Build OpenVPN with specific OpenSSL version

by

Below is the procedure I used to build OpenVPN with OpenSSL 1.0.2. OpenSSL 1.0.1 vs. 1.0.2 vs. 1.1.0 should not matter. However, some Configure scripts dies on OpenSSL 1.1.0 because 1.1.0 uses OPENSSL_init_ssl rather than SSL_library_init. Note the use of RPATH’s on Linux (OS X would use a different technique).

OpenSSL configuration options are mostly documented at Compilation and Installation | Configure Options on their wiki. I did not find similar for OpenVPN, and ./configure --help was not very helpful. Often, for an Autools project, you need to --with-ssl=<path to ssl root>, but OpenVPN does not appear to have that option. For OpenVPN, the process below went adhoc using Autools CFLAGS.

Both libraries disabled compression because it can leak information. For more details, see Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. The problem is the variable bit rate encoding, and the fundamental design is prevalent in other compression libraries (like zlib).

OpenSSL 1.0.2

$ wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
$ tar xzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h

$ ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
$ make -j 4
$ make test
$ sudo make install

# clear program cache
$ hash -r

You can check the openssl program is using the expected shared objects with:

$ ldd /usr/local/ssl/bin/openssl
    linux-vdso.so.1 =>  (0x00007ffc36578000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f94b48fb000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f94b448b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f94b40c6000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f94b3ec2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f94b4b6c000)

You can also make sure the new openssl is on-path with the following. Its not required for your issue, however.

$ sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
$ hash -r
$ command -v openssl
/usr/local/bin/openssl

OpenVPN 2.3.11

$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
$ tar xzf openvpn-2.3.11.tar.gz
$ cd openvpn-2.3.11

$ CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure --disable-lzo
$ make -j 4

Next, check the OpenVPN program to see what its linking to:

$ find . -type f -name openvpn
./src/openvpn/openvpn
$ ldd ./src/openvpn/openvpn
    linux-vdso.so.1 =>  (0x00007ffc8bfc4000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f74f437f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f74f4c64000)

Next, run the self tests:

$ make check
...
make[3]: Entering directory `/home/jwalton/openvpn-2.3.11/tests'
./t_client.sh: cannot find 't_client.rc' in build dir ('..')
./t_client.sh: or source directory ('.'). SKIPPING TEST.
SKIP: t_client.sh
Testing cipher AES-128-CBC... OK
Testing cipher AES-128-CFB... OK
Testing cipher AES-128-CFB1... OK
...

Install OpenVPN if it tests OK:

$ sudo make install
$ hash -r
$ command -v openvpn
/usr/local/sbin/openvpn

Finally, check it:

$ /usr/local/sbin/openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Aug 17 2016
library versions: OpenSSL 1.0.2h  3 May 2016
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
...

If interested, you can find a build script to automate the process at Noloader | Build-Scripts. It includes one for OpenVPN.

More Related Contents:

  1. How do I make this Linux program compile? [closed]
  2. How to compile .c file with OpenSSL includes?
  3. Is a Linux executable “compatible” with OS X?
  4. what the output of this code and why?
  5. How to make child process die after parent exits?
  6. What is time_t ultimately a typedef to?
  7. What is the equivalent to Posix popen() in the Win32 API?
  8. How to recursively list directories in C on Linux?
  9. How does kernel get an executable binary file running under linux?
  10. Measure time in Linux – time vs clock vs getrusage vs clock_gettime vs gettimeofday vs timespec_get?
  11. Is malloc/free a syscall or a library routine provided by libc?
  12. Building a kernel module from several source files which one of them has the same name as the module
  13. Turn a simple socket into an SSL socket
  14. How to check if a given file descriptor stored in a variable is still valid?
  15. Are file descriptors shared when fork()ing?
  16. how to call function in executable from my library?
  17. How does sig_atomic_t actually work?
  18. How to link to a static library in C?
  19. C function defined as int but having no return statement in the body still compiles
  20. Interprocess mutex with pthreads
  21. plain C: opening a directory with fopen()
  22. How do I pass a command line argument while starting up GDB in Linux? [duplicate]
  23. How to modify memory contents using GDB?
  24. undefined reference ‘shm_open’, already add -lrt flag here
  25. How do *nix pseudo-terminals work ? What’s the master/slave channel?
  26. Linux getting all network interface names
  27. Process Linkage Table and Global Offset Table
  28. Linux: Why is sig_atomic_t typedef’ed to int?
  29. How to use lockdep feature in linux kernel for deadlock detection
  30. How do I lock files using fopen()?

Leave a Comment