer; he may very well do a superb job. But it is an external package maintained by a single person plus being security sensitive. In that context, I don't think the Fedora Copr builds of OpenVPN is a good target for this this package.
Further, when the final OpenVPN 2.6.0 release happens, there will be Fedora Copr repositories for this release as well. Based on the arguments above, putting OpenVPN 2.6.0 into production servers with a third-party openssl3 package, it feels even more risky. And since I want to release the EL-8 builds using the distro provided openssl, we need that to be well tested with the distro provided openssl.
If you want the OpenSSL 3 features, I would rather encourage you to upgrade/migrate to EL-9. That ships OpenSSL 3, and the Fedora Copr builds of OpenVPN (all versions) are built against OpenSSL 3.