[SOLVED] OS X Lion: CommonCrypto and OpenVPN
Posted: Thu Aug 18, 2011 3:49 am
by theovandoesburg
Attempts to build OpenVPN in OS X Lion fail due to OpenSSL deprecation warnings. How would one build OpenVPN against CommonCrypto headers and libraries (http://www.opensource.apple.com/release/mac-os-x-107/)? Any insight would be greatly appreciated! Would never consider using anything other than OpenVPN.
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Fri Aug 19, 2011 6:46 am
by janjust
Compiling and linking openvpn against different crypto libraries is in the works, but is not expected to be released any time soon.
I don't run Mac OS but colleagues do, and I have not heard complaints from them so far about openssl not working on MacOS Lion; did you install the latest MacPorts version (1.0.0.d)?
Exactly what kind of deprecation warnings are you getting?
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Wed Aug 24, 2011 10:23 pm
by theovandoesburg
Thank you for your reply!
I eventually got OpenVPN 2.2.1 to compile on Lion with OpenSSL 1.0.0d.
I had neglected to use "darwin64-x86_64-cc" during ./Configure.
I also had to apply a patch for syshead.h:
https://trac.macports.org/attachment/ti ... lion.patch
I do not use MacPorts.
Now my problem is that when I build OpenVPN on Snow Leopard (10.6.8), it won't give me support for Elliptic Curves (i.e., --show-tls), even though I point the build to OpenSSL 1.0.0d. Although I get support for EC when I build on Lion. Quite puzzling.
Any thoughts?
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Wed Aug 24, 2011 10:42 pm
by janjust
Are you certain that your openssl 1.0.0 version on Snow Leopard supports EC? What happens if you run 'openssl ciphers'? Is the output the same as on Lion?
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Wed Aug 24, 2011 11:20 pm
by theovandoesburg
Everything seems in place in Snow Leopard. I must be doing something wrong. Is there something within the OpenVPN configuration that I could change prior to building? Appreciate your help and quick response.
Code:
Beta:sbin cyrus$ openssl ciphers
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Thu Aug 25, 2011 7:39 am
by janjust
The mistake I make most often when compiling and linking against a custom openssl version is that I get the --with-ssl-headers flag right, but not the --with-ssl-lib flag. If you are linking against a dynamic lib then check that you are loading the right one - openvpn simply uses the ciphers and digests that openssl supplies.
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Thu Aug 25, 2011 11:38 am
by theovandoesburg
You may be right. Just checked
and got these:
Code:
lrwxr-xr-x 1 root wheel 18 Aug 23 17:31 libssl.dylib -> libssl.0.9.8.dylib
Code:
lrwxr-xr-x 1 root wheel 21 Aug 23 17:30 libcrypto.dylib -> libcrypto.0.9.8.dylib
At least I'll have something fun to look forward to after work! Thanks again.
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Fri Aug 26, 2011 3:46 am
by theovandoesburg
Success! And I owe it to you :D
This time around, I added the
option when configuring OpenSSL, which afforded me *.dylib files. Now OpenVPN builds with EC support.
Code:
./Configure darwin64-x86_64-cc shared
Again, thank you for your help and insight!
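The check that resolved this thread, written out as a script (an added example, not posted by any participant): it lists the EC suites in an `openssl ciphers` list and compares the version in a `libssl.dylib` symlink target with the version of the `openssl` binary. The function names are hypothetical, the sample lines are constructed from the output quoted above, and the `libssl.1.0.0.dylib` target name is an assumption.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, inputs are constructed samples.

# Print the elliptic-curve suites (ECDHE-*/ECDH-*) from a colon-separated
# `openssl ciphers` list read on stdin, one per line.
ec_suites() {
    tr ':' '\n' | grep -E '^ECDHE?-' || true
}

# Extract the library version from an `ls -l` symlink line such as
#   ... libssl.dylib -> libssl.0.9.8.dylib   =>   0.9.8
dylib_version() {
    printf '%s\n' "$1" |
        sed -n 's/.* -> lib[a-z]*\.\([0-9][0-9a-z.]*\)\.dylib$/\1/p'
}

# Return 0 if the symlink target matches the numeric part of the CLI version
# (e.g. "1.0.0d" -> "1.0.0"), 1 if it points at a different release,
# 2 if the line is not a versioned symlink.
check_link() {
    cli_version=$1
    link_line=$2
    want=$(printf '%s\n' "$cli_version" | sed 's/[a-z]*$//')
    have=$(dylib_version "$link_line")
    [ -n "$have" ] || { echo "unparsed: $link_line"; return 2; }
    if [ "$have" = "$want" ]; then
        echo "ok: dylib $have matches CLI $cli_version"
    else
        echo "MISMATCH: dylib $have but CLI is $cli_version"
        return 1
    fi
}

# Constructed sample inputs, modelled on the output quoted in the thread.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA'
SAMPLE_OLD='lrwxr-xr-x 1 root wheel 18 Aug 23 17:31 libssl.dylib -> libssl.0.9.8.dylib'
SAMPLE_NEW='lrwxr-xr-x 1 root wheel 18 Aug 26 03:30 libssl.dylib -> libssl.1.0.0.dylib'

printf '%s' "$SAMPLE_CIPHERS" | ec_suites      # EC suites the CLI offers
check_link 1.0.0d "$SAMPLE_OLD" || true        # static-only build: old dylib
check_link 1.0.0d "$SAMPLE_NEW" || true        # after a shared build
```

On a live system, pipe `openssl ciphers` into `ec_suites` and pass the `ls -l` line for the library directory given to `--with-ssl-lib` to `check_link`.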
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Fri Aug 26, 2011 8:53 am
by dazo
I have just submitted a patch to the developers mailing list with a syshead.h fix. If reviewers ACK it, it will go into OpenVPN 2.3 (and probably 2.2.2 as well).
http://thread.gmane.org/gmane.network.o ... devel/4953
Re: OS X Lion: CommonCrypto and OpenVPN
Posted: Fri Aug 26, 2011 9:40 am
by theovandoesburg
You guys are just the best.