* [PATCH 1/3] ovpnmain.cgi: Define OpenSSL configuration globally @ 2024-04-18 21:36 Michael Tremer 2024-04-18 21:36 ` [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Michael Tremer 2024-04-18 21:36 ` [PATCH 3/3] openvpn-crl-updater: Update for the changed configuration file Michael Tremer 0 siblings, 2 replies; 19+ messages in thread From: Michael Tremer @ 2024-04-18 21:36 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 5708 bytes --] This makes commands shorter and therefore easier to read. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..9b8ff5aa5 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -53,6 +53,9 @@ my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); +# Use a custom OpenSSL configuration file for all operations +$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; + ### ### Initialize variables ### @@ -1835,8 +1838,7 @@ END unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", - '-out', "${General::swroot}/ovpn/ca/cacert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-out', "${General::swroot}/ovpn/ca/cacert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; goto ROOTCERT_ERROR; } @@ -1867,8 +1869,7 @@ END '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", - '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { + '-extensions', 'server')) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); @@ -1884,8 +1885,7 @@ END '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/serverreq.pem", '-out', "${General::swroot}/ovpn/certs/servercert.pem", - '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-extensions', 'server'); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/cakey.pem"); @@ -1903,8 +1903,7 @@ END # Create an empty CRL # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', - '-out', "${General::swroot}/ovpn/crls/cacrl.pem", - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); + '-out', "${General::swroot}/ovpn/crls/cacrl.pem"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -2426,8 +2425,8 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem"); ### # m.a.d net2net @@ -2480,7 +2479,7 @@ else &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}}; - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem"); &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); } else { @@ -4052,8 +4051,7 @@ if ($cgiparams{'TYPE'} eq 'net') { system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', $filename, - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ($filename); @@ -4265,8 +4263,7 @@ if ($cgiparams{'TYPE'} eq 'net') { unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); @@ -4279,8 +4276,7 @@ if ($cgiparams{'TYPE'} eq 'net') { system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); -- 2.39.2 ^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-04-18 21:36 [PATCH 1/3] ovpnmain.cgi: Define OpenSSL configuration globally Michael Tremer @ 2024-04-18 21:36 ` Michael Tremer 2024-06-05 11:26 ` Adolf Belka 2024-04-18 21:36 ` [PATCH 3/3] openvpn-crl-updater: Update for the changed configuration file Michael Tremer 1 sibling, 1 reply; 19+ messages in thread From: Michael Tremer @ 2024-04-18 21:36 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2317 bytes --] We should not have any configuration files that we share in this place, therefore this patch is moving it into /usr/share/openvpn where we should be able to update it without any issues. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/rootfiles/common/openvpn | 2 +- html/cgi-bin/ovpnmain.cgi | 2 +- lfs/openvpn | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..c0d49bfad 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/openssl.cnf var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9b8ff5aa5..ed80fef7d 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -54,7 +54,7 @@ my %mainsettings = (); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); # Use a custom OpenSSL configuration file for all operations -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; ### ### Initialize variables diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..0704aa438 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater + # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/ + rmdir -v /usr/share/openvpn + # Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator -- 2.39.2 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-04-18 21:36 ` [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Michael Tremer @ 2024-06-05 11:26 ` Adolf Belka 2024-06-05 11:33 ` Adolf Belka 0 siblings, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-05 11:26 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 3452 bytes --] Hi Michael, Here is my feedback on these three patches and the issues I found when I tried to use them. I had to manually apply them so there is also the possibility that I made a typo somewhere. On 18/04/2024 23:36, Michael Tremer wrote: > We should not have any configuration files that we share in this place, > therefore this patch is moving it into /usr/share/openvpn where we > should be able to update it without any issues. > > Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> > --- > config/rootfiles/common/openvpn | 2 +- > html/cgi-bin/ovpnmain.cgi | 2 +- > lfs/openvpn | 6 ++++++ > 3 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn > index d9848a579..c0d49bfad 100644 > --- a/config/rootfiles/common/openvpn > +++ b/config/rootfiles/common/openvpn These changes were no problem. > @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator > #usr/share/doc/openvpn/openvpn.8.html > #usr/share/man/man5/openvpn-examples.5 > #usr/share/man/man8/openvpn.8 > +usr/share/openvpn/openssl.cnf > var/ipfire/ovpn/ca > var/ipfire/ovpn/caconfig > var/ipfire/ovpn/ccd > @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial > var/ipfire/ovpn/crls > var/ipfire/ovpn/n2nconf > #var/ipfire/ovpn/openssl > -var/ipfire/ovpn/openssl/ovpn.cnf > var/ipfire/ovpn/openvpn-authenticator > var/ipfire/ovpn/ovpn-leases.db > var/ipfire/ovpn/ovpnconfig > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 9b8ff5aa5..ed80fef7d 100755 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi Also this change no problem. > @@ -54,7 +54,7 @@ my %mainsettings = (); > &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); > > # Use a custom OpenSSL configuration file for all operations > -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; > +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; > > ### > ### Initialize variables > diff --git a/lfs/openvpn b/lfs/openvpn > index b71b4ccc9..0704aa438 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. > @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > chown root:root /etc/fcron.daily/openvpn-crl-updater > chmod 750 /etc/fcron.daily/openvpn-crl-updater > > + # Move the OpenSSL configuration file out of /var/ipfire > + mkdir -pv /usr/share/openvpn > + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ > + /usr/share/openvpn/ > + rmdir -v /usr/share/openvpn > + The above lines I changed to + # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/openssl.cnf + rmdir -v /var/ipfire/ovpn/openssl/ + with my changes in the last two lines. When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. Regards, Adolf. > # Install authenticator > install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ > /usr/sbin/openvpn-authenticator ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-05 11:26 ` Adolf Belka @ 2024-06-05 11:33 ` Adolf Belka 2024-06-05 11:52 ` Adolf Belka 0 siblings, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-05 11:33 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 4212 bytes --] Hi All, I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch. I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message. In the httpd/error_log file it had the following message Email Address []:Error checking request extension section server Regards, Adolf. On 05/06/2024 13:26, Adolf Belka wrote: > Hi Michael, > > Here is my feedback on these three patches and the issues I found when I tried to use them. > > I had to manually apply them so there is also the possibility that I made a typo somewhere. > > On 18/04/2024 23:36, Michael Tremer wrote: >> We should not have any configuration files that we share in this place, >> therefore this patch is moving it into /usr/share/openvpn where we >> should be able to update it without any issues. >> >> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >> --- >> config/rootfiles/common/openvpn | 2 +- >> html/cgi-bin/ovpnmain.cgi | 2 +- >> lfs/openvpn | 6 ++++++ >> 3 files changed, 8 insertions(+), 2 deletions(-) >> >> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >> index d9848a579..c0d49bfad 100644 >> --- a/config/rootfiles/common/openvpn >> +++ b/config/rootfiles/common/openvpn > These changes were no problem. >> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >> #usr/share/doc/openvpn/openvpn.8.html >> #usr/share/man/man5/openvpn-examples.5 >> #usr/share/man/man8/openvpn.8 >> +usr/share/openvpn/openssl.cnf >> var/ipfire/ovpn/ca >> var/ipfire/ovpn/caconfig >> var/ipfire/ovpn/ccd >> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >> var/ipfire/ovpn/crls >> var/ipfire/ovpn/n2nconf >> #var/ipfire/ovpn/openssl >> -var/ipfire/ovpn/openssl/ovpn.cnf >> var/ipfire/ovpn/openvpn-authenticator >> var/ipfire/ovpn/ovpn-leases.db >> var/ipfire/ovpn/ovpnconfig >> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >> index 9b8ff5aa5..ed80fef7d 100755 >> --- a/html/cgi-bin/ovpnmain.cgi >> +++ b/html/cgi-bin/ovpnmain.cgi > Also this change no problem. >> @@ -54,7 +54,7 @@ my %mainsettings = (); >> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); >> # Use a custom OpenSSL configuration file for all operations >> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; >> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; >> ### >> ### Initialize variables >> diff --git a/lfs/openvpn b/lfs/openvpn >> index b71b4ccc9..0704aa438 100644 >> --- a/lfs/openvpn >> +++ b/lfs/openvpn > This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. >> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> chown root:root /etc/fcron.daily/openvpn-crl-updater >> chmod 750 /etc/fcron.daily/openvpn-crl-updater >> + # Move the OpenSSL configuration file out of /var/ipfire >> + mkdir -pv /usr/share/openvpn >> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >> + /usr/share/openvpn/ >> + rmdir -v /usr/share/openvpn >> + > > The above lines I changed to > > + # Move the OpenSSL configuration file out of /var/ipfire > + mkdir -pv /usr/share/openvpn > + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ > + /usr/share/openvpn/openssl.cnf > + rmdir -v /var/ipfire/ovpn/openssl/ > + > with my changes in the last two lines. > When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. > > Regards, > Adolf. > >> # Install authenticator >> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >> /usr/sbin/openvpn-authenticator ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-05 11:33 ` Adolf Belka @ 2024-06-05 11:52 ` Adolf Belka 2024-06-07 8:22 ` Adolf Belka 0 siblings, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-05 11:52 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 8122 bytes --] I re-did the vm build and first did a restore of my system so I could access the logs via ssh. Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++ ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+.........................+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server So you can see explicitly what it came back with. Regards, Adolf On 05/06/2024 13:33, Adolf Belka wrote: > Hi All, > > I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch. > > I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message. > > In the httpd/error_log file it had the following message > > Email Address []:Error checking request extension section server > > Regards, > > Adolf. > > On 05/06/2024 13:26, Adolf Belka wrote: >> Hi Michael, >> >> Here is my feedback on these three patches and the issues I found when I tried to use them. >> >> I had to manually apply them so there is also the possibility that I made a typo somewhere. >> >> On 18/04/2024 23:36, Michael Tremer wrote: >>> We should not have any configuration files that we share in this place, >>> therefore this patch is moving it into /usr/share/openvpn where we >>> should be able to update it without any issues. >>> >>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>> --- >>> config/rootfiles/common/openvpn | 2 +- >>> html/cgi-bin/ovpnmain.cgi | 2 +- >>> lfs/openvpn | 6 ++++++ >>> 3 files changed, 8 insertions(+), 2 deletions(-) >>> >>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>> index d9848a579..c0d49bfad 100644 >>> --- a/config/rootfiles/common/openvpn >>> +++ b/config/rootfiles/common/openvpn >> These changes were no problem. >>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>> #usr/share/doc/openvpn/openvpn.8.html >>> #usr/share/man/man5/openvpn-examples.5 >>> #usr/share/man/man8/openvpn.8 >>> +usr/share/openvpn/openssl.cnf >>> var/ipfire/ovpn/ca >>> var/ipfire/ovpn/caconfig >>> var/ipfire/ovpn/ccd >>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>> var/ipfire/ovpn/crls >>> var/ipfire/ovpn/n2nconf >>> #var/ipfire/ovpn/openssl >>> -var/ipfire/ovpn/openssl/ovpn.cnf >>> var/ipfire/ovpn/openvpn-authenticator >>> var/ipfire/ovpn/ovpn-leases.db >>> var/ipfire/ovpn/ovpnconfig >>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>> index 9b8ff5aa5..ed80fef7d 100755 >>> --- a/html/cgi-bin/ovpnmain.cgi >>> +++ b/html/cgi-bin/ovpnmain.cgi >> Also this change no problem. >>> @@ -54,7 +54,7 @@ my %mainsettings = (); >>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); >>> # Use a custom OpenSSL configuration file for all operations >>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; >>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; >>> ### >>> ### Initialize variables >>> diff --git a/lfs/openvpn b/lfs/openvpn >>> index b71b4ccc9..0704aa438 100644 >>> --- a/lfs/openvpn >>> +++ b/lfs/openvpn >> This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. >>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>> + # Move the OpenSSL configuration file out of /var/ipfire >>> + mkdir -pv /usr/share/openvpn >>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> + /usr/share/openvpn/ >>> + rmdir -v /usr/share/openvpn >>> + >> >> The above lines I changed to >> >> + # Move the OpenSSL configuration file out of /var/ipfire >> + mkdir -pv /usr/share/openvpn >> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >> + /usr/share/openvpn/openssl.cnf >> + rmdir -v /var/ipfire/ovpn/openssl/ >> + >> with my changes in the last two lines. >> When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. >> >> Regards, >> Adolf. >> >>> # Install authenticator >>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>> /usr/sbin/openvpn-authenticator ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-05 11:52 ` Adolf Belka @ 2024-06-07 8:22 ` Adolf Belka 2024-06-07 16:01 ` [PATCH] " Michael Tremer 2024-06-07 16:03 ` [PATCH 2/3] " Michael Tremer 0 siblings, 2 replies; 19+ messages in thread From: Adolf Belka @ 2024-06-07 8:22 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 8618 bytes --] Hi Michael, Any comments on my feedback, did I make some errors or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186 which would mean giving it some good testing, which I am willing and available to do. Regards, Adolf. On 05/06/2024 13:52, Adolf Belka wrote: > I re-did the vm build and first did a restore of my system so I could access the logs via ssh. > > Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file > > ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++ > ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+.........................+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++ > > ----- > You are about to be asked to enter information that will be incorporated > into your certificate request. > What you are about to enter is what is called a Distinguished Name or a DN. > There are quite a few fields but you can leave some blank > For some fields there will be a default value, > If you enter '.', the field will be left blank. > ----- > Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server > > So you can see explicitly what it came back with. > > Regards, > > Adolf > > > On 05/06/2024 13:33, Adolf Belka wrote: >> Hi All, >> >> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch. >> >> I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message. >> >> In the httpd/error_log file it had the following message >> >> Email Address []:Error checking request extension section server >> >> Regards, >> >> Adolf. >> >> On 05/06/2024 13:26, Adolf Belka wrote: >>> Hi Michael, >>> >>> Here is my feedback on these three patches and the issues I found when I tried to use them. >>> >>> I had to manually apply them so there is also the possibility that I made a typo somewhere. >>> >>> On 18/04/2024 23:36, Michael Tremer wrote: >>>> We should not have any configuration files that we share in this place, >>>> therefore this patch is moving it into /usr/share/openvpn where we >>>> should be able to update it without any issues. >>>> >>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>> --- >>>> config/rootfiles/common/openvpn | 2 +- >>>> html/cgi-bin/ovpnmain.cgi | 2 +- >>>> lfs/openvpn | 6 ++++++ >>>> 3 files changed, 8 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>> index d9848a579..c0d49bfad 100644 >>>> --- a/config/rootfiles/common/openvpn >>>> +++ b/config/rootfiles/common/openvpn >>> These changes were no problem. >>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>> #usr/share/doc/openvpn/openvpn.8.html >>>> #usr/share/man/man5/openvpn-examples.5 >>>> #usr/share/man/man8/openvpn.8 >>>> +usr/share/openvpn/openssl.cnf >>>> var/ipfire/ovpn/ca >>>> var/ipfire/ovpn/caconfig >>>> var/ipfire/ovpn/ccd >>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>> var/ipfire/ovpn/crls >>>> var/ipfire/ovpn/n2nconf >>>> #var/ipfire/ovpn/openssl >>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>> var/ipfire/ovpn/openvpn-authenticator >>>> var/ipfire/ovpn/ovpn-leases.db >>>> var/ipfire/ovpn/ovpnconfig >>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>> index 9b8ff5aa5..ed80fef7d 100755 >>>> --- a/html/cgi-bin/ovpnmain.cgi >>>> +++ b/html/cgi-bin/ovpnmain.cgi >>> Also this change no problem. >>>> @@ -54,7 +54,7 @@ my %mainsettings = (); >>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); >>>> # Use a custom OpenSSL configuration file for all operations >>>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; >>>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; >>>> ### >>>> ### Initialize variables >>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>> index b71b4ccc9..0704aa438 100644 >>>> --- a/lfs/openvpn >>>> +++ b/lfs/openvpn >>> This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. >>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>> + mkdir -pv /usr/share/openvpn >>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>> + /usr/share/openvpn/ >>>> + rmdir -v /usr/share/openvpn >>>> + >>> >>> The above lines I changed to >>> >>> + # Move the OpenSSL configuration file out of /var/ipfire >>> + mkdir -pv /usr/share/openvpn >>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> + /usr/share/openvpn/openssl.cnf >>> + rmdir -v /var/ipfire/ovpn/openssl/ >>> + >>> with my changes in the last two lines. >>> When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. >>> >>> Regards, >>> Adolf. >>> >>>> # Install authenticator >>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>> /usr/sbin/openvpn-authenticator ^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-07 8:22 ` Adolf Belka @ 2024-06-07 16:01 ` Michael Tremer 2024-06-08 8:40 ` Adolf Belka 2024-06-07 16:03 ` [PATCH 2/3] " Michael Tremer 1 sibling, 1 reply; 19+ messages in thread From: Michael Tremer @ 2024-06-07 16:01 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 7578 bytes --] We should not have any configuration files that we share in this place, therefore this patch is moving it into /usr/share/openvpn where we should be able to update it without any issues. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/ovpn/openvpn-crl-updater | 3 +-- config/rootfiles/common/openvpn | 2 +- html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- lfs/openvpn | 6 ++++++ 4 files changed, 18 insertions(+), 13 deletions(-) diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater index 5fbe21080..5008d6725 100644 --- a/config/ovpn/openvpn-crl-updater +++ b/config/ovpn/openvpn-crl-updater @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" CRL="${OVPN}/crls/cacrl.pem" CAKEY="${OVPN}/ca/cakey.pem" CACERT="${OVPN}/ca/cacert.pem" -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" # Check if CRL is presant or if OpenVPN is active if [ ! -e "${CAKEY}" ]; then @@ -76,7 +75,7 @@ UPDATE="14" ## Mainpart # Check if OpenVPNs CRL needs to be renewed if [ ${NEXTUPDATE} -le ${UPDATE} ]; then - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then logger -t openvpn "CRL has been updated" else logger -t openvpn "error: Could not update CRL" diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..c0d49bfad 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/openssl.cnf var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..f0172978f 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1836,7 +1836,7 @@ END '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-config', "/usr/share/openvpn/ovpn.cnf")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; goto ROOTCERT_ERROR; } @@ -1868,7 +1868,7 @@ END '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { + '-config', "/usr/share/openvpn/ovpn.cnf" )) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); @@ -1885,7 +1885,7 @@ END '-in', "${General::swroot}/ovpn/certs/serverreq.pem", '-out', "${General::swroot}/ovpn/certs/servercert.pem", '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/cakey.pem"); @@ -1904,7 +1904,7 @@ END # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', '-out', "${General::swroot}/ovpn/crls/cacrl.pem", - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); + '-config', "/usr/share/openvpn/ovpn.cnf" ); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -2426,8 +2426,8 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); ### # m.a.d net2net @@ -2480,7 +2480,7 @@ else &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}}; - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); } else { @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-batch', '-notext', '-in', $filename, '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ($filename); @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-config', "/usr/share/openvpn/ovpn.cnf")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..0704aa438 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater + # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/ + rmdir -v /usr/share/openvpn + # Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator -- 2.39.2 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-07 16:01 ` [PATCH] " Michael Tremer @ 2024-06-08 8:40 ` Adolf Belka 2024-06-08 10:14 ` Michael Tremer 0 siblings, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-08 8:40 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 8661 bytes --] Hi Michael, On 07/06/2024 18:01, Michael Tremer wrote: > We should not have any configuration files that we share in this place, > therefore this patch is moving it into /usr/share/openvpn where we > should be able to update it without any issues. > > Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> > --- > config/ovpn/openvpn-crl-updater | 3 +-- > config/rootfiles/common/openvpn | 2 +- > html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- > lfs/openvpn | 6 ++++++ > 4 files changed, 18 insertions(+), 13 deletions(-) > > diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater > index 5fbe21080..5008d6725 100644 > --- a/config/ovpn/openvpn-crl-updater > +++ b/config/ovpn/openvpn-crl-updater > @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" > CRL="${OVPN}/crls/cacrl.pem" > CAKEY="${OVPN}/ca/cakey.pem" > CACERT="${OVPN}/ca/cacert.pem" > -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" > > # Check if CRL is presant or if OpenVPN is active > if [ ! -e "${CAKEY}" ]; then > @@ -76,7 +75,7 @@ UPDATE="14" > ## Mainpart > # Check if OpenVPNs CRL needs to be renewed > if [ ${NEXTUPDATE} -le ${UPDATE} ]; then > - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then > + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then > logger -t openvpn "CRL has been updated" > else > logger -t openvpn "error: Could not update CRL" > diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn > index d9848a579..c0d49bfad 100644 > --- a/config/rootfiles/common/openvpn > +++ b/config/rootfiles/common/openvpn > @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator > #usr/share/doc/openvpn/openvpn.8.html > #usr/share/man/man5/openvpn-examples.5 > #usr/share/man/man8/openvpn.8 > +usr/share/openvpn/openssl.cnf In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf > var/ipfire/ovpn/ca > var/ipfire/ovpn/caconfig > var/ipfire/ovpn/ccd > @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial > var/ipfire/ovpn/crls > var/ipfire/ovpn/n2nconf > #var/ipfire/ovpn/openssl > -var/ipfire/ovpn/openssl/ovpn.cnf > var/ipfire/ovpn/openvpn-authenticator > var/ipfire/ovpn/ovpn-leases.db > var/ipfire/ovpn/ovpnconfig > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index c92d0237d..f0172978f 100755 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -1836,7 +1836,7 @@ END > '-days', '999999', '-newkey', 'rsa:4096', '-sha512', > '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", > '-out', "${General::swroot}/ovpn/ca/cacert.pem", > - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { > + '-config', "/usr/share/openvpn/ovpn.cnf")) { > $errormessage = "$Lang::tr{'cant start openssl'}: $!"; > goto ROOTCERT_ERROR; > } > @@ -1868,7 +1868,7 @@ END > '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", > '-out', "${General::swroot}/ovpn/certs/serverreq.pem", > '-extensions', 'server', > - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { > + '-config', "/usr/share/openvpn/ovpn.cnf" )) { > $errormessage = "$Lang::tr{'cant start openssl'}: $!"; > unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); > unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); > @@ -1885,7 +1885,7 @@ END > '-in', "${General::swroot}/ovpn/certs/serverreq.pem", > '-out', "${General::swroot}/ovpn/certs/servercert.pem", > '-extensions', 'server', > - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); > + '-config', "/usr/share/openvpn/ovpn.cnf"); > if ($?) { > $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; > unlink ("${General::swroot}/ovpn/ca/cakey.pem"); > @@ -1904,7 +1904,7 @@ END > # System call is safe, because all arguments are passed as array. > system('/usr/bin/openssl', 'ca', '-gencrl', > '-out', "${General::swroot}/ovpn/crls/cacrl.pem", > - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); > + '-config', "/usr/share/openvpn/ovpn.cnf" ); > if ($?) { > $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; > unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); > @@ -2426,8 +2426,8 @@ else > > if ($confighash{$cgiparams{'KEY'}}) { > # Revoke certificate if certificate was deleted and rewrite the CRL > - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); > - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); > + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); > + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); > > ### > # m.a.d net2net > @@ -2480,7 +2480,7 @@ else > &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); > > delete $confighash{$cgiparams{'KEY'}}; > - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); > + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); > &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); > > } else { > @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { > '-batch', '-notext', > '-in', $filename, > '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", > - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); > + '-config', "/usr/share/openvpn/ovpn.cnf"); > if ($?) { > $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; > unlink ($filename); > @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { > '-newkey', 'rsa:4096', > '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", > '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", > - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { > + '-config', "/usr/share/openvpn/ovpn.cnf")) { > $errormessage = "$Lang::tr{'cant start openssl'}: $!"; > unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); > unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); > @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { > '-batch', '-notext', > '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", > '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", > - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); > + '-config', "/usr/share/openvpn/ovpn.cnf"); > if ($?) { > $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; > unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); > diff --git a/lfs/openvpn b/lfs/openvpn > index b71b4ccc9..0704aa438 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn > @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > chown root:root /etc/fcron.daily/openvpn-crl-updater > chmod 750 /etc/fcron.daily/openvpn-crl-updater > > + # Move the OpenSSL configuration file out of /var/ipfire > + mkdir -pv /usr/share/openvpn This creates the new directory. > + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ > + /usr/share/openvpn/ This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. > + rmdir -v /usr/share/openvpn This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. Regards, Adolf. > + > # Install authenticator > install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ > /usr/sbin/openvpn-authenticator -- Sent from my laptop ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-08 8:40 ` Adolf Belka @ 2024-06-08 10:14 ` Michael Tremer 2024-06-08 10:43 ` Adolf Belka 0 siblings, 1 reply; 19+ messages in thread From: Michael Tremer @ 2024-06-08 10:14 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 8903 bytes --] Hello, Thanks for testing this. > On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: > > Hi Michael, > > On 07/06/2024 18:01, Michael Tremer wrote: >> We should not have any configuration files that we share in this place, >> therefore this patch is moving it into /usr/share/openvpn where we >> should be able to update it without any issues. >> >> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >> --- >> config/ovpn/openvpn-crl-updater | 3 +-- >> config/rootfiles/common/openvpn | 2 +- >> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >> lfs/openvpn | 6 ++++++ >> 4 files changed, 18 insertions(+), 13 deletions(-) >> >> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >> index 5fbe21080..5008d6725 100644 >> --- a/config/ovpn/openvpn-crl-updater >> +++ b/config/ovpn/openvpn-crl-updater >> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >> CRL="${OVPN}/crls/cacrl.pem" >> CAKEY="${OVPN}/ca/cakey.pem" >> CACERT="${OVPN}/ca/cacert.pem" >> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >> # Check if CRL is presant or if OpenVPN is active >> if [ ! -e "${CAKEY}" ]; then >> @@ -76,7 +75,7 @@ UPDATE="14" >> ## Mainpart >> # Check if OpenVPNs CRL needs to be renewed >> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >> logger -t openvpn "CRL has been updated" >> else >> logger -t openvpn "error: Could not update CRL" >> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >> index d9848a579..c0d49bfad 100644 >> --- a/config/rootfiles/common/openvpn >> +++ b/config/rootfiles/common/openvpn >> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >> #usr/share/doc/openvpn/openvpn.8.html >> #usr/share/man/man5/openvpn-examples.5 >> #usr/share/man/man8/openvpn.8 >> +usr/share/openvpn/openssl.cnf > In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf Oh. >> var/ipfire/ovpn/ca >> var/ipfire/ovpn/caconfig >> var/ipfire/ovpn/ccd >> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >> var/ipfire/ovpn/crls >> var/ipfire/ovpn/n2nconf >> #var/ipfire/ovpn/openssl >> -var/ipfire/ovpn/openssl/ovpn.cnf >> var/ipfire/ovpn/openvpn-authenticator >> var/ipfire/ovpn/ovpn-leases.db >> var/ipfire/ovpn/ovpnconfig >> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >> index c92d0237d..f0172978f 100755 >> --- a/html/cgi-bin/ovpnmain.cgi >> +++ b/html/cgi-bin/ovpnmain.cgi >> @@ -1836,7 +1836,7 @@ END >> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >> goto ROOTCERT_ERROR; >> } >> @@ -1868,7 +1868,7 @@ END >> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >> '-extensions', 'server', >> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >> @@ -1885,7 +1885,7 @@ END >> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >> '-extensions', 'server', >> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >> + '-config', "/usr/share/openvpn/ovpn.cnf"); >> if ($?) { >> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >> @@ -1904,7 +1904,7 @@ END >> # System call is safe, because all arguments are passed as array. >> system('/usr/bin/openssl', 'ca', '-gencrl', >> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >> if ($?) { >> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >> @@ -2426,8 +2426,8 @@ else >> if ($confighash{$cgiparams{'KEY'}}) { >> # Revoke certificate if certificate was deleted and rewrite the CRL >> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >> ### >> # m.a.d net2net >> @@ -2480,7 +2480,7 @@ else >> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >> delete $confighash{$cgiparams{'KEY'}}; >> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >> } else { >> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >> '-batch', '-notext', >> '-in', $filename, >> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >> + '-config', "/usr/share/openvpn/ovpn.cnf"); >> if ($?) { >> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >> unlink ($filename); >> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >> '-newkey', 'rsa:4096', >> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >> '-batch', '-notext', >> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >> + '-config', "/usr/share/openvpn/ovpn.cnf"); >> if ($?) { >> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >> diff --git a/lfs/openvpn b/lfs/openvpn >> index b71b4ccc9..0704aa438 100644 >> --- a/lfs/openvpn >> +++ b/lfs/openvpn >> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> chown root:root /etc/fcron.daily/openvpn-crl-updater >> chmod 750 /etc/fcron.daily/openvpn-crl-updater >> + # Move the OpenSSL configuration file out of /var/ipfire >> + mkdir -pv /usr/share/openvpn > This creates the new directory. >> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >> + /usr/share/openvpn/ > This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >> + rmdir -v /usr/share/openvpn > This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. I will send patches. -Michael > Regards, > Adolf. >> + >> # Install authenticator >> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >> /usr/sbin/openvpn-authenticator > > -- > Sent from my laptop ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-08 10:14 ` Michael Tremer @ 2024-06-08 10:43 ` Adolf Belka 2024-06-08 11:00 ` Adolf Belka 2024-06-08 11:16 ` Adolf Belka 0 siblings, 2 replies; 19+ messages in thread From: Adolf Belka @ 2024-06-08 10:43 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 9501 bytes --] Hi Michael, I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location. am now doing a build on my vm and will see if that then creates the certificates or not. Regards, Adolf. On 08/06/2024 12:14, Michael Tremer wrote: > Hello, > > Thanks for testing this. > >> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >> >> Hi Michael, >> >> On 07/06/2024 18:01, Michael Tremer wrote: >>> We should not have any configuration files that we share in this place, >>> therefore this patch is moving it into /usr/share/openvpn where we >>> should be able to update it without any issues. >>> >>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>> --- >>> config/ovpn/openvpn-crl-updater | 3 +-- >>> config/rootfiles/common/openvpn | 2 +- >>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>> lfs/openvpn | 6 ++++++ >>> 4 files changed, 18 insertions(+), 13 deletions(-) >>> >>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >>> index 5fbe21080..5008d6725 100644 >>> --- a/config/ovpn/openvpn-crl-updater >>> +++ b/config/ovpn/openvpn-crl-updater >>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >>> CRL="${OVPN}/crls/cacrl.pem" >>> CAKEY="${OVPN}/ca/cakey.pem" >>> CACERT="${OVPN}/ca/cacert.pem" >>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >>> # Check if CRL is presant or if OpenVPN is active >>> if [ ! -e "${CAKEY}" ]; then >>> @@ -76,7 +75,7 @@ UPDATE="14" >>> ## Mainpart >>> # Check if OpenVPNs CRL needs to be renewed >>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>> logger -t openvpn "CRL has been updated" >>> else >>> logger -t openvpn "error: Could not update CRL" >>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>> index d9848a579..c0d49bfad 100644 >>> --- a/config/rootfiles/common/openvpn >>> +++ b/config/rootfiles/common/openvpn >>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>> #usr/share/doc/openvpn/openvpn.8.html >>> #usr/share/man/man5/openvpn-examples.5 >>> #usr/share/man/man8/openvpn.8 >>> +usr/share/openvpn/openssl.cnf >> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf > > Oh. > >>> var/ipfire/ovpn/ca >>> var/ipfire/ovpn/caconfig >>> var/ipfire/ovpn/ccd >>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>> var/ipfire/ovpn/crls >>> var/ipfire/ovpn/n2nconf >>> #var/ipfire/ovpn/openssl >>> -var/ipfire/ovpn/openssl/ovpn.cnf >>> var/ipfire/ovpn/openvpn-authenticator >>> var/ipfire/ovpn/ovpn-leases.db >>> var/ipfire/ovpn/ovpnconfig >>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>> index c92d0237d..f0172978f 100755 >>> --- a/html/cgi-bin/ovpnmain.cgi >>> +++ b/html/cgi-bin/ovpnmain.cgi >>> @@ -1836,7 +1836,7 @@ END >>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>> goto ROOTCERT_ERROR; >>> } >>> @@ -1868,7 +1868,7 @@ END >>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>> '-extensions', 'server', >>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>> @@ -1885,7 +1885,7 @@ END >>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>> '-extensions', 'server', >>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>> if ($?) { >>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>> @@ -1904,7 +1904,7 @@ END >>> # System call is safe, because all arguments are passed as array. >>> system('/usr/bin/openssl', 'ca', '-gencrl', >>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>> if ($?) { >>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>> @@ -2426,8 +2426,8 @@ else >>> if ($confighash{$cgiparams{'KEY'}}) { >>> # Revoke certificate if certificate was deleted and rewrite the CRL >>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>> ### >>> # m.a.d net2net >>> @@ -2480,7 +2480,7 @@ else >>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >>> delete $confighash{$cgiparams{'KEY'}}; >>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >>> } else { >>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>> '-batch', '-notext', >>> '-in', $filename, >>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>> if ($?) { >>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ($filename); >>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>> '-newkey', 'rsa:4096', >>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>> '-batch', '-notext', >>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>> if ($?) { >>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>> diff --git a/lfs/openvpn b/lfs/openvpn >>> index b71b4ccc9..0704aa438 100644 >>> --- a/lfs/openvpn >>> +++ b/lfs/openvpn >>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>> + # Move the OpenSSL configuration file out of /var/ipfire >>> + mkdir -pv /usr/share/openvpn >> This creates the new directory. >>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> + /usr/share/openvpn/ >> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >>> + rmdir -v /usr/share/openvpn >> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. > > Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. > > I will send patches. > > -Michael > >> Regards, >> Adolf. >>> + >>> # Install authenticator >>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>> /usr/sbin/openvpn-authenticator >> >> -- >> Sent from my laptop > > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-08 10:43 ` Adolf Belka @ 2024-06-08 11:00 ` Adolf Belka 2024-06-08 11:16 ` Adolf Belka 1 sibling, 0 replies; 19+ messages in thread From: Adolf Belka @ 2024-06-08 11:00 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 12167 bytes --] Hi Michael, With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set. I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater. The minor changes I made, compared to the existing openvpn lfs and rootfile are the following --- config/rootfiles/common/openvpn | 2 +- lfs/openvpn | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..8a36d4bb4 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/ovpn.cnf var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..b686cc930 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater + # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/ + rmdir -v /var/ipfire/ovpn/openssl + # Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator -- So I think we are close to having it working. I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now. Regards, Adolf. On 08/06/2024 12:43, Adolf Belka wrote: > Hi Michael, > > I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location. > > am now doing a build on my vm and will see if that then creates the certificates or not. > > Regards, > Adolf. > > On 08/06/2024 12:14, Michael Tremer wrote: >> Hello, >> >> Thanks for testing this. >> >>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >>> >>> Hi Michael, >>> >>> On 07/06/2024 18:01, Michael Tremer wrote: >>>> We should not have any configuration files that we share in this place, >>>> therefore this patch is moving it into /usr/share/openvpn where we >>>> should be able to update it without any issues. >>>> >>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>> --- >>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>> config/rootfiles/common/openvpn | 2 +- >>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>> lfs/openvpn | 6 ++++++ >>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>> >>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >>>> index 5fbe21080..5008d6725 100644 >>>> --- a/config/ovpn/openvpn-crl-updater >>>> +++ b/config/ovpn/openvpn-crl-updater >>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >>>> CRL="${OVPN}/crls/cacrl.pem" >>>> CAKEY="${OVPN}/ca/cakey.pem" >>>> CACERT="${OVPN}/ca/cacert.pem" >>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >>>> # Check if CRL is presant or if OpenVPN is active >>>> if [ ! -e "${CAKEY}" ]; then >>>> @@ -76,7 +75,7 @@ UPDATE="14" >>>> ## Mainpart >>>> # Check if OpenVPNs CRL needs to be renewed >>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>> logger -t openvpn "CRL has been updated" >>>> else >>>> logger -t openvpn "error: Could not update CRL" >>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>> index d9848a579..c0d49bfad 100644 >>>> --- a/config/rootfiles/common/openvpn >>>> +++ b/config/rootfiles/common/openvpn >>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>> #usr/share/doc/openvpn/openvpn.8.html >>>> #usr/share/man/man5/openvpn-examples.5 >>>> #usr/share/man/man8/openvpn.8 >>>> +usr/share/openvpn/openssl.cnf >>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf >> >> Oh. >> >>>> var/ipfire/ovpn/ca >>>> var/ipfire/ovpn/caconfig >>>> var/ipfire/ovpn/ccd >>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>> var/ipfire/ovpn/crls >>>> var/ipfire/ovpn/n2nconf >>>> #var/ipfire/ovpn/openssl >>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>> var/ipfire/ovpn/openvpn-authenticator >>>> var/ipfire/ovpn/ovpn-leases.db >>>> var/ipfire/ovpn/ovpnconfig >>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>> index c92d0237d..f0172978f 100755 >>>> --- a/html/cgi-bin/ovpnmain.cgi >>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>> @@ -1836,7 +1836,7 @@ END >>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>> goto ROOTCERT_ERROR; >>>> } >>>> @@ -1868,7 +1868,7 @@ END >>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>> '-extensions', 'server', >>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>> @@ -1885,7 +1885,7 @@ END >>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>> '-extensions', 'server', >>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>> @@ -1904,7 +1904,7 @@ END >>>> # System call is safe, because all arguments are passed as array. >>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>> @@ -2426,8 +2426,8 @@ else >>>> if ($confighash{$cgiparams{'KEY'}}) { >>>> # Revoke certificate if certificate was deleted and rewrite the CRL >>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>> ### >>>> # m.a.d net2net >>>> @@ -2480,7 +2480,7 @@ else >>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >>>> delete $confighash{$cgiparams{'KEY'}}; >>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >>>> } else { >>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>> '-batch', '-notext', >>>> '-in', $filename, >>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ($filename); >>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>> '-newkey', 'rsa:4096', >>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>> '-batch', '-notext', >>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>> index b71b4ccc9..0704aa438 100644 >>>> --- a/lfs/openvpn >>>> +++ b/lfs/openvpn >>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>> + mkdir -pv /usr/share/openvpn >>> This creates the new directory. >>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>> + /usr/share/openvpn/ >>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >>>> + rmdir -v /usr/share/openvpn >>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. >> >> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. >> >> I will send patches. >> >> -Michael >> >>> Regards, >>> Adolf. >>>> + >>>> # Install authenticator >>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>> /usr/sbin/openvpn-authenticator >>> >>> -- >>> Sent from my laptop >> >> ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-08 10:43 ` Adolf Belka 2024-06-08 11:00 ` Adolf Belka @ 2024-06-08 11:16 ` Adolf Belka 2024-06-09 7:58 ` Adolf Belka 1 sibling, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-08 11:16 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 12422 bytes --] Re-sending with minor change as I think I left some bits in that made the mail server miss a section out. Hi Michael, With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set. I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater. The minor changes I made, compared to the existing openvpn lfs and rootfile are the following config/rootfiles/common/openvpn | 2 +- lfs/openvpn | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..8a36d4bb4 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/ovpn.cnf var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..b686cc930 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater + # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/ + rmdir -v /var/ipfire/ovpn/openssl + # Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator So I think we are close to having it working. I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now. I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch. Regards, Adolf. On 08/06/2024 12:43, Adolf Belka wrote: > Hi Michael, > > I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location. > > am now doing a build on my vm and will see if that then creates the certificates or not. > > Regards, > Adolf. > > On 08/06/2024 12:14, Michael Tremer wrote: >> Hello, >> >> Thanks for testing this. >> >>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >>> >>> Hi Michael, >>> >>> On 07/06/2024 18:01, Michael Tremer wrote: >>>> We should not have any configuration files that we share in this place, >>>> therefore this patch is moving it into /usr/share/openvpn where we >>>> should be able to update it without any issues. >>>> >>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>> --- >>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>> config/rootfiles/common/openvpn | 2 +- >>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>> lfs/openvpn | 6 ++++++ >>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>> >>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >>>> index 5fbe21080..5008d6725 100644 >>>> --- a/config/ovpn/openvpn-crl-updater >>>> +++ b/config/ovpn/openvpn-crl-updater >>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >>>> CRL="${OVPN}/crls/cacrl.pem" >>>> CAKEY="${OVPN}/ca/cakey.pem" >>>> CACERT="${OVPN}/ca/cacert.pem" >>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >>>> # Check if CRL is presant or if OpenVPN is active >>>> if [ ! -e "${CAKEY}" ]; then >>>> @@ -76,7 +75,7 @@ UPDATE="14" >>>> ## Mainpart >>>> # Check if OpenVPNs CRL needs to be renewed >>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>> logger -t openvpn "CRL has been updated" >>>> else >>>> logger -t openvpn "error: Could not update CRL" >>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>> index d9848a579..c0d49bfad 100644 >>>> --- a/config/rootfiles/common/openvpn >>>> +++ b/config/rootfiles/common/openvpn >>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>> #usr/share/doc/openvpn/openvpn.8.html >>>> #usr/share/man/man5/openvpn-examples.5 >>>> #usr/share/man/man8/openvpn.8 >>>> +usr/share/openvpn/openssl.cnf >>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf >> >> Oh. >> >>>> var/ipfire/ovpn/ca >>>> var/ipfire/ovpn/caconfig >>>> var/ipfire/ovpn/ccd >>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>> var/ipfire/ovpn/crls >>>> var/ipfire/ovpn/n2nconf >>>> #var/ipfire/ovpn/openssl >>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>> var/ipfire/ovpn/openvpn-authenticator >>>> var/ipfire/ovpn/ovpn-leases.db >>>> var/ipfire/ovpn/ovpnconfig >>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>> index c92d0237d..f0172978f 100755 >>>> --- a/html/cgi-bin/ovpnmain.cgi >>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>> @@ -1836,7 +1836,7 @@ END >>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>> goto ROOTCERT_ERROR; >>>> } >>>> @@ -1868,7 +1868,7 @@ END >>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>> '-extensions', 'server', >>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>> @@ -1885,7 +1885,7 @@ END >>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>> '-extensions', 'server', >>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>> @@ -1904,7 +1904,7 @@ END >>>> # System call is safe, because all arguments are passed as array. >>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>> @@ -2426,8 +2426,8 @@ else >>>> if ($confighash{$cgiparams{'KEY'}}) { >>>> # Revoke certificate if certificate was deleted and rewrite the CRL >>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>> ### >>>> # m.a.d net2net >>>> @@ -2480,7 +2480,7 @@ else >>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >>>> delete $confighash{$cgiparams{'KEY'}}; >>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >>>> } else { >>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>> '-batch', '-notext', >>>> '-in', $filename, >>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ($filename); >>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>> '-newkey', 'rsa:4096', >>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>> '-batch', '-notext', >>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>> if ($?) { >>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>> index b71b4ccc9..0704aa438 100644 >>>> --- a/lfs/openvpn >>>> +++ b/lfs/openvpn >>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>> + mkdir -pv /usr/share/openvpn >>> This creates the new directory. >>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>> + /usr/share/openvpn/ >>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >>>> + rmdir -v /usr/share/openvpn >>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. >> >> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. >> >> I will send patches. >> >> -Michael >> >>> Regards, >>> Adolf. >>>> + >>>> # Install authenticator >>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>> /usr/sbin/openvpn-authenticator >>> >>> -- >>> Sent from my laptop >> >> ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-08 11:16 ` Adolf Belka @ 2024-06-09 7:58 ` Adolf Belka 2024-06-10 16:02 ` Michael Tremer 0 siblings, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-09 7:58 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 13163 bytes --] Hi Michael, I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run. As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created. Regards, Adolf. On 08/06/2024 13:16, Adolf Belka wrote: > Re-sending with minor change as I think I left some bits in that made the mail server miss a section out. > > Hi Michael, > > With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set. > > I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater. > > The minor changes I made, compared to the existing openvpn lfs and rootfile are the following > > > > config/rootfiles/common/openvpn | 2 +- > lfs/openvpn | 6 ++++++ > 2 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn > index d9848a579..8a36d4bb4 100644 > --- a/config/rootfiles/common/openvpn > +++ b/config/rootfiles/common/openvpn > @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator > #usr/share/doc/openvpn/openvpn.8.html > #usr/share/man/man5/openvpn-examples.5 > #usr/share/man/man8/openvpn.8 > +usr/share/openvpn/ovpn.cnf > var/ipfire/ovpn/ca > var/ipfire/ovpn/caconfig > var/ipfire/ovpn/ccd > @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial > var/ipfire/ovpn/crls > var/ipfire/ovpn/n2nconf > #var/ipfire/ovpn/openssl > -var/ipfire/ovpn/openssl/ovpn.cnf > var/ipfire/ovpn/openvpn-authenticator > var/ipfire/ovpn/ovpn-leases.db > var/ipfire/ovpn/ovpnconfig > diff --git a/lfs/openvpn b/lfs/openvpn > index b71b4ccc9..b686cc930 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn > @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > chown root:root /etc/fcron.daily/openvpn-crl-updater > chmod 750 /etc/fcron.daily/openvpn-crl-updater > > + # Move the OpenSSL configuration file out of /var/ipfire > + mkdir -pv /usr/share/openvpn > + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ > + /usr/share/openvpn/ > + rmdir -v /var/ipfire/ovpn/openssl > + > # Install authenticator > install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ > /usr/sbin/openvpn-authenticator > > > So I think we are close to having it working. > > I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now. > > I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch. > > > Regards, > > Adolf. > > > On 08/06/2024 12:43, Adolf Belka wrote: >> Hi Michael, >> >> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location. >> >> am now doing a build on my vm and will see if that then creates the certificates or not. >> >> Regards, >> Adolf. >> >> On 08/06/2024 12:14, Michael Tremer wrote: >>> Hello, >>> >>> Thanks for testing this. >>> >>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >>>> >>>> Hi Michael, >>>> >>>> On 07/06/2024 18:01, Michael Tremer wrote: >>>>> We should not have any configuration files that we share in this place, >>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>> should be able to update it without any issues. >>>>> >>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>>> --- >>>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>>> config/rootfiles/common/openvpn | 2 +- >>>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>>> lfs/openvpn | 6 ++++++ >>>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>>> >>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >>>>> index 5fbe21080..5008d6725 100644 >>>>> --- a/config/ovpn/openvpn-crl-updater >>>>> +++ b/config/ovpn/openvpn-crl-updater >>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >>>>> CRL="${OVPN}/crls/cacrl.pem" >>>>> CAKEY="${OVPN}/ca/cakey.pem" >>>>> CACERT="${OVPN}/ca/cacert.pem" >>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >>>>> # Check if CRL is presant or if OpenVPN is active >>>>> if [ ! -e "${CAKEY}" ]; then >>>>> @@ -76,7 +75,7 @@ UPDATE="14" >>>>> ## Mainpart >>>>> # Check if OpenVPNs CRL needs to be renewed >>>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >>>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>>> logger -t openvpn "CRL has been updated" >>>>> else >>>>> logger -t openvpn "error: Could not update CRL" >>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>>> index d9848a579..c0d49bfad 100644 >>>>> --- a/config/rootfiles/common/openvpn >>>>> +++ b/config/rootfiles/common/openvpn >>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>> #usr/share/man/man5/openvpn-examples.5 >>>>> #usr/share/man/man8/openvpn.8 >>>>> +usr/share/openvpn/openssl.cnf >>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf >>> >>> Oh. >>> >>>>> var/ipfire/ovpn/ca >>>>> var/ipfire/ovpn/caconfig >>>>> var/ipfire/ovpn/ccd >>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>> var/ipfire/ovpn/crls >>>>> var/ipfire/ovpn/n2nconf >>>>> #var/ipfire/ovpn/openssl >>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>> var/ipfire/ovpn/openvpn-authenticator >>>>> var/ipfire/ovpn/ovpn-leases.db >>>>> var/ipfire/ovpn/ovpnconfig >>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>> index c92d0237d..f0172978f 100755 >>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>> @@ -1836,7 +1836,7 @@ END >>>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>> goto ROOTCERT_ERROR; >>>>> } >>>>> @@ -1868,7 +1868,7 @@ END >>>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>> '-extensions', 'server', >>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>>> @@ -1885,7 +1885,7 @@ END >>>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>>> '-extensions', 'server', >>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>> if ($?) { >>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>>> @@ -1904,7 +1904,7 @@ END >>>>> # System call is safe, because all arguments are passed as array. >>>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>>> if ($?) { >>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>> @@ -2426,8 +2426,8 @@ else >>>>> if ($confighash{$cgiparams{'KEY'}}) { >>>>> # Revoke certificate if certificate was deleted and rewrite the CRL >>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>> ### >>>>> # m.a.d net2net >>>>> @@ -2480,7 +2480,7 @@ else >>>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >>>>> delete $confighash{$cgiparams{'KEY'}}; >>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >>>>> } else { >>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>> '-batch', '-notext', >>>>> '-in', $filename, >>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>> if ($?) { >>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>> unlink ($filename); >>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>> '-newkey', 'rsa:4096', >>>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>> '-batch', '-notext', >>>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>> if ($?) { >>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>> index b71b4ccc9..0704aa438 100644 >>>>> --- a/lfs/openvpn >>>>> +++ b/lfs/openvpn >>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>> + mkdir -pv /usr/share/openvpn >>>> This creates the new directory. >>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>> + /usr/share/openvpn/ >>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >>>>> + rmdir -v /usr/share/openvpn >>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. >>> >>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. >>> >>> I will send patches. >>> >>> -Michael >>> >>>> Regards, >>>> Adolf. >>>>> + >>>>> # Install authenticator >>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>> /usr/sbin/openvpn-authenticator >>>> >>>> -- >>>> Sent from my laptop >>> >>> ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-09 7:58 ` Adolf Belka @ 2024-06-10 16:02 ` Michael Tremer 2024-06-11 9:09 ` Adolf Belka 0 siblings, 1 reply; 19+ messages in thread From: Michael Tremer @ 2024-06-10 16:02 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 13651 bytes --] Hello, > On 9 Jun 2024, at 08:58, Adolf Belka <adolf.belka(a)ipfire.org> wrote: > > Hi Michael, > > I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run. I didn’t merge the patches into master right away, and so the latest testing update doesn’t have the fixes. However, the latest patches fixed the problem, but ovpnmain.cgi is not part of the updater. So I have to do the final build again. After updating that file, the certificates can be generated properly. This is so messy :( > As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created. Thank you for confirming. -Michael > Regards, > > Adolf. > > > On 08/06/2024 13:16, Adolf Belka wrote: >> Re-sending with minor change as I think I left some bits in that made the mail server miss a section out. >> >> Hi Michael, >> >> With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set. >> >> I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater. >> >> The minor changes I made, compared to the existing openvpn lfs and rootfile are the following >> >> >> >> config/rootfiles/common/openvpn | 2 +- >> lfs/openvpn | 6 ++++++ >> 2 files changed, 7 insertions(+), 1 deletion(-) >> >> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >> index d9848a579..8a36d4bb4 100644 >> --- a/config/rootfiles/common/openvpn >> +++ b/config/rootfiles/common/openvpn >> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >> #usr/share/doc/openvpn/openvpn.8.html >> #usr/share/man/man5/openvpn-examples.5 >> #usr/share/man/man8/openvpn.8 >> +usr/share/openvpn/ovpn.cnf >> var/ipfire/ovpn/ca >> var/ipfire/ovpn/caconfig >> var/ipfire/ovpn/ccd >> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >> var/ipfire/ovpn/crls >> var/ipfire/ovpn/n2nconf >> #var/ipfire/ovpn/openssl >> -var/ipfire/ovpn/openssl/ovpn.cnf >> var/ipfire/ovpn/openvpn-authenticator >> var/ipfire/ovpn/ovpn-leases.db >> var/ipfire/ovpn/ovpnconfig >> diff --git a/lfs/openvpn b/lfs/openvpn >> index b71b4ccc9..b686cc930 100644 >> --- a/lfs/openvpn >> +++ b/lfs/openvpn >> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> chown root:root /etc/fcron.daily/openvpn-crl-updater >> chmod 750 /etc/fcron.daily/openvpn-crl-updater >> >> + # Move the OpenSSL configuration file out of /var/ipfire >> + mkdir -pv /usr/share/openvpn >> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >> + /usr/share/openvpn/ >> + rmdir -v /var/ipfire/ovpn/openssl >> + >> # Install authenticator >> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >> /usr/sbin/openvpn-authenticator >> >> >> So I think we are close to having it working. >> >> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now. >> >> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch. >> >> >> Regards, >> >> Adolf. >> >> >> On 08/06/2024 12:43, Adolf Belka wrote: >>> Hi Michael, >>> >>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location. >>> >>> am now doing a build on my vm and will see if that then creates the certificates or not. >>> >>> Regards, >>> Adolf. >>> >>> On 08/06/2024 12:14, Michael Tremer wrote: >>>> Hello, >>>> >>>> Thanks for testing this. >>>> >>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >>>>> >>>>> Hi Michael, >>>>> >>>>> On 07/06/2024 18:01, Michael Tremer wrote: >>>>>> We should not have any configuration files that we share in this place, >>>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>>> should be able to update it without any issues. >>>>>> >>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>>>> --- >>>>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>>>> config/rootfiles/common/openvpn | 2 +- >>>>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>>>> lfs/openvpn | 6 ++++++ >>>>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>>>> >>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >>>>>> index 5fbe21080..5008d6725 100644 >>>>>> --- a/config/ovpn/openvpn-crl-updater >>>>>> +++ b/config/ovpn/openvpn-crl-updater >>>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >>>>>> CRL="${OVPN}/crls/cacrl.pem" >>>>>> CAKEY="${OVPN}/ca/cakey.pem" >>>>>> CACERT="${OVPN}/ca/cacert.pem" >>>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >>>>>> # Check if CRL is presant or if OpenVPN is active >>>>>> if [ ! -e "${CAKEY}" ]; then >>>>>> @@ -76,7 +75,7 @@ UPDATE="14" >>>>>> ## Mainpart >>>>>> # Check if OpenVPNs CRL needs to be renewed >>>>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >>>>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>>>> logger -t openvpn "CRL has been updated" >>>>>> else >>>>>> logger -t openvpn "error: Could not update CRL" >>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>>>> index d9848a579..c0d49bfad 100644 >>>>>> --- a/config/rootfiles/common/openvpn >>>>>> +++ b/config/rootfiles/common/openvpn >>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>>> #usr/share/man/man5/openvpn-examples.5 >>>>>> #usr/share/man/man8/openvpn.8 >>>>>> +usr/share/openvpn/openssl.cnf >>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf >>>> >>>> Oh. >>>> >>>>>> var/ipfire/ovpn/ca >>>>>> var/ipfire/ovpn/caconfig >>>>>> var/ipfire/ovpn/ccd >>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>>> var/ipfire/ovpn/crls >>>>>> var/ipfire/ovpn/n2nconf >>>>>> #var/ipfire/ovpn/openssl >>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>>> var/ipfire/ovpn/openvpn-authenticator >>>>>> var/ipfire/ovpn/ovpn-leases.db >>>>>> var/ipfire/ovpn/ovpnconfig >>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>>> index c92d0237d..f0172978f 100755 >>>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>>> @@ -1836,7 +1836,7 @@ END >>>>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>>> goto ROOTCERT_ERROR; >>>>>> } >>>>>> @@ -1868,7 +1868,7 @@ END >>>>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>> '-extensions', 'server', >>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>>>> @@ -1885,7 +1885,7 @@ END >>>>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>>>> '-extensions', 'server', >>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>> if ($?) { >>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>>>> @@ -1904,7 +1904,7 @@ END >>>>>> # System call is safe, because all arguments are passed as array. >>>>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>>>> if ($?) { >>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>> @@ -2426,8 +2426,8 @@ else >>>>>> if ($confighash{$cgiparams{'KEY'}}) { >>>>>> # Revoke certificate if certificate was deleted and rewrite the CRL >>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>> ### >>>>>> # m.a.d net2net >>>>>> @@ -2480,7 +2480,7 @@ else >>>>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >>>>>> delete $confighash{$cgiparams{'KEY'}}; >>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >>>>>> } else { >>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>> '-batch', '-notext', >>>>>> '-in', $filename, >>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>> if ($?) { >>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ($filename); >>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>> '-newkey', 'rsa:4096', >>>>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>> '-batch', '-notext', >>>>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>> if ($?) { >>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>>> index b71b4ccc9..0704aa438 100644 >>>>>> --- a/lfs/openvpn >>>>>> +++ b/lfs/openvpn >>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>> + mkdir -pv /usr/share/openvpn >>>>> This creates the new directory. >>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>> + /usr/share/openvpn/ >>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >>>>>> + rmdir -v /usr/share/openvpn >>>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. >>>> >>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. >>>> >>>> I will send patches. >>>> >>>> -Michael >>>> >>>>> Regards, >>>>> Adolf. >>>>>> + >>>>>> # Install authenticator >>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>>> /usr/sbin/openvpn-authenticator >>>>> >>>>> -- >>>>> Sent from my laptop >>>> >>>> ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-10 16:02 ` Michael Tremer @ 2024-06-11 9:09 ` Adolf Belka 0 siblings, 0 replies; 19+ messages in thread From: Adolf Belka @ 2024-06-11 9:09 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 14779 bytes --] Hi Michael, On 10/06/2024 18:02, Michael Tremer wrote: > Hello, > >> On 9 Jun 2024, at 08:58, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >> >> Hi Michael, >> >> I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run. > > I didn’t merge the patches into master right away, and so the latest testing update doesn’t have the fixes. > > However, the latest patches fixed the problem, but ovpnmain.cgi is not part of the updater. So I have to do the final build again. > > After updating that file, the certificates can be generated properly. > > This is so messy :( > >> As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created. > > Thank you for confirming. The master nightly was updated last night so I have tested today. Testing the x509 creation on the CU185 vm failed, as would be expected. I then ran the update to CU186 Testing. Checked the /usr/share/openvpn/ directory. It was present and contained ovpn.cnf. I then rebooted and then ran the x509 creation. It was successful in that it created the root and host certificates. I then created an openvpn client connection from it to my laptop. I was able to successfully create an OpenVPN Road Warrior connection. So it looks (fingers crossed) that it is now working correctly in that the openssl config file for openvpn is getting updated with the Core Update. Regards, Adolf. > > -Michael > >> Regards, >> >> Adolf. >> >> >> On 08/06/2024 13:16, Adolf Belka wrote: >>> Re-sending with minor change as I think I left some bits in that made the mail server miss a section out. >>> >>> Hi Michael, >>> >>> With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set. >>> >>> I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater. >>> >>> The minor changes I made, compared to the existing openvpn lfs and rootfile are the following >>> >>> >>> >>> config/rootfiles/common/openvpn | 2 +- >>> lfs/openvpn | 6 ++++++ >>> 2 files changed, 7 insertions(+), 1 deletion(-) >>> >>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>> index d9848a579..8a36d4bb4 100644 >>> --- a/config/rootfiles/common/openvpn >>> +++ b/config/rootfiles/common/openvpn >>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>> #usr/share/doc/openvpn/openvpn.8.html >>> #usr/share/man/man5/openvpn-examples.5 >>> #usr/share/man/man8/openvpn.8 >>> +usr/share/openvpn/ovpn.cnf >>> var/ipfire/ovpn/ca >>> var/ipfire/ovpn/caconfig >>> var/ipfire/ovpn/ccd >>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>> var/ipfire/ovpn/crls >>> var/ipfire/ovpn/n2nconf >>> #var/ipfire/ovpn/openssl >>> -var/ipfire/ovpn/openssl/ovpn.cnf >>> var/ipfire/ovpn/openvpn-authenticator >>> var/ipfire/ovpn/ovpn-leases.db >>> var/ipfire/ovpn/ovpnconfig >>> diff --git a/lfs/openvpn b/lfs/openvpn >>> index b71b4ccc9..b686cc930 100644 >>> --- a/lfs/openvpn >>> +++ b/lfs/openvpn >>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>> >>> + # Move the OpenSSL configuration file out of /var/ipfire >>> + mkdir -pv /usr/share/openvpn >>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> + /usr/share/openvpn/ >>> + rmdir -v /var/ipfire/ovpn/openssl >>> + >>> # Install authenticator >>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>> /usr/sbin/openvpn-authenticator >>> >>> >>> So I think we are close to having it working. >>> >>> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now. >>> >>> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch. >>> >>> >>> Regards, >>> >>> Adolf. >>> >>> >>> On 08/06/2024 12:43, Adolf Belka wrote: >>>> Hi Michael, >>>> >>>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location. >>>> >>>> am now doing a build on my vm and will see if that then creates the certificates or not. >>>> >>>> Regards, >>>> Adolf. >>>> >>>> On 08/06/2024 12:14, Michael Tremer wrote: >>>>> Hello, >>>>> >>>>> Thanks for testing this. >>>>> >>>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >>>>>> >>>>>> Hi Michael, >>>>>> >>>>>> On 07/06/2024 18:01, Michael Tremer wrote: >>>>>>> We should not have any configuration files that we share in this place, >>>>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>>>> should be able to update it without any issues. >>>>>>> >>>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>>>>> --- >>>>>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>>>>> config/rootfiles/common/openvpn | 2 +- >>>>>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>>>>> lfs/openvpn | 6 ++++++ >>>>>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>>>>> >>>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater >>>>>>> index 5fbe21080..5008d6725 100644 >>>>>>> --- a/config/ovpn/openvpn-crl-updater >>>>>>> +++ b/config/ovpn/openvpn-crl-updater >>>>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" >>>>>>> CRL="${OVPN}/crls/cacrl.pem" >>>>>>> CAKEY="${OVPN}/ca/cakey.pem" >>>>>>> CACERT="${OVPN}/ca/cacert.pem" >>>>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" >>>>>>> # Check if CRL is presant or if OpenVPN is active >>>>>>> if [ ! -e "${CAKEY}" ]; then >>>>>>> @@ -76,7 +75,7 @@ UPDATE="14" >>>>>>> ## Mainpart >>>>>>> # Check if OpenVPNs CRL needs to be renewed >>>>>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>>>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then >>>>>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>>>>> logger -t openvpn "CRL has been updated" >>>>>>> else >>>>>>> logger -t openvpn "error: Could not update CRL" >>>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>>>>> index d9848a579..c0d49bfad 100644 >>>>>>> --- a/config/rootfiles/common/openvpn >>>>>>> +++ b/config/rootfiles/common/openvpn >>>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>>>> #usr/share/man/man5/openvpn-examples.5 >>>>>>> #usr/share/man/man8/openvpn.8 >>>>>>> +usr/share/openvpn/openssl.cnf >>>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf >>>>> >>>>> Oh. >>>>> >>>>>>> var/ipfire/ovpn/ca >>>>>>> var/ipfire/ovpn/caconfig >>>>>>> var/ipfire/ovpn/ccd >>>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>>>> var/ipfire/ovpn/crls >>>>>>> var/ipfire/ovpn/n2nconf >>>>>>> #var/ipfire/ovpn/openssl >>>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>>>> var/ipfire/ovpn/openvpn-authenticator >>>>>>> var/ipfire/ovpn/ovpn-leases.db >>>>>>> var/ipfire/ovpn/ovpnconfig >>>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>>>> index c92d0237d..f0172978f 100755 >>>>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>>>> @@ -1836,7 +1836,7 @@ END >>>>>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>>>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>>>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>>>> goto ROOTCERT_ERROR; >>>>>>> } >>>>>>> @@ -1868,7 +1868,7 @@ END >>>>>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>>> '-extensions', 'server', >>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>>>>> @@ -1885,7 +1885,7 @@ END >>>>>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>>>>> '-extensions', 'server', >>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>>> if ($?) { >>>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>>>>> @@ -1904,7 +1904,7 @@ END >>>>>>> # System call is safe, because all arguments are passed as array. >>>>>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>>>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>>>>> if ($?) { >>>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>>> @@ -2426,8 +2426,8 @@ else >>>>>>> if ($confighash{$cgiparams{'KEY'}}) { >>>>>>> # Revoke certificate if certificate was deleted and rewrite the CRL >>>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>>> ### >>>>>>> # m.a.d net2net >>>>>>> @@ -2480,7 +2480,7 @@ else >>>>>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); >>>>>>> delete $confighash{$cgiparams{'KEY'}}; >>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); >>>>>>> } else { >>>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>>> '-batch', '-notext', >>>>>>> '-in', $filename, >>>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>>> if ($?) { >>>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>>> unlink ($filename); >>>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>>> '-newkey', 'rsa:4096', >>>>>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>>> $errormessage = "$Lang::tr{'cant start openssl'}: $!"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>>> '-batch', '-notext', >>>>>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>>> if ($?) { >>>>>>> $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>>>> index b71b4ccc9..0704aa438 100644 >>>>>>> --- a/lfs/openvpn >>>>>>> +++ b/lfs/openvpn >>>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>>> + mkdir -pv /usr/share/openvpn >>>>>> This creates the new directory. >>>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>>> + /usr/share/openvpn/ >>>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change. >>>>>>> + rmdir -v /usr/share/openvpn >>>>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case. >>>>> >>>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously. >>>>> >>>>> I will send patches. >>>>> >>>>> -Michael >>>>> >>>>>> Regards, >>>>>> Adolf. >>>>>>> + >>>>>>> # Install authenticator >>>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>>>> /usr/sbin/openvpn-authenticator >>>>>> >>>>>> -- >>>>>> Sent from my laptop >>>>> >>>>> > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-07 8:22 ` Adolf Belka 2024-06-07 16:01 ` [PATCH] " Michael Tremer @ 2024-06-07 16:03 ` Michael Tremer 2024-06-07 16:24 ` Adolf Belka 1 sibling, 1 reply; 19+ messages in thread From: Michael Tremer @ 2024-06-07 16:03 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 9111 bytes --] Hello, No, you are right. This does not work. I submitted a new patch does solves this in a more boring, but functioning way. https://patchwork.ipfire.org/project/ipfire/patch/20240607160107.3478827-1-michael.tremer(a)ipfire.org/ I tried to send this patch as a reply to this thread, but weirdly this doesn’t seem to work for me. Best, -Michael > On 7 Jun 2024, at 09:22, Adolf Belka <adolf.belka(a)ipfire.org> wrote: > > Hi Michael, > > Any comments on my feedback, did I make some errors or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186 which would mean giving it some good testing, which I am willing and available to do. > > Regards, > > Adolf. > > On 05/06/2024 13:52, Adolf Belka wrote: >> I re-did the vm build and first did a restore of my system so I could access the logs via ssh. >> >> Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file >> >> ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++ >> ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+.........................+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++ >> ----- >> You are about to be asked to enter information that will be incorporated >> into your certificate request. >> What you are about to enter is what is called a Distinguished Name or a DN. >> There are quite a few fields but you can leave some blank >> For some fields there will be a default value, >> If you enter '.', the field will be left blank. >> ----- >> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server >> >> So you can see explicitly what it came back with. >> >> Regards, >> >> Adolf >> >> >> On 05/06/2024 13:33, Adolf Belka wrote: >>> Hi All, >>> >>> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch. >>> >>> I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message. >>> >>> In the httpd/error_log file it had the following message >>> >>> Email Address []:Error checking request extension section server >>> >>> Regards, >>> >>> Adolf. >>> >>> On 05/06/2024 13:26, Adolf Belka wrote: >>>> Hi Michael, >>>> >>>> Here is my feedback on these three patches and the issues I found when I tried to use them. >>>> >>>> I had to manually apply them so there is also the possibility that I made a typo somewhere. >>>> >>>> On 18/04/2024 23:36, Michael Tremer wrote: >>>>> We should not have any configuration files that we share in this place, >>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>> should be able to update it without any issues. >>>>> >>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>>> --- >>>>> config/rootfiles/common/openvpn | 2 +- >>>>> html/cgi-bin/ovpnmain.cgi | 2 +- >>>>> lfs/openvpn | 6 ++++++ >>>>> 3 files changed, 8 insertions(+), 2 deletions(-) >>>>> >>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>>> index d9848a579..c0d49bfad 100644 >>>>> --- a/config/rootfiles/common/openvpn >>>>> +++ b/config/rootfiles/common/openvpn >>>> These changes were no problem. >>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>> #usr/share/man/man5/openvpn-examples.5 >>>>> #usr/share/man/man8/openvpn.8 >>>>> +usr/share/openvpn/openssl.cnf >>>>> var/ipfire/ovpn/ca >>>>> var/ipfire/ovpn/caconfig >>>>> var/ipfire/ovpn/ccd >>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>> var/ipfire/ovpn/crls >>>>> var/ipfire/ovpn/n2nconf >>>>> #var/ipfire/ovpn/openssl >>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>> var/ipfire/ovpn/openvpn-authenticator >>>>> var/ipfire/ovpn/ovpn-leases.db >>>>> var/ipfire/ovpn/ovpnconfig >>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>> index 9b8ff5aa5..ed80fef7d 100755 >>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>> Also this change no problem. >>>>> @@ -54,7 +54,7 @@ my %mainsettings = (); >>>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); >>>>> # Use a custom OpenSSL configuration file for all operations >>>>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; >>>>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; >>>>> ### >>>>> ### Initialize variables >>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>> index b71b4ccc9..0704aa438 100644 >>>>> --- a/lfs/openvpn >>>>> +++ b/lfs/openvpn >>>> This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. >>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>> + mkdir -pv /usr/share/openvpn >>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>> + /usr/share/openvpn/ >>>>> + rmdir -v /usr/share/openvpn >>>>> + >>>> >>>> The above lines I changed to >>>> >>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>> + mkdir -pv /usr/share/openvpn >>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>> + /usr/share/openvpn/openssl.cnf >>>> + rmdir -v /var/ipfire/ovpn/openssl/ >>>> + >>>> with my changes in the last two lines. >>>> When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. >>>> >>>> Regards, >>>> Adolf. >>>> >>>>> # Install authenticator >>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>> /usr/sbin/openvpn-authenticator ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-07 16:03 ` [PATCH 2/3] " Michael Tremer @ 2024-06-07 16:24 ` Adolf Belka 2024-06-07 19:46 ` Adolf Belka 0 siblings, 1 reply; 19+ messages in thread From: Adolf Belka @ 2024-06-07 16:24 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 9491 bytes --] Hi Michael, On 07/06/2024 18:03, Michael Tremer wrote: > Hello, > > No, you are right. This does not work. > > I submitted a new patch does solves this in a more boring, but functioning way. > > https://patchwork.ipfire.org/project/ipfire/patch/20240607160107.3478827-1-michael.tremer(a)ipfire.org/ > > I tried to send this patch as a reply to this thread, but weirdly this doesn’t seem to work for me. I saw the patch submission so I will try and test it out and hopefully confirm that everything then works fine. Regards, Adolf. > > Best, > -Michael > >> On 7 Jun 2024, at 09:22, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >> >> Hi Michael, >> >> Any comments on my feedback, did I make some errors or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186 which would mean giving it some good testing, which I am willing and available to do. >> >> Regards, >> >> Adolf. >> >> On 05/06/2024 13:52, Adolf Belka wrote: >>> I re-did the vm build and first did a restore of my system so I could access the logs via ssh. >>> >>> Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file >>> >>> ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++ >>> ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+.........................+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++ >>> ----- >>> You are about to be asked to enter information that will be incorporated >>> into your certificate request. >>> What you are about to enter is what is called a Distinguished Name or a DN. >>> There are quite a few fields but you can leave some blank >>> For some fields there will be a default value, >>> If you enter '.', the field will be left blank. >>> ----- >>> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server >>> >>> So you can see explicitly what it came back with. >>> >>> Regards, >>> >>> Adolf >>> >>> >>> On 05/06/2024 13:33, Adolf Belka wrote: >>>> Hi All, >>>> >>>> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch. >>>> >>>> I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message. >>>> >>>> In the httpd/error_log file it had the following message >>>> >>>> Email Address []:Error checking request extension section server >>>> >>>> Regards, >>>> >>>> Adolf. >>>> >>>> On 05/06/2024 13:26, Adolf Belka wrote: >>>>> Hi Michael, >>>>> >>>>> Here is my feedback on these three patches and the issues I found when I tried to use them. >>>>> >>>>> I had to manually apply them so there is also the possibility that I made a typo somewhere. >>>>> >>>>> On 18/04/2024 23:36, Michael Tremer wrote: >>>>>> We should not have any configuration files that we share in this place, >>>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>>> should be able to update it without any issues. >>>>>> >>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>>>> --- >>>>>> config/rootfiles/common/openvpn | 2 +- >>>>>> html/cgi-bin/ovpnmain.cgi | 2 +- >>>>>> lfs/openvpn | 6 ++++++ >>>>>> 3 files changed, 8 insertions(+), 2 deletions(-) >>>>>> >>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>>>> index d9848a579..c0d49bfad 100644 >>>>>> --- a/config/rootfiles/common/openvpn >>>>>> +++ b/config/rootfiles/common/openvpn >>>>> These changes were no problem. >>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>>> #usr/share/man/man5/openvpn-examples.5 >>>>>> #usr/share/man/man8/openvpn.8 >>>>>> +usr/share/openvpn/openssl.cnf >>>>>> var/ipfire/ovpn/ca >>>>>> var/ipfire/ovpn/caconfig >>>>>> var/ipfire/ovpn/ccd >>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>>> var/ipfire/ovpn/crls >>>>>> var/ipfire/ovpn/n2nconf >>>>>> #var/ipfire/ovpn/openssl >>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>>> var/ipfire/ovpn/openvpn-authenticator >>>>>> var/ipfire/ovpn/ovpn-leases.db >>>>>> var/ipfire/ovpn/ovpnconfig >>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>>> index 9b8ff5aa5..ed80fef7d 100755 >>>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>> Also this change no problem. >>>>>> @@ -54,7 +54,7 @@ my %mainsettings = (); >>>>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); >>>>>> # Use a custom OpenSSL configuration file for all operations >>>>>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; >>>>>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; >>>>>> ### >>>>>> ### Initialize variables >>>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>>> index b71b4ccc9..0704aa438 100644 >>>>>> --- a/lfs/openvpn >>>>>> +++ b/lfs/openvpn >>>>> This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. >>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>> + mkdir -pv /usr/share/openvpn >>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>> + /usr/share/openvpn/ >>>>>> + rmdir -v /usr/share/openvpn >>>>>> + >>>>> >>>>> The above lines I changed to >>>>> >>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>> + mkdir -pv /usr/share/openvpn >>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>> + /usr/share/openvpn/openssl.cnf >>>>> + rmdir -v /var/ipfire/ovpn/openssl/ >>>>> + >>>>> with my changes in the last two lines. >>>>> When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. >>>>> >>>>> Regards, >>>>> Adolf. >>>>> >>>>>> # Install authenticator >>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>>> /usr/sbin/openvpn-authenticator > -- Sent from my laptop ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 2024-06-07 16:24 ` Adolf Belka @ 2024-06-07 19:46 ` Adolf Belka 0 siblings, 0 replies; 19+ messages in thread From: Adolf Belka @ 2024-06-07 19:46 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 137544 bytes --] Hi Michael, On 07/06/2024 18:24, Adolf Belka wrote: > Hi Michael, > > On 07/06/2024 18:03, Michael Tremer wrote: >> Hello, >> >> No, you are right. This does not work. >> >> I submitted a new patch does solves this in a more boring, but functioning way. >> >> https://patchwork.ipfire.org/project/ipfire/patch/20240607160107.3478827-1-michael.tremer(a)ipfire.org/ >> >> I tried to send this patch as a reply to this thread, but weirdly this doesn’t seem to work for me. > I saw the patch submission so I will try and test it out and hopefully confirm that everything then works fine. > > Regards, > Adolf. > I applied the patch set and then did the build. Unfortunately building the openvpn lfs failed at the step when trying to delete the directory /usr/share/openvpn after copying ovpn.cnf to that directory. In my mind it seems that it is not /usr/share/openvpn that needs to be deleted after copying the file but /var/ipfire/ovpn/openssl/ Here is the build error log for openvpn --------------------------------------------------------------------------------- Jun 7 19:21:37: Building openvpn openvpn-2.5.9.tar.gz checksum OK + cd /usr/src/lfs + make -f openvpn LFS_BASEDIR=/usr/src install ====================================== Installing openvpn-2.5.9 ... Install started; saving file list to /usr/src/lsalr ... cd /usr/src/openvpn-2.5.9 && ./configure \ --prefix=/usr \ --sysconfdir=/var/ipfire/ovpn \ --enable-iproute2 \ --enable-plugins \ --enable-plugin-auth-pam \ --enable-plugin-down-root checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a race-free mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking build system type... x86_64-pc-linux-gnu checking host system type... x86_64-pc-linux-gnu checking whether make supports the include directive... yes (GNU style) checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether the compiler supports GNU C... yes checking whether gcc accepts -g... yes checking for gcc option to enable C11 features... none needed checking whether gcc understands -c and -o together... yes checking dependency style of gcc... gcc3 checking for stdio.h... yes checking for stdlib.h... yes checking for string.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for strings.h... yes checking for sys/stat.h... yes checking for sys/types.h... yes checking for unistd.h... yes checking for wchar.h... yes checking for minix/config.h... no checking for vfork.h... no checking whether it is safe to define __EXTENSIONS__... yes checking whether _XOPEN_SOURCE should be defined... no checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking how to run the C preprocessor... gcc -E checking whether ln -s works... yes checking for a sed that does not truncate output... /bin/sed checking whether make sets $(MAKE)... (cached) yes checking for ifconfig... /sbin/ifconfig checking for route... /sbin/route checking for ip... /sbin/ip checking for systemd-ask-password... no checking for netstat... netstat checking for git... no checking for rst2man... no checking for rst2man.py... rst2man.py checking for rst2html... no checking for rst2html.py... rst2html.py checking how to print strings... printf checking for a sed that does not truncate output... (cached) /bin/sed checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for fgrep... /bin/grep -F checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking the maximum length of command line arguments... 1572864 checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop checking for /usr/bin/ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for dlltool... no checking how to associate runtime and link libraries... printf %s\n checking for ar... ar checking for archiver @FILE support... @ checking for strip... strip checking for ranlib... ranlib checking command to parse /usr/bin/nm -B output from gcc object... ok checking for sysroot... no--------------------------------------------------------------------------------- checking for a working dd... /bin/dd checking how to truncate binary pipes... /bin/dd bs=4096 count=1 checking for mt... no checking if : is a manifest tool... no checking for dlfcn.h... yes checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... yes checking if gcc supports -c -o file.o... yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes checking for windres... no checking for an ANSI C-conforming const... yes checking for inline... inline checking for working volatile... yes checking for off_t... yes checking for pid_t... yes checking for size_t... yes checking for uid_t in sys/types.h... yes checking for int8_t... yes checking for int16_t... yes checking for int32_t... yes checking for int64_t... yes checking for uint8_t... yes checking for uint16_t... yes checking for uint32_t... yes checking for uint64_t... yes checking return type of signal handlers... void checking for ISO C 1999 vararg macro support... yes checking for GNU GCC vararg macro support... yes checking for socklen_t... yes checking for C compiler empty array size... 0 checking size of unsigned int... 4 checking size of unsigned long... 8 checking for stdio.h... (cached) yes checking for stdarg.h... yes checking for limits.h... yes checking for time.h... yes checking for errno.h... yes checking for fcntl.h... yes checking for io.h... no checking for direct.h... no checking for ctype.h... yes checking for sys/types.h... (cached) yes checking for sys/socket.h... yes checking for signal.h... yes checking for unistd.h... (cached) yes checking for dlfcn.h... (cached) yes checking for netinet/in.h... yes checking for netinet/in_systm.h... yes checking for netinet/tcp.h... yes checking for arpa/inet.h... yes checking for netdb.h... yes checking for windows.h... no checking for winsock2.h... no checking for ws2tcpip.h... no checking for versionhelpers.h... no checking for sys/time.h... yes checking for sys/ioctl.h... yes checking for sys/stat.h... (cached) yes checking for sys/mman.h... yes checking for sys/file.h... yes checking for sys/wait.h... yes checking for unistd.h... (cached) yes checking for signal.h... (cached) yes checking for libgen.h... yes checking for stropts.h... no checking for syslog.h... yes checking for pwd.h... yes checking for grp.h... yes checking for sys/sockio.h... no checking for sys/uio.h... yes checking for linux/sockios.h... yes checking for linux/types.h... yes checking for linux/errqueue.h... yes checking for poll.h... yes checking for sys/epoll.h... yes checking for err.h... yes checking for net/if.h... yes checking for netinet/ip.h... yes checking for resolv.h... yes checking for sys/un.h... yes checking for net/if_utun.h... no checking for sys/kern_control.h... no checking for in_addr_t... yes checking for in_port_t... yes checking for struct iphdr... yes checking for struct msghdr... yes checking for struct cmsghdr... yes checking for struct in_pktinfo... yes checking for sa_family_t... yes checking for struct in_pktinfo.ipi_spec_dst... yes checking for struct sockaddr_in6... yes checking for gcc options needed to detect all undeclared functions... none needed checking whether SO_MARK is declared... yes configure: checking anonymous union support... yes checking linker supports --wrap... yes checking whether SIGHUP is declared... yes checking whether SIGINT is declared... yes checking whether SIGUSR1 is declared... yes checking whether SIGUSR2 is declared... yes checking whether SIGTERM is declared... yes checking for fork... yes checking for vfork... yes checking for working fork... yes checking for working vfork... (cached) yes checking for daemon... yes checking for chroot... yes checking for getpwnam... yes checking for setuid... yes checking for nice... yes checking for system... yes checking for getpid... yes checking for dup... yes checking for dup2... yes checking for getpass... yes checking for syslog... yes checking for openlog... yes checking for mlockall... yes checking for getgrnam... yes checking for setgid... yes checking for setgroups... yes checking for stat... yes checking for flock... yes checking for readv... yes checking for writev... yes checking for time... yes checking for gettimeofday... yes checking for ctime... yes checking for memset... yes checking for vsnprintf... yes checking for strdup... yes checking for setsid... yes checking for chdir... yes checking for putenv... yes checking for getpeername... yes checking for unlink... yes checking for chsize... no checking for ftruncate... yes checking for execve... yes checking for getpeereid... no checking for umask... yes checking for basename... yes checking for dirname... yes checking for access... yes checking for epoll_create... yes checking for strsep... yes checking for dlopen in -ldl... yes checking for inet_ntoa in -lnsl... no checking for socket in -lsocket... no checking for gethostbyname in -lresolv... yes checking for sendmsg... yes checking for recvmsg... yes checking for inet_ntop... yes checking for inet_pton... yes checking for socket... yes checking for recv... yes checking for recvfrom... yes checking for send... yes checking for sendto... yes checking for listen... yes checking for accept... yes checking for connect... yes checking for bind... yes checking for select... yes checking for gethostbyname... yes checking for inet_ntoa... yes checking for setsockopt... yes checking for getsockopt... yes checking for getsockname... yes checking for poll... yes checking for library containing __res_init... none required checking for net/if_tun.h... no checking for net/tun/if_tun.h... no checking for linux/if_tun.h... yes checking for tap-windows.h... no checking whether TUNSETPERSIST is declared... yes checking for setcon in -lselinux... no checking for pam_start in -lpam... yes checking for PKCS11_HELPER... no checking for OPENSSL... yes checking for SSL_CTX_new... yes checking for EVP_CIPHER_CTX_set_key_length... yes checking for EVP_aes_256_gcm... yes checking for HMAC_CTX_new... yes checking for HMAC_CTX_free... yes checking for HMAC_CTX_reset... yes checking for EVP_MD_CTX_new... yes checking for EVP_MD_CTX_free... yes checking for EVP_MD_CTX_reset... yes checking for EVP_CIPHER_CTX_reset... yes checking for OpenSSL_version... yes checking for SSL_CTX_get_default_passwd_cb... yes checking for SSL_CTX_get_default_passwd_cb_userdata... yes checking for SSL_CTX_set1_groups... no checking for SSL_CTX_set_security_level... yes checking for X509_get0_notBefore... yes checking for X509_get0_notAfter... yes checking for X509_get0_pubkey... yes checking for X509_STORE_get0_objects... yes checking for X509_OBJECT_free... yes checking for X509_OBJECT_get_type... yes checking for EVP_PKEY_get0_RSA... yes checking for EVP_PKEY_get0_DSA... yes checking for EVP_PKEY_get0_EC_KEY... yes checking for RSA_set_flags... yes checking for RSA_bits... yes checking for RSA_get0_key... yes checking for RSA_set0_key... yes checking for DSA_get0_pqg... yes checking for DSA_bits... yes checking for RSA_meth_new... yes checking for RSA_meth_free... yes checking for RSA_meth_set_pub_enc... yes checking for RSA_meth_set_pub_dec... yes checking for RSA_meth_set_priv_enc... yes checking for RSA_meth_set_priv_dec... yes checking for RSA_meth_set_init... yes checking for RSA_meth_set_sign... yes checking for RSA_meth_set_finish... yes checking for RSA_meth_set0_app_data... yes checking for RSA_meth_get0_app_data... yes checking for EC_GROUP_order_bits... yes checking for lzo1x_1_15_compress in -llzo2... yes checking for lzo/lzoutil.h... yes checking for lzo/lzo1x.h... yes checking for LZ4... yes checking for LZ4_compress_default in -llz4... yes checking for LZ4_decompress_safe in -llz4... yes checking git checkout... no checking whether the compiler accepts -Wno-stringop-truncation... yes checking whether the compiler accepts -Wall... yes checking for CMOCKA... no configure: WARNING: cmocka.pc not found on the system. Unit tests disabled checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating version.sh config.status: creating Makefile config.status: creating build/Makefile config.status: creating build/msvc/Makefile config.status: creating build/msvc/msvc-generate/Makefile config.status: creating distro/Makefile config.status: creating distro/systemd/Makefile config.status: creating doc/Makefile config.status: creating doc/doxygen/Makefile config.status: creating doc/doxygen/openvpn.doxyfile config.status: creating include/Makefile config.status: creating sample/sample-plugins/Makefile config.status: creating src/Makefile config.status: creating src/compat/Makefile config.status: creating src/openvpn/Makefile config.status: creating src/openvpnmsica/Makefile config.status: creating src/openvpnserv/Makefile config.status: creating src/plugins/Makefile config.status: creating src/plugins/auth-pam/Makefile config.status: creating src/plugins/down-root/Makefile config.status: creating src/tapctl/Makefile config.status: creating tests/Makefile config.status: creating tests/unit_tests/Makefile config.status: creating tests/unit_tests/example_test/Makefile config.status: creating tests/unit_tests/openvpn/Makefile config.status: creating tests/unit_tests/plugins/Makefile config.status: creating tests/unit_tests/plugins/auth-pam/Makefile config.status: creating tests/unit_tests/engine-key/Makefile config.status: creating sample/Makefile config.status: creating tests/t_client.sh config.status: creating config.h config.status: creating include/openvpn-plugin.h config.status: include/openvpn-plugin.h is unchanged config.status: executing depfiles commands config.status: executing libtool commands cd /usr/src/openvpn-2.5.9 && make -j16 make[1]: Entering directory '/usr/src/openvpn-2.5.9' make all-recursive make[2]: Entering directory '/usr/src/openvpn-2.5.9' Making all in build make[3]: Entering directory '/usr/src/openvpn-2.5.9/build' Making all in msvc make[4]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc' Making all in msvc-generate make[5]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc/msvc-generate' make[5]: Nothing to be done for 'all'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc/msvc-generate' make[5]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc' make[5]: Nothing to be done for 'all-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc' make[4]: Entering directory '/usr/src/openvpn-2.5.9/build' make[4]: Nothing to be done for 'all-am'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/build' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/build' Making all in distro make[3]: Entering directory '/usr/src/openvpn-2.5.9/distro' Making all in systemd make[4]: Entering directory '/usr/src/openvpn-2.5.9/distro/systemd' make[4]: Nothing to be done for 'all'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/distro/systemd' make[4]: Entering directory '/usr/src/openvpn-2.5.9/distro' make[4]: Nothing to be done for 'all-am'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/distro' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/distro' Making all in include make[3]: Entering directory '/usr/src/openvpn-2.5.9/include' make all-am make[4]: Entering directory '/usr/src/openvpn-2.5.9/include' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/include' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/include' Making all in src make[3]: Entering directory '/usr/src/openvpn-2.5.9/src' Making all in compat make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/compat' /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-dirname.lo -MD -MP -MF .deps/compat-dirname.Tpo -c -o compat-dirname.lo compat-dirname.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-basename.lo -MD -MP -MF .deps/compat-basename.Tpo -c -o compat-basename.lo compat-basename.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-gettimeofday.lo -MD -MP -MF .deps/compat-gettimeofday.Tpo -c -o compat-gettimeofday.lo compat-gettimeofday.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-daemon.lo -MD -MP -MF .deps/compat-daemon.Tpo -c -o compat-daemon.lo compat-daemon.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-inet_ntop.lo -MD -MP -MF .deps/compat-inet_ntop.Tpo -c -o compat-inet_ntop.lo compat-inet_ntop.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-inet_pton.lo -MD -MP -MF .deps/compat-inet_pton.Tpo -c -o compat-inet_pton.lo compat-inet_pton.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-lz4.lo -MD -MP -MF .deps/compat-lz4.Tpo -c -o compat-lz4.lo compat-lz4.c /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-strsep.lo -MD -MP -MF .deps/compat-strsep.Tpo -c -o compat-strsep.lo compat-strsep.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-dirname.lo -MD -MP -MF .deps/compat-dirname.Tpo -c compat-dirname.c -fPIC -DPIC -o .libs/compat-dirname.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-inet_pton.lo -MD -MP -MF .deps/compat-inet_pton.Tpo -c compat-inet_pton.c -fPIC -DPIC -o .libs/compat-inet_pton.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-lz4.lo -MD -MP -MF .deps/compat-lz4.Tpo -c compat-lz4.c -fPIC -DPIC -o .libs/compat-lz4.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-strsep.lo -MD -MP -MF .deps/compat-strsep.Tpo -c compat-strsep.c -fPIC -DPIC -o .libs/compat-strsep.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-basename.lo -MD -MP -MF .deps/compat-basename.Tpo -c compat-basename.c -fPIC -DPIC -o .libs/compat-basename.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-inet_ntop.lo -MD -MP -MF .deps/compat-inet_ntop.Tpo -c compat-inet_ntop.c -fPIC -DPIC -o .libs/compat-inet_ntop.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-gettimeofday.lo -MD -MP -MF .deps/compat-gettimeofday.Tpo -c compat-gettimeofday.c -fPIC -DPIC -o .libs/compat-gettimeofday.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-daemon.lo -MD -MP -MF .deps/compat-daemon.Tpo -c compat-daemon.c -fPIC -DPIC -o .libs/compat-daemon.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-inet_ntop.lo -MD -MP -MF .deps/compat-inet_ntop.Tpo -c compat-inet_ntop.c -o compat-inet_ntop.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-daemon.lo -MD -MP -MF .deps/compat-daemon.Tpo -c compat-daemon.c -o compat-daemon.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-inet_pton.lo -MD -MP -MF .deps/compat-inet_pton.Tpo -c compat-inet_pton.c -o compat-inet_pton.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-strsep.lo -MD -MP -MF .deps/compat-strsep.Tpo -c compat-strsep.c -o compat-strsep.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-gettimeofday.lo -MD -MP -MF .deps/compat-gettimeofday.Tpo -c compat-gettimeofday.c -o compat-gettimeofday.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-dirname.lo -MD -MP -MF .deps/compat-dirname.Tpo -c compat-dirname.c -o compat-dirname.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-basename.lo -MD -MP -MF .deps/compat-basename.Tpo -c compat-basename.c -o compat-basename.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compat-lz4.lo -MD -MP -MF .deps/compat-lz4.Tpo -c compat-lz4.c -o compat-lz4.o >/dev/null 2>&1 mv -f .deps/compat-inet_ntop.Tpo .deps/compat-inet_ntop.Plo mv -f .deps/compat-gettimeofday.Tpo .deps/compat-gettimeofday.Plo mv -f .deps/compat-dirname.Tpo .deps/compat-dirname.Plo mv -f .deps/compat-basename.Tpo .deps/compat-basename.Plo mv -f .deps/compat-daemon.Tpo .deps/compat-daemon.Plo mv -f .deps/compat-inet_pton.Tpo .deps/compat-inet_pton.Plo mv -f .deps/compat-strsep.Tpo .deps/compat-strsep.Plo mv -f .deps/compat-lz4.Tpo .deps/compat-lz4.Plo /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -o libcompat.la compat-dirname.lo compat-basename.lo compat-gettimeofday.lo compat-daemon.lo compat-inet_ntop.lo compat-inet_pton.lo compat-lz4.lo compat-strsep.lo libtool: link: ar cr .libs/libcompat.a .libs/compat-dirname.o .libs/compat-basename.o .libs/compat-gettimeofday.o .libs/compat-daemon.o .libs/compat-inet_ntop.o .libs/compat-inet_pton.o .libs/compat-lz4.o .libs/compat-strsep.o libtool: link: ranlib .libs/libcompat.a libtool: link: ( cd ".libs" && rm -f "libcompat.la" && ln -s "../libcompat.la" "libcompat.la" ) make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/compat' Making all in openvpn make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpn' gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT argv.o -MD -MP -MF .deps/argv.Tpo -c -o argv.o argv.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT auth_token.o -MD -MP -MF .deps/auth_token.Tpo -c -o auth_token.o auth_token.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT base64.o -MD -MP -MF .deps/base64.Tpo -c -o base64.o base64.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT buffer.o -MD -MP -MF .deps/buffer.Tpo -c -o buffer.o buffer.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT clinat.o -MD -MP -MF .deps/clinat.Tpo -c -o clinat.o clinat.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT comp.o -MD -MP -MF .deps/comp.Tpo -c -o comp.o comp.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT compstub.o -MD -MP -MF .deps/compstub.Tpo -c -o compstub.o compstub.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT comp-lz4.o -MD -MP -MF .deps/comp-lz4.Tpo -c -o comp-lz4.o comp-lz4.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT crypto.o -MD -MP -MF .deps/crypto.Tpo -c -o crypto.o crypto.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT crypto_openssl.o -MD -MP -MF .deps/crypto_openssl.Tpo -c -o crypto_openssl.o crypto_openssl.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT crypto_mbedtls.o -MD -MP -MF .deps/crypto_mbedtls.Tpo -c -o crypto_mbedtls.o crypto_mbedtls.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT dhcp.o -MD -MP -MF .deps/dhcp.Tpo -c -o dhcp.o dhcp.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT env_set.o -MD -MP -MF .deps/env_set.Tpo -c -o env_set.o env_set.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT error.o -MD -MP -MF .deps/error.Tpo -c -o error.o error.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT event.o -MD -MP -MF .deps/event.Tpo -c -o event.o event.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT fdmisc.o -MD -MP -MF .deps/fdmisc.Tpo -c -o fdmisc.o fdmisc.c mv -f .deps/buffer.Tpo .deps/buffer.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT forward.o -MD -MP -MF .deps/forward.Tpo -c -o forward.o forward.c mv -f .deps/crypto_mbedtls.Tpo .deps/crypto_mbedtls.Po mv -f .deps/fdmisc.Tpo .deps/fdmisc.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT fragment.o -MD -MP -MF .deps/fragment.Tpo -c -o fragment.o fragment.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT gremlin.o -MD -MP -MF .deps/gremlin.Tpo -c -o gremlin.o gremlin.c mv -f .deps/env_set.Tpo .deps/env_set.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT helper.o -MD -MP -MF .deps/helper.Tpo -c -o helper.o helper.c mv -f .deps/event.Tpo .deps/event.Po mv -f .deps/clinat.Tpo .deps/clinat.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT httpdigest.o -MD -MP -MF .deps/httpdigest.Tpo -c -o httpdigest.o httpdigest.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT lladdr.o -MD -MP -MF .deps/lladdr.Tpo -c -o lladdr.o lladdr.c mv -f .deps/compstub.Tpo .deps/compstub.Po mv -f .deps/comp-lz4.Tpo .deps/comp-lz4.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT init.o -MD -MP -MF .deps/init.Tpo -c -o init.o init.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT interval.o -MD -MP -MF .deps/interval.Tpo -c -o interval.o interval.c mv -f .deps/dhcp.Tpo .deps/dhcp.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT list.o -MD -MP -MF .deps/list.Tpo -c -o list.o list.c mv -f .deps/base64.Tpo .deps/base64.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT lzo.o -MD -MP -MF .deps/lzo.Tpo -c -o lzo.o lzo.c mv -f .deps/crypto.Tpo .deps/crypto.Po mv -f .deps/comp.Tpo .deps/comp.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT manage.o -MD -MP -MF .deps/manage.Tpo -c -o manage.o manage.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mbuf.o -MD -MP -MF .deps/mbuf.Tpo -c -o mbuf.o mbuf.c crypto_openssl.c: In function 'show_available_digests': crypto_openssl.c:389:9: warning: unused variable 'nid' [-Wunused-variable] 389 | int nid; | ^~~ crypto_openssl.c: In function 'key_des_check': crypto_openssl.c:586:9: warning: 'DES_is_weak_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 586 | if (DES_is_weak_key(dc)) | ^~ In file included from crypto_openssl.c:47: /usr/include/openssl/des.h:178:27: note: declared here 178 | OSSL_DEPRECATEDIN_3_0 int DES_is_weak_key(const_DES_cblock *key); | ^~~~~~~~~~~~~~~ crypto_openssl.c:592:9: warning: 'DES_check_key_parity' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 592 | if (!DES_check_key_parity(dc)) | ^~ /usr/include/openssl/des.h:177:27: note: declared here 177 | OSSL_DEPRECATEDIN_3_0 int DES_check_key_parity(const_DES_cblock *key); | ^~~~~~~~~~~~~~~~~~~~ crypto_openssl.c: In function 'key_des_fixup': crypto_openssl.c:622:9: warning: 'DES_set_odd_parity' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 622 | DES_set_odd_parity(dc); | ^~~~~~~~~~~~~~~~~~ /usr/include/openssl/des.h:176:28: note: declared here 176 | OSSL_DEPRECATEDIN_3_0 void DES_set_odd_parity(DES_cblock *key); | ^~~~~~~~~~~~~~~~~~ crypto_openssl.c: At top level: crypto_openssl.c:935:39: warning: argument 2 of type 'unsigned char *' declared as a pointer [-Warray-parameter=] 935 | unsigned char *src, | ~~~~~~~~~~~~~~~^~~ In file included from crypto.h:125, from crypto_openssl.c:42: crypto_backend.h:217:43: note: previously declared as an array 'unsigned char[8]' 217 | unsigned char src[DES_KEY_LENGTH], | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~ crypto_openssl.c:936:39: warning: argument 3 of type 'unsigned char *' declared as a pointer [-Warray-parameter=] 936 | unsigned char *dst) | ~~~~~~~~~~~~~~~^~~ crypto_backend.h:218:43: note: previously declared as an array 'unsigned char[8]' 218 | unsigned char dst[DES_KEY_LENGTH]); | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~ crypto_openssl.c: In function 'cipher_des_encrypt_ecb': crypto_openssl.c:940:5: warning: 'DES_set_key_unchecked' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 940 | DES_set_key_unchecked((DES_cblock *)key, &sched); | ^~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/des.h:192:6: note: declared here 192 | void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule); | ^~~~~~~~~~~~~~~~~~~~~ crypto_openssl.c:941:5: warning: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 941 | DES_ecb_encrypt((DES_cblock *)src, (DES_cblock *)dst, &sched, DES_ENCRYPT); | ^~~~~~~~~~~~~~~ /usr/include/openssl/des.h:105:6: note: declared here 105 | void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, | ^~~~~~~~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_new': crypto_openssl.c:1110:5: warning: 'HMAC_CTX_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1110 | HMAC_CTX *ctx = HMAC_CTX_new(); | ^~~~~~~~ In file included from crypto_openssl.h:33, from crypto_backend.h:33: /usr/include/openssl/hmac.h:33:33: note: declared here 33 | OSSL_DEPRECATEDIN_3_0 HMAC_CTX *HMAC_CTX_new(void); | ^~~~~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_free': crypto_openssl.c:1118:5: warning: 'HMAC_CTX_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1118 | HMAC_CTX_free(ctx); | ^~~~~~~~~~~~~ /usr/include/openssl/hmac.h:35:28: note: declared here 35 | OSSL_DEPRECATEDIN_3_0 void HMAC_CTX_free(HMAC_CTX *ctx); | ^~~~~~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_init': crypto_openssl.c:1127:5: warning: 'HMAC_CTX_reset' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1127 | HMAC_CTX_reset(ctx); | ^~~~~~~~~~~~~~ /usr/include/openssl/hmac.h:34:27: note: declared here 34 | OSSL_DEPRECATEDIN_3_0 int HMAC_CTX_reset(HMAC_CTX *ctx); | ^~~~~~~~~~~~~~ crypto_openssl.c:1128:5: warning: 'HMAC_Init_ex' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1128 | HMAC_Init_ex(ctx, key, key_len, kt, NULL); | ^~~~~~~~~~~~ /usr/include/openssl/hmac.h:43:27: note: declared here 43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, | ^~~~~~~~~~~~ crypto_openssl.c:1131:5: warning: 'HMAC_size' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1131 | ASSERT(HMAC_size(ctx) <= key_len); | ^~~~~~ /usr/include/openssl/hmac.h:32:30: note: declared here 32 | OSSL_DEPRECATEDIN_3_0 size_t HMAC_size(const HMAC_CTX *e); | ^~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_cleanup': crypto_openssl.c:1137:5: warning: 'HMAC_CTX_reset' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1137 | HMAC_CTX_reset(ctx); | ^~~~~~~~~~~~~~ /usr/include/openssl/hmac.h:34:27: note: declared here 34 | OSSL_DEPRECATEDIN_3_0 int HMAC_CTX_reset(HMAC_CTX *ctx); | ^~~~~~~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_size': crypto_openssl.c:1143:5: warning: 'HMAC_size' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1143 | return HMAC_size(ctx); | ^~~~~~ /usr/include/openssl/hmac.h:32:30: note: declared here 32 | OSSL_DEPRECATEDIN_3_0 size_t HMAC_size(const HMAC_CTX *e); | ^~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_reset': crypto_openssl.c:1149:5: warning: 'HMAC_Init_ex' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1149 | HMAC_Init_ex(ctx, NULL, 0, NULL, NULL); | ^~~~~~~~~~~~ /usr/include/openssl/hmac.h:43:27: note: declared here 43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, | ^~~~~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_update': crypto_openssl.c:1155:5: warning: 'HMAC_Update' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1155 | HMAC_Update(ctx, src, src_len); | ^~~~~~~~~~~ /usr/include/openssl/hmac.h:45:27: note: declared here 45 | OSSL_DEPRECATEDIN_3_0 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, | ^~~~~~~~~~~ crypto_openssl.c: In function 'hmac_ctx_final': crypto_openssl.c:1163:5: warning: 'HMAC_Final' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1163 | HMAC_Final(ctx, dst, &in_hmac_len); | ^~~~~~~~~~ /usr/include/openssl/hmac.h:47:27: note: declared here 47 | OSSL_DEPRECATEDIN_3_0 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, | ^~~~~~~~~~ mv -f .deps/crypto_openssl.Tpo .deps/crypto_openssl.Po mv -f .deps/argv.Tpo .deps/argv.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT misc.o -MD -MP -MF .deps/misc.Tpo -c -o misc.o misc.c mv -f .deps/lladdr.Tpo .deps/lladdr.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT platform.o -MD -MP -MF .deps/platform.Tpo -c -o platform.o platform.c mv -f .deps/interval.Tpo .deps/interval.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT console.o -MD -MP -MF .deps/console.Tpo -c -o console.o console.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT console_builtin.o -MD -MP -MF .deps/console_builtin.Tpo -c -o console_builtin.o console_builtin.c mv -f .deps/error.Tpo .deps/error.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT console_systemd.o -MD -MP -MF .deps/console_systemd.Tpo -c -o console_systemd.o console_systemd.c mv -f .deps/gremlin.Tpo .deps/gremlin.Po mv -f .deps/list.Tpo .deps/list.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mroute.o -MD -MP -MF .deps/mroute.Tpo -c -o mroute.o mroute.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mss.o -MD -MP -MF .deps/mss.Tpo -c -o mss.o mss.c mv -f .deps/lzo.Tpo .deps/lzo.Po mv -f .deps/httpdigest.Tpo .deps/httpdigest.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mstats.o -MD -MP -MF .deps/mstats.Tpo -c -o mstats.o mstats.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mtcp.o -MD -MP -MF .deps/mtcp.Tpo -c -o mtcp.o mtcp.c mv -f .deps/auth_token.Tpo .deps/auth_token.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mtu.o -MD -MP -MF .deps/mtu.Tpo -c -o mtu.o mtu.c mv -f .deps/console_systemd.Tpo .deps/console_systemd.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT mudp.o -MD -MP -MF .deps/mudp.Tpo -c -o mudp.o mudp.c mv -f .deps/fragment.Tpo .deps/fragment.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT multi.o -MD -MP -MF .deps/multi.Tpo -c -o multi.o multi.c mv -f .deps/mbuf.Tpo .deps/mbuf.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT networking_iproute2.o -MD -MP -MF .deps/networking_iproute2.Tpo -c -o networking_iproute2.o networking_iproute2.c mv -f .deps/forward.Tpo .deps/forward.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT networking_sitnl.o -MD -MP -MF .deps/networking_sitnl.Tpo -c -o networking_sitnl.o networking_sitnl.c mv -f .deps/console.Tpo .deps/console.Po mv -f .deps/console_builtin.Tpo .deps/console_builtin.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ntlm.o -MD -MP -MF .deps/ntlm.Tpo -c -o ntlm.o ntlm.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT occ.o -MD -MP -MF .deps/occ.Tpo -c -o occ.o occ.c mv -f .deps/helper.Tpo .deps/helper.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pkcs11.o -MD -MP -MF .deps/pkcs11.Tpo -c -o pkcs11.o pkcs11.c mv -f .deps/mss.Tpo .deps/mss.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pkcs11_openssl.o -MD -MP -MF .deps/pkcs11_openssl.Tpo -c -o pkcs11_openssl.o pkcs11_openssl.c mv -f .deps/mstats.Tpo .deps/mstats.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pkcs11_mbedtls.o -MD -MP -MF .deps/pkcs11_mbedtls.Tpo -c -o pkcs11_mbedtls.o pkcs11_mbedtls.c mv -f .deps/mroute.Tpo .deps/mroute.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT openvpn.o -MD -MP -MF .deps/openvpn.Tpo -c -o openvpn.o openvpn.c mv -f .deps/init.Tpo .deps/init.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT options.o -MD -MP -MF .deps/options.Tpo -c -o options.o options.c mv -f .deps/platform.Tpo .deps/platform.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT otime.o -MD -MP -MF .deps/otime.Tpo -c -o otime.o otime.c mv -f .deps/networking_sitnl.Tpo .deps/networking_sitnl.Po mv -f .deps/misc.Tpo .deps/misc.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT packet_id.o -MD -MP -MF .deps/packet_id.Tpo -c -o packet_id.o packet_id.c mv -f .deps/manage.Tpo .deps/manage.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT perf.o -MD -MP -MF .deps/perf.Tpo -c -o perf.o perf.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pf.o -MD -MP -MF .deps/pf.Tpo -c -o pf.o pf.c mv -f .deps/pkcs11_openssl.Tpo .deps/pkcs11_openssl.Po mv -f .deps/pkcs11.Tpo .deps/pkcs11.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ping.o -MD -MP -MF .deps/ping.Tpo -c -o ping.o ping.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT plugin.o -MD -MP -MF .deps/plugin.Tpo -c -o plugin.o plugin.c mv -f .deps/pkcs11_mbedtls.Tpo .deps/pkcs11_mbedtls.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pool.o -MD -MP -MF .deps/pool.Tpo -c -o pool.o pool.c mv -f .deps/mtu.Tpo .deps/mtu.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT proto.o -MD -MP -MF .deps/proto.Tpo -c -o proto.o proto.c mv -f .deps/ntlm.Tpo .deps/ntlm.Po mv -f .deps/otime.Tpo .deps/otime.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT proxy.o -MD -MP -MF .deps/proxy.Tpo -c -o proxy.o proxy.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ps.o -MD -MP -MF .deps/ps.Tpo -c -o ps.o ps.c mv -f .deps/mudp.Tpo .deps/mudp.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT push.o -MD -MP -MF .deps/push.Tpo -c -o push.o push.c mv -f .deps/networking_iproute2.Tpo .deps/networking_iproute2.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT reliable.o -MD -MP -MF .deps/reliable.Tpo -c -o reliable.o reliable.c mv -f .deps/mtcp.Tpo .deps/mtcp.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT route.o -MD -MP -MF .deps/route.Tpo -c -o route.o route.c mv -f .deps/multi.Tpo .deps/multi.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT run_command.o -MD -MP -MF .deps/run_command.Tpo -c -o run_command.o run_command.c mv -f .deps/occ.Tpo .deps/occ.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT schedule.o -MD -MP -MF .deps/schedule.Tpo -c -o schedule.o schedule.c mv -f .deps/proto.Tpo .deps/proto.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT session_id.o -MD -MP -MF .deps/session_id.Tpo -c -o session_id.o session_id.c mv -f .deps/pool.Tpo .deps/pool.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT shaper.o -MD -MP -MF .deps/shaper.Tpo -c -o shaper.o shaper.c mv -f .deps/packet_id.Tpo .deps/packet_id.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT sig.o -MD -MP -MF .deps/sig.Tpo -c -o sig.o sig.c mv -f .deps/openvpn.Tpo .deps/openvpn.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT socket.o -MD -MP -MF .deps/socket.Tpo -c -o socket.o socket.c mv -f .deps/reliable.Tpo .deps/reliable.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT socks.o -MD -MP -MF .deps/socks.Tpo -c -o socks.o socks.c mv -f .deps/run_command.Tpo .deps/run_command.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl.o -MD -MP -MF .deps/ssl.Tpo -c -o ssl.o ssl.c mv -f .deps/perf.Tpo .deps/perf.Po mv -f .deps/plugin.Tpo .deps/plugin.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl_openssl.o -MD -MP -MF .deps/ssl_openssl.Tpo -c -o ssl_openssl.o ssl_openssl.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl_mbedtls.o -MD -MP -MF .deps/ssl_mbedtls.Tpo -c -o ssl_mbedtls.o ssl_mbedtls.c mv -f .deps/shaper.Tpo .deps/shaper.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl_ncp.o -MD -MP -MF .deps/ssl_ncp.Tpo -c -o ssl_ncp.o ssl_ncp.c mv -f .deps/ping.Tpo .deps/ping.Po mv -f .deps/options.Tpo .deps/options.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl_verify.o -MD -MP -MF .deps/ssl_verify.Tpo -c -o ssl_verify.o ssl_verify.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl_verify_openssl.o -MD -MP -MF .deps/ssl_verify_openssl.Tpo -c -o ssl_verify_openssl.o ssl_verify_openssl.c mv -f .deps/pf.Tpo .deps/pf.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT ssl_verify_mbedtls.o -MD -MP -MF .deps/ssl_verify_mbedtls.Tpo -c -o ssl_verify_mbedtls.o ssl_verify_mbedtls.c mv -f .deps/schedule.Tpo .deps/schedule.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT status.o -MD -MP -MF .deps/status.Tpo -c -o status.o status.c mv -f .deps/session_id.Tpo .deps/session_id.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT tls_crypt.o -MD -MP -MF .deps/tls_crypt.Tpo -c -o tls_crypt.o tls_crypt.c mv -f .deps/ps.Tpo .deps/ps.Po mv -f .deps/socks.Tpo .deps/socks.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT tun.o -MD -MP -MF .deps/tun.Tpo -c -o tun.o tun.c mv -f .deps/route.Tpo .deps/route.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT vlan.o -MD -MP -MF .deps/vlan.Tpo -c -o vlan.o vlan.c mv -f .deps/proxy.Tpo .deps/proxy.Po gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT win32.o -MD -MP -MF .deps/win32.Tpo -c -o win32.o win32.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT cryptoapi.o -MD -MP -MF .deps/cryptoapi.Tpo -c -o cryptoapi.o cryptoapi.c mv -f .deps/push.Tpo .deps/push.Po mv -f .deps/ssl_verify_mbedtls.Tpo .deps/ssl_verify_mbedtls.Po mv -f .deps/sig.Tpo .deps/sig.Po mv -f .deps/status.Tpo .deps/status.Po mv -f .deps/win32.Tpo .deps/win32.Po ssl_openssl.c: In function 'tls_ctx_load_dh_params': ssl_openssl.c:692:5: warning: 'PEM_read_bio_DHparams' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 692 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); | ^~ In file included from /usr/include/openssl/ssl.h:37, from ssl_openssl.h:32, from ssl_backend.h:36, from ssl_openssl.c:44: /usr/include/openssl/pem.h:473:1: note: declared here 473 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH) | ^~~~~~~~~~~~~~~~~~~ ssl_openssl.c:705:5: warning: 'DH_size' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 705 | msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", | ^~~ In file included from /usr/include/openssl/dsa.h:31, from /usr/include/openssl/x509.h:37, from /usr/include/openssl/ssl.h:32: /usr/include/openssl/dh.h:210:27: note: declared here 210 | OSSL_DEPRECATEDIN_3_0 int DH_size(const DH *dh); | ^~~~~~~ ssl_openssl.c:708:5: warning: 'DH_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 708 | DH_free(dh); | ^~~~~~~ /usr/include/openssl/dh.h:207:28: note: declared here 207 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh); | ^~~~~~~ ssl_openssl.c: In function 'tls_ctx_load_ecdh_params': ssl_openssl.c:751:5: warning: 'EC_KEY_new_by_curve_name' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 751 | if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid))) | ^~ In file included from /usr/include/openssl/x509.h:33: /usr/include/openssl/ec.h:1017:31: note: declared here 1017 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid); | ^~~~~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:754:9: warning: 'EC_KEY_new_by_curve_name' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 754 | ecdh = EC_KEY_new_by_curve_name(NID_secp384r1); | ^~~~ /usr/include/openssl/ec.h:1017:31: note: declared here 1017 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid); | ^~~~~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:769:5: warning: 'EC_KEY_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 769 | EC_KEY_free(ecdh); | ^~~~~~~~~~~ /usr/include/openssl/ec.h:1022:28: note: declared here 1022 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key); | ^~~~~~~~~~~ ssl_openssl.c: In function 'openvpn_extkey_rsa_finish': ssl_openssl.c:1203:5: warning: 'RSA_get_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1203 | const RSA_METHOD *meth = RSA_get_method(rsa); | ^~~~~ In file included from /usr/include/openssl/x509.h:36: /usr/include/openssl/rsa.h:312:41: note: declared here 312 | OSSL_DEPRECATEDIN_3_0 const RSA_METHOD *RSA_get_method(const RSA *rsa); | ^~~~~~~~~~~~~~ ssl_openssl.c:1204:5: warning: 'RSA_meth_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1204 | RSA_meth_free((RSA_METHOD *)meth); | ^~~~~~~~~~~~~ /usr/include/openssl/rsa.h:485:28: note: declared here 485 | OSSL_DEPRECATEDIN_3_0 void RSA_meth_free(RSA_METHOD *meth); | ^~~~~~~~~~~~~ ssl_openssl.c: In function 'rsa_priv_enc': ssl_openssl.c:1270:5: warning: 'RSA_size' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1270 | unsigned int len = RSA_size(rsa); | ^~~~~~~~ /usr/include/openssl/rsa.h:215:27: note: declared here 215 | OSSL_DEPRECATEDIN_3_0 int RSA_size(const RSA *rsa); | ^~~~~~~~ ssl_openssl.c: In function 'tls_ctx_use_external_rsa_key': ssl_openssl.c:1293:5: warning: 'EVP_PKEY_get0_RSA' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1293 | pub_rsa = EVP_PKEY_get0_RSA(pkey); | ^~~~~~~ In file included from /usr/include/openssl/x509.h:29: /usr/include/openssl/evp.h:1354:22: note: declared here 1354 | const struct rsa_st *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey); | ^~~~~~~~~~~~~~~~~ ssl_openssl.c:1293:13: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 1293 | pub_rsa = EVP_PKEY_get0_RSA(pkey); | ^ ssl_openssl.c:1297:5: warning: 'RSA_meth_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1297 | rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", | ^~~~~~~~ /usr/include/openssl/rsa.h:484:35: note: declared here 484 | OSSL_DEPRECATEDIN_3_0 RSA_METHOD *RSA_meth_new(const char *name, int flags); | ^~~~~~~~~~~~ ssl_openssl.c:1300:5: warning: 'RSA_meth_set_pub_enc' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1300 | RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc); | ^~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:501:5: note: declared here 501 | int RSA_meth_set_pub_enc(RSA_METHOD *rsa, | ^~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1301:5: warning: 'RSA_meth_set_pub_dec' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1301 | RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec); | ^~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:511:5: note: declared here 511 | int RSA_meth_set_pub_dec(RSA_METHOD *rsa, | ^~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1302:5: warning: 'RSA_meth_set_priv_enc' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1302 | RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc); | ^~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:521:5: note: declared here 521 | int RSA_meth_set_priv_enc(RSA_METHOD *rsa, | ^~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1303:5: warning: 'RSA_meth_set_priv_dec' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1303 | RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec); | ^~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:531:5: note: declared here 531 | int RSA_meth_set_priv_dec(RSA_METHOD *rsa, | ^~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1304:5: warning: 'RSA_meth_set_init' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1304 | RSA_meth_set_init(rsa_meth, NULL); | ^~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:561:5: note: declared here 561 | int RSA_meth_set_init(RSA_METHOD *rsa, int (*init) (RSA *rsa)); | ^~~~~~~~~~~~~~~~~ ssl_openssl.c:1305:5: warning: 'RSA_meth_set_finish' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1305 | RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish); | ^~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:565:5: note: declared here 565 | int RSA_meth_set_finish(RSA_METHOD *rsa, int (*finish) (RSA *rsa)); | ^~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1306:5: warning: 'RSA_meth_set0_app_data' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1306 | RSA_meth_set0_app_data(rsa_meth, NULL); | ^~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:493:27: note: declared here 493 | OSSL_DEPRECATEDIN_3_0 int RSA_meth_set0_app_data(RSA_METHOD *meth, | ^~~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1309:5: warning: 'RSA_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1309 | rsa = RSA_new(); | ^~~ /usr/include/openssl/rsa.h:212:28: note: declared here 212 | OSSL_DEPRECATEDIN_3_0 RSA *RSA_new(void); | ^~~~~~~ ssl_openssl.c:1319:5: warning: 'RSA_get0_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1319 | RSA_get0_key(pub_rsa, &n, &e, NULL); | ^~~~~~~~~~~~ /usr/include/openssl/rsa.h:228:28: note: declared here 228 | OSSL_DEPRECATEDIN_3_0 void RSA_get0_key(const RSA *r, | ^~~~~~~~~~~~ ssl_openssl.c:1320:5: warning: 'RSA_set0_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1320 | RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL); | ^~~~~~~~~~~~ /usr/include/openssl/rsa.h:218:27: note: declared here 218 | OSSL_DEPRECATEDIN_3_0 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); | ^~~~~~~~~~~~ ssl_openssl.c:1321:5: warning: 'RSA_set_flags' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1321 | RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); | ^~~~~~~~~~~~~ /usr/include/openssl/rsa.h:254:28: note: declared here 254 | OSSL_DEPRECATEDIN_3_0 void RSA_set_flags(RSA *r, int flags); | ^~~~~~~~~~~~~ ssl_openssl.c:1321:5: warning: 'RSA_flags' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1321 | RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); | ^~~~~~~~~~~~~ /usr/include/openssl/rsa.h:307:27: note: declared here 307 | OSSL_DEPRECATEDIN_3_0 int RSA_flags(const RSA *r); | ^~~~~~~~~ ssl_openssl.c:1322:5: warning: 'RSA_set_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1322 | if (!RSA_set_method(rsa, rsa_meth)) | ^~ /usr/include/openssl/rsa.h:313:27: note: declared here 313 | OSSL_DEPRECATEDIN_3_0 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth); | ^~~~~~~~~~~~~~ ssl_openssl.c:1324:9: warning: 'RSA_meth_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1324 | RSA_meth_free(rsa_meth); | ^~~~~~~~~~~~~ /usr/include/openssl/rsa.h:485:28: note: declared here 485 | OSSL_DEPRECATEDIN_3_0 void RSA_meth_free(RSA_METHOD *meth); | ^~~~~~~~~~~~~ ssl_openssl.c:1330:5: warning: 'SSL_CTX_use_RSAPrivateKey' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1330 | if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa)) | ^~ /usr/include/openssl/ssl.h:1842:12: note: declared here 1842 | __owur int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); | ^~~~~~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1335:5: warning: 'RSA_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1335 | RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ | ^~~~~~~~ /usr/include/openssl/rsa.h:304:28: note: declared here 304 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r); | ^~~~~~~~ ssl_openssl.c:1341:9: warning: 'RSA_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1341 | RSA_free(rsa); | ^~~~~~~~ /usr/include/openssl/rsa.h:304:28: note: declared here 304 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r); | ^~~~~~~~ ssl_openssl.c:1347:13: warning: 'RSA_meth_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1347 | RSA_meth_free(rsa_meth); | ^~~~~~~~~~~~~ /usr/include/openssl/rsa.h:485:28: note: declared here 485 | OSSL_DEPRECATEDIN_3_0 void RSA_meth_free(RSA_METHOD *meth); | ^~~~~~~~~~~~~ ssl_openssl.c: In function 'openvpn_extkey_ec_finish': ssl_openssl.c:1362:5: warning: 'EC_KEY_get_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1362 | const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec); | ^~~~~ /usr/include/openssl/ec.h:1301:44: note: declared here 1301 | OSSL_DEPRECATEDIN_3_0 const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key); | ^~~~~~~~~~~~~~~~~ ssl_openssl.c:1363:5: warning: 'EC_KEY_METHOD_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1363 | EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth); | ^~~~~~~~~~~~~~~~~~ /usr/include/openssl/ec.h:1481:28: note: declared here 1481 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_free(EC_KEY_METHOD *meth); | ^~~~~~~~~~~~~~~~~~ ssl_openssl.c: In function 'ecdsa_sign': ssl_openssl.c:1374:5: warning: 'ECDSA_size' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1374 | int capacity = ECDSA_size(ec); | ^~~ /usr/include/openssl/ec.h:1474:27: note: declared here 1474 | OSSL_DEPRECATEDIN_3_0 int ECDSA_size(const EC_KEY *eckey); | ^~~~~~~~~~ ssl_openssl.c: In function 'ecdsa_sign_sig': ssl_openssl.c:1406:5: warning: 'ECDSA_size' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1406 | unsigned int len = ECDSA_size(ec); | ^~~~~~~~ /usr/include/openssl/ec.h:1474:27: note: declared here 1474 | OSSL_DEPRECATEDIN_3_0 int ECDSA_size(const EC_KEY *eckey); | ^~~~~~~~~~ ssl_openssl.c: In function 'tls_ctx_use_external_ec_key': ssl_openssl.c:1431:5: warning: 'EC_KEY_METHOD_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1431 | ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); | ^~~~~~~~~ /usr/include/openssl/ec.h:1480:38: note: declared here 1480 | OSSL_DEPRECATEDIN_3_0 EC_KEY_METHOD *EC_KEY_METHOD_new(const EC_KEY_METHOD *meth); | ^~~~~~~~~~~~~~~~~ ssl_openssl.c:1431:5: warning: 'EC_KEY_OpenSSL' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1431 | ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); | ^~~~~~~~~ /usr/include/openssl/ec.h:1298:44: note: declared here 1298 | OSSL_DEPRECATEDIN_3_0 const EC_KEY_METHOD *EC_KEY_OpenSSL(void); | ^~~~~~~~~~~~~~ ssl_openssl.c:1438:5: warning: 'EC_KEY_METHOD_set_init' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1438 | EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL); | ^~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/ec.h:1482:28: note: declared here 1482 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_init | ^~~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1439:5: warning: 'EC_KEY_METHOD_set_sign' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1439 | EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); | ^~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/ec.h:1499:28: note: declared here 1499 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_sign | ^~~~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1441:5: warning: 'EC_KEY_dup' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1441 | ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); | ^~ /usr/include/openssl/ec.h:1035:31: note: declared here 1035 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_dup(const EC_KEY *src); | ^~~~~~~~~~ ssl_openssl.c:1441:5: warning: 'EVP_PKEY_get0_EC_KEY' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1441 | ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); | ^~ /usr/include/openssl/evp.h:1380:25: note: declared here 1380 | const struct ec_key_st *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); | ^~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:1444:9: warning: 'EC_KEY_METHOD_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1444 | EC_KEY_METHOD_free(ec_method); | ^~~~~~~~~~~~~~~~~~ /usr/include/openssl/ec.h:1481:28: note: declared here 1481 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_free(EC_KEY_METHOD *meth); | ^~~~~~~~~~~~~~~~~~ ssl_openssl.c:1447:5: warning: 'EC_KEY_set_method' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1447 | if (!EC_KEY_set_method(ec, ec_method)) | ^~ /usr/include/openssl/ec.h:1302:27: note: declared here 1302 | OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth); | ^~~~~~~~~~~~~~~~~ ssl_openssl.c:1449:9: warning: 'EC_KEY_METHOD_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1449 | EC_KEY_METHOD_free(ec_method); | ^~~~~~~~~~~~~~~~~~ /usr/include/openssl/ec.h:1481:28: note: declared here 1481 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_free(EC_KEY_METHOD *meth); | ^~~~~~~~~~~~~~~~~~ ssl_openssl.c:1455:5: warning: 'EVP_PKEY_assign' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1455 | if (!EVP_PKEY_assign_EC_KEY(privkey, ec)) | ^~ /usr/include/openssl/evp.h:1336:5: note: declared here 1336 | int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); | ^~~~~~~~~~~~~~~ ssl_openssl.c:1478:9: warning: 'EC_KEY_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 1478 | EC_KEY_free(ec); | ^~~~~~~~~~~ /usr/include/openssl/ec.h:1022:28: note: declared here 1022 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key); | ^~~~~~~~~~~ ssl_openssl.c: In function 'print_cert_details': ssl_openssl.c:2081:5: warning: 'EVP_PKEY_get0_EC_KEY' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 2081 | if (typeid == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL) | ^~ /usr/include/openssl/evp.h:1380:25: note: declared here 1380 | const struct ec_key_st *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); | ^~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:2083:9: warning: 'EVP_PKEY_get0_EC_KEY' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 2083 | EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); | ^~~~~~ /usr/include/openssl/evp.h:1380:25: note: declared here 1380 | const struct ec_key_st *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); | ^~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:2083:22: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 2083 | EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); | ^~~~~~~~~~~~~~~~~~~~ ssl_openssl.c:2084:9: warning: 'EC_KEY_get0_group' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 2084 | const EC_GROUP *group = EC_KEY_get0_group(ec); | ^~~~~ /usr/include/openssl/ec.h:1053:39: note: declared here 1053 | OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); | ^~~~~~~~~~~~~~~~~ mv -f .deps/ssl_ncp.Tpo .deps/ssl_ncp.Po mv -f .deps/ssl_verify.Tpo .deps/ssl_verify.Po mv -f .deps/ssl_verify_openssl.Tpo .deps/ssl_verify_openssl.Po mv -f .deps/tls_crypt.Tpo .deps/tls_crypt.Po mv -f .deps/cryptoapi.Tpo .deps/cryptoapi.Po mv -f .deps/ssl_openssl.Tpo .deps/ssl_openssl.Po mv -f .deps/socket.Tpo .deps/socket.Po mv -f .deps/ssl.Tpo .deps/ssl.Po mv -f .deps/ssl_mbedtls.Tpo .deps/ssl_mbedtls.Po mv -f .deps/tun.Tpo .deps/tun.Po mv -f .deps/vlan.Tpo .deps/vlan.Po /bin/sh ../../libtool --tag=CC --mode=link gcc -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -o openvpn argv.o auth_token.o base64.o buffer.o clinat.o comp.o compstub.o comp-lz4.o crypto.o crypto_openssl.o crypto_mbedtls.o dhcp.o env_set.o error.o event.o fdmisc.o forward.o fragment.o gremlin.o helper.o httpdigest.o lladdr.o init.o interval.o list.o lzo.o manage.o mbuf.o misc.o platform.o console.o console_builtin.o console_systemd.o mroute.o mss.o mstats.o mtcp.o mtu.o mudp.o multi.o networking_iproute2.o networking_sitnl.o ntlm.o occ.o pkcs11.o pkcs11_openssl.o pkcs11_mbedtls.o openvpn.o options.o otime.o packet_id.o perf.o pf.o ping.o plugin.o pool.o proto.o proxy.o ps.o push.o reliable.o route.o run_command.o schedule.o session_id.o shaper.o sig.o socket.o socks.o ssl.o ssl_openssl.o ssl_mbedtls.o ssl_ncp.o ssl_verify.o ssl_verify_openssl.o ssl_verify_mbedtls.o status.o tls_crypt.o tun.o vlan.o win32.o cryptoapi.o ../../src/compat/libcompat.la -lresolv -llzo2 -llz4 -L/usr/lib64 -lssl -lcrypto -ldl libtool: link: gcc -DPLUGIN_LIBDIR=\"/usr/lib/openvpn/plugins\" -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -o openvpn argv.o auth_token.o base64.o buffer.o clinat.o comp.o compstub.o comp-lz4.o crypto.o crypto_openssl.o crypto_mbedtls.o dhcp.o env_set.o error.o event.o fdmisc.o forward.o fragment.o gremlin.o helper.o httpdigest.o lladdr.o init.o interval.o list.o lzo.o manage.o mbuf.o misc.o platform.o console.o console_builtin.o console_systemd.o mroute.o mss.o mstats.o mtcp.o mtu.o mudp.o multi.o networking_iproute2.o networking_sitnl.o ntlm.o occ.o pkcs11.o pkcs11_openssl.o pkcs11_mbedtls.o openvpn.o options.o otime.o packet_id.o perf.o pf.o ping.o plugin.o pool.o proto.o proxy.o ps.o push.o reliable.o route.o run_command.o schedule.o session_id.o shaper.o sig.o socket.o socks.o ssl.o ssl_openssl.o ssl_mbedtls.o ssl_ncp.o ssl_verify.o ssl_verify_openssl.o ssl_verify_mbedtls.o status.o tls_crypt.o tun.o vlan.o win32.o cryptoapi.o ../../src/compat/.libs/libcompat.a -lresolv /usr/lib/liblzo2.so -llz4 -L/usr/lib64 -lssl -lcrypto -ldl make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpn' Making all in openvpnmsica make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpnmsica' make[4]: Nothing to be done for 'all'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpnmsica' Making all in openvpnserv make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpnserv' make[4]: Nothing to be done for 'all'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpnserv' Making all in plugins make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins' Making all in auth-pam make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins/auth-pam' /bin/sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT utils.lo -MD -MP -MF .deps/utils.Tpo -c -o utils.lo utils.c /bin/sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT auth-pam.lo -MD -MP -MF .deps/auth-pam.Tpo -c -o auth-pam.lo auth-pam.c /bin/sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pamdl.lo -MD -MP -MF .deps/pamdl.Tpo -c -o pamdl.lo pamdl.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT utils.lo -MD -MP -MF .deps/utils.Tpo -c utils.c -fPIC -DPIC -o .libs/utils.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT auth-pam.lo -MD -MP -MF .deps/auth-pam.Tpo -c auth-pam.c -fPIC -DPIC -o .libs/auth-pam.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pamdl.lo -MD -MP -MF .deps/pamdl.Tpo -c pamdl.c -fPIC -DPIC -o .libs/pamdl.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT pamdl.lo -MD -MP -MF .deps/pamdl.Tpo -c pamdl.c -o pamdl.o >/dev/null 2>&1 libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT utils.lo -MD -MP -MF .deps/utils.Tpo -c utils.c -o utils.o >/dev/null 2>&1 mv -f .deps/pamdl.Tpo .deps/pamdl.Plo mv -f .deps/utils.Tpo .deps/utils.Plo libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT auth-pam.lo -MD -MP -MF .deps/auth-pam.Tpo -c auth-pam.c -o auth-pam.o >/dev/null 2>&1 mv -f .deps/auth-pam.Tpo .deps/auth-pam.Plo /bin/sh ../../../libtool --tag=CC --mode=link gcc -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -export-symbols "./auth-pam.exports" -module -shared -avoid-version -no-undefined -o openvpn-plugin-auth-pam.la -rpath /usr/lib/openvpn/plugins utils.lo auth-pam.lo pamdl.lo -lpam libtool: link: echo "{ global:" > .libs/openvpn-plugin-auth-pam.ver libtool: link: cat ./auth-pam.exports | sed -e "s/\(.*\)/\1;/" >> .libs/openvpn-plugin-auth-pam.ver libtool: link: echo "local: *; };" >> .libs/openvpn-plugin-auth-pam.ver libtool: link: gcc -shared -fPIC -DPIC .libs/utils.o .libs/auth-pam.o .libs/pamdl.o /usr/lib/libpam.so -O2 -g0 -m64 -mtune=generic -fstack-protector-strong -Wl,-soname -Wl,openvpn-plugin-auth-pam.so -Wl,-version-script -Wl,.libs/openvpn-plugin-auth-pam.ver -o .libs/openvpn-plugin-auth-pam.so libtool: link: ( cd ".libs" && rm -f "openvpn-plugin-auth-pam.la" && ln -s "../openvpn-plugin-auth-pam.la" "openvpn-plugin-auth-pam.la" ) make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins/auth-pam' Making all in down-root make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins/down-root' /bin/sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT down-root.lo -MD -MP -MF .deps/down-root.Tpo -c -o down-root.lo down-root.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT down-root.lo -MD -MP -MF .deps/down-root.Tpo -c down-root.c -fPIC -DPIC -o .libs/down-root.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../../include -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -MT down-root.lo -MD -MP -MF .deps/down-root.Tpo -c down-root.c -o down-root.o >/dev/null 2>&1 mv -f .deps/down-root.Tpo .deps/down-root.Plo /bin/sh ../../../libtool --tag=CC --mode=link gcc -I../../../include -Wall -Wno-stringop-truncation -O2 -g0 -pipe -Wall -fexceptions -fPIC -m64 -mtune=generic -fcf-protection=full -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -std=c99 -export-symbols "./down-root.exports" -module -shared -avoid-version -no-undefined -o openvpn-plugin-down-root.la -rpath /usr/lib/openvpn/plugins down-root.lo libtool: link: echo "{ global:" > .libs/openvpn-plugin-down-root.ver libtool: link: cat ./down-root.exports | sed -e "s/\(.*\)/\1;/" >> .libs/openvpn-plugin-down-root.ver libtool: link: echo "local: *; };" >> .libs/openvpn-plugin-down-root.ver libtool: link: gcc -shared -fPIC -DPIC .libs/down-root.o -O2 -g0 -m64 -mtune=generic -fstack-protector-strong -Wl,-soname -Wl,openvpn-plugin-down-root.so -Wl,-version-script -Wl,.libs/openvpn-plugin-down-root.ver -o .libs/openvpn-plugin-down-root.so libtool: link: ( cd ".libs" && rm -f "openvpn-plugin-down-root.la" && ln -s "../openvpn-plugin-down-root.la" "openvpn-plugin-down-root.la" ) make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins/down-root' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins' make[5]: Nothing to be done for 'all-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins' Making all in tapctl make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/tapctl' make[4]: Nothing to be done for 'all'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/tapctl' make[4]: Entering directory '/usr/src/openvpn-2.5.9/src' make[4]: Nothing to be done for 'all-am'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/src' Making all in sample make[3]: Entering directory '/usr/src/openvpn-2.5.9/sample' make[3]: Nothing to be done for 'all'. make[3]: Leaving directory '/usr/src/openvpn-2.5.9/sample' Making all in doc make[3]: Entering directory '/usr/src/openvpn-2.5.9/doc' Making all in doxygen make[4]: Entering directory '/usr/src/openvpn-2.5.9/doc/doxygen' make[4]: Nothing to be done for 'all'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/doc/doxygen' make[4]: Entering directory '/usr/src/openvpn-2.5.9/doc' make[4]: Nothing to be done for 'all-am'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/doc' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/doc' Making all in tests make[3]: Entering directory '/usr/src/openvpn-2.5.9/tests' Making all in unit_tests make[4]: Entering directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[5]: Entering directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[5]: Nothing to be done for 'all-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[4]: Entering directory '/usr/src/openvpn-2.5.9/tests' make[4]: Nothing to be done for 'all-am'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/tests' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/tests' make[3]: Entering directory '/usr/src/openvpn-2.5.9' make[3]: Leaving directory '/usr/src/openvpn-2.5.9' make[2]: Leaving directory '/usr/src/openvpn-2.5.9' make[1]: Leaving directory '/usr/src/openvpn-2.5.9' cd /usr/src/openvpn-2.5.9 && make install make[1]: Entering directory '/usr/src/openvpn-2.5.9' make install-recursive make[2]: Entering directory '/usr/src/openvpn-2.5.9' Making install in build make[3]: Entering directory '/usr/src/openvpn-2.5.9/build' Making install in msvc make[4]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc' Making install in msvc-generate make[5]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc/msvc-generate' make[6]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc/msvc-generate' make[6]: Nothing to be done for 'install-exec-am'. make[6]: Nothing to be done for 'install-data-am'. make[6]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc/msvc-generate' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc/msvc-generate' make[5]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc' make[6]: Entering directory '/usr/src/openvpn-2.5.9/build/msvc' make[6]: Nothing to be done for 'install-exec-am'. make[6]: Nothing to be done for 'install-data-am'. make[6]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/build/msvc' make[4]: Entering directory '/usr/src/openvpn-2.5.9/build' make[5]: Entering directory '/usr/src/openvpn-2.5.9/build' make[5]: Nothing to be done for 'install-exec-am'. make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/build' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/build' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/build' Making install in distro make[3]: Entering directory '/usr/src/openvpn-2.5.9/distro' Making install in systemd make[4]: Entering directory '/usr/src/openvpn-2.5.9/distro/systemd' make[5]: Entering directory '/usr/src/openvpn-2.5.9/distro/systemd' make[5]: Nothing to be done for 'install-exec-am'. make install-data-hook make[6]: Entering directory '/usr/src/openvpn-2.5.9/distro/systemd' make[6]: Nothing to be done for 'install-data-hook'. make[6]: Leaving directory '/usr/src/openvpn-2.5.9/distro/systemd' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/distro/systemd' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/distro/systemd' make[4]: Entering directory '/usr/src/openvpn-2.5.9/distro' make[5]: Entering directory '/usr/src/openvpn-2.5.9/distro' make[5]: Nothing to be done for 'install-exec-am'. make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/distro' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/distro' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/distro' Making install in include make[3]: Entering directory '/usr/src/openvpn-2.5.9/include' make[4]: Entering directory '/usr/src/openvpn-2.5.9/include' make[4]: Nothing to be done for 'install-exec-am'. /bin/mkdir -p '/usr/include' /usr/bin/install -c -m 644 openvpn-plugin.h openvpn-msg.h '/usr/include' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/include' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/include' Making install in src make[3]: Entering directory '/usr/src/openvpn-2.5.9/src' Making install in compat make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/compat' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/compat' make[5]: Nothing to be done for 'install-exec-am'. make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/compat' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/compat' Making install in openvpn make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpn' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpn' /bin/mkdir -p '/usr/sbin' /bin/sh ../../libtool --mode=install /usr/bin/install -c openvpn '/usr/sbin' libtool: install: /usr/bin/install -c openvpn /usr/sbin/openvpn make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpn' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpn' Making install in openvpnmsica make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpnmsica' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpnmsica' make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpnmsica' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpnmsica' Making install in openvpnserv make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpnserv' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/openvpnserv' make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpnserv' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/openvpnserv' Making install in plugins make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins' Making install in auth-pam make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins/auth-pam' make[6]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins/auth-pam' make[6]: Nothing to be done for 'install-exec-am'. /bin/mkdir -p '/usr/share/doc/openvpn' /usr/bin/install -c -m 644 README.auth-pam '/usr/share/doc/openvpn' /bin/mkdir -p '/usr/lib/openvpn/plugins' /bin/sh ../../../libtool --mode=install /usr/bin/install -c openvpn-plugin-auth-pam.la '/usr/lib/openvpn/plugins' libtool: install: /usr/bin/install -c .libs/openvpn-plugin-auth-pam.so /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so libtool: install: /usr/bin/install -c .libs/openvpn-plugin-auth-pam.lai /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.la libtool: finish: PATH="/tools_x86_64/ccache/bin:/bin:/usr/bin:/sbin:/usr/sbin:/tools_x86_64/sbin:/tools_x86_64/bin:/sbin" ldconfig -n /usr/lib/openvpn/plugins ---------------------------------------------------------------------- Libraries have been installed in: /usr/lib/openvpn/plugins If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the '-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable during execution - add LIBDIR to the 'LD_RUN_PATH' environment variable during linking - use the '-Wl,-rpath -Wl,LIBDIR' linker flag - have your system administrator add LIBDIR to '/etc/ld.so.conf' See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. ---------------------------------------------------------------------- make[6]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins/auth-pam' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins/auth-pam' Making install in down-root make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins/down-root' make[6]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins/down-root' make[6]: Nothing to be done for 'install-exec-am'. /bin/mkdir -p '/usr/share/doc/openvpn' /usr/bin/install -c -m 644 README.down-root '/usr/share/doc/openvpn' /bin/mkdir -p '/usr/lib/openvpn/plugins' /bin/sh ../../../libtool --mode=install /usr/bin/install -c openvpn-plugin-down-root.la '/usr/lib/openvpn/plugins' libtool: install: /usr/bin/install -c .libs/openvpn-plugin-down-root.so /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so libtool: install: /usr/bin/install -c .libs/openvpn-plugin-down-root.lai /usr/lib/openvpn/plugins/openvpn-plugin-down-root.la libtool: finish: PATH="/tools_x86_64/ccache/bin:/bin:/usr/bin:/sbin:/usr/sbin:/tools_x86_64/sbin:/tools_x86_64/bin:/sbin" ldconfig -n /usr/lib/openvpn/plugins ---------------------------------------------------------------------- Libraries have been installed in: /usr/lib/openvpn/plugins If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the '-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable during execution - add LIBDIR to the 'LD_RUN_PATH' environment variable during linking - use the '-Wl,-rpath -Wl,LIBDIR' linker flag - have your system administrator add LIBDIR to '/etc/ld.so.conf' See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. ---------------------------------------------------------------------- make[6]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins/down-root' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins/down-root' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins' make[6]: Entering directory '/usr/src/openvpn-2.5.9/src/plugins' make[6]: Nothing to be done for 'install-exec-am'. make[6]: Nothing to be done for 'install-data-am'. make[6]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/plugins' Making install in tapctl make[4]: Entering directory '/usr/src/openvpn-2.5.9/src/tapctl' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src/tapctl' make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src/tapctl' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src/tapctl' make[4]: Entering directory '/usr/src/openvpn-2.5.9/src' make[5]: Entering directory '/usr/src/openvpn-2.5.9/src' make[5]: Nothing to be done for 'install-exec-am'. make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/src' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/src' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/src' Making install in sample make[3]: Entering directory '/usr/src/openvpn-2.5.9/sample' make[4]: Entering directory '/usr/src/openvpn-2.5.9/sample' make[4]: Nothing to be done for 'install-exec-am'. make[4]: Leaving directory '/usr/src/openvpn-2.5.9/sample' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/sample' Making install in doc make[3]: Entering directory '/usr/src/openvpn-2.5.9/doc' Making install in doxygen make[4]: Entering directory '/usr/src/openvpn-2.5.9/doc/doxygen' make[5]: Entering directory '/usr/src/openvpn-2.5.9/doc/doxygen' make[5]: Nothing to be done for 'install-exec-am'. make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/doc/doxygen' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/doc/doxygen' make[4]: Entering directory '/usr/src/openvpn-2.5.9/doc' make[5]: Entering directory '/usr/src/openvpn-2.5.9/doc' make[5]: Nothing to be done for 'install-exec-am'. /bin/mkdir -p '/usr/share/doc/openvpn' /usr/bin/install -c -m 644 management-notes.txt gui-notes.txt '/usr/share/doc/openvpn' /bin/mkdir -p '/usr/share/doc/openvpn' /usr/bin/install -c -m 644 openvpn.8.html openvpn-examples.5.html '/usr/share/doc/openvpn' /bin/mkdir -p '/usr/share/man/man5' /usr/bin/install -c -m 644 openvpn-examples.5 '/usr/share/man/man5' /bin/mkdir -p '/usr/share/man/man8' /usr/bin/install -c -m 644 openvpn.8 '/usr/share/man/man8' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/doc' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/doc' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/doc' Making install in tests make[3]: Entering directory '/usr/src/openvpn-2.5.9/tests' Making install in unit_tests make[4]: Entering directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[5]: Entering directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[6]: Entering directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[6]: Nothing to be done for 'install-exec-am'. make[6]: Nothing to be done for 'install-data-am'. make[6]: Leaving directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[5]: Leaving directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/tests/unit_tests' make[4]: Entering directory '/usr/src/openvpn-2.5.9/tests' make[5]: Entering directory '/usr/src/openvpn-2.5.9/tests' make[5]: Nothing to be done for 'install-exec-am'. make[5]: Nothing to be done for 'install-data-am'. make[5]: Leaving directory '/usr/src/openvpn-2.5.9/tests' make[4]: Leaving directory '/usr/src/openvpn-2.5.9/tests' make[3]: Leaving directory '/usr/src/openvpn-2.5.9/tests' make[3]: Entering directory '/usr/src/openvpn-2.5.9' make[4]: Entering directory '/usr/src/openvpn-2.5.9' make[4]: Nothing to be done for 'install-exec-am'. /bin/mkdir -p '/usr/share/doc/openvpn' /usr/bin/install -c -m 644 README README.IPv6 README.mbedtls Changes.rst COPYRIGHT.GPL COPYING '/usr/share/doc/openvpn' make[4]: Leaving directory '/usr/src/openvpn-2.5.9' make[3]: Leaving directory '/usr/src/openvpn-2.5.9' make[2]: Leaving directory '/usr/src/openvpn-2.5.9' make[1]: Leaving directory '/usr/src/openvpn-2.5.9' cd /usr/src/openvpn-2.5.9 && cp -Rvf /usr/src/config/ovpn /var/ipfire '/usr/src/config/ovpn/caconfig' -> '/var/ipfire/ovpn/caconfig' '/usr/src/config/ovpn/certs' -> '/var/ipfire/ovpn/certs' '/usr/src/config/ovpn/certs/index.txt' -> '/var/ipfire/ovpn/certs/index.txt' '/usr/src/config/ovpn/certs/index.txt.attr' -> '/var/ipfire/ovpn/certs/index.txt.attr' '/usr/src/config/ovpn/certs/serial' -> '/var/ipfire/ovpn/certs/serial' '/usr/src/config/ovpn/openssl' -> '/var/ipfire/ovpn/openssl' '/usr/src/config/ovpn/openssl/ovpn.cnf' -> '/var/ipfire/ovpn/openssl/ovpn.cnf' '/usr/src/config/ovpn/ovpnconfig' -> '/var/ipfire/ovpn/ovpnconfig' '/usr/src/config/ovpn/settings' -> '/var/ipfire/ovpn/settings' '/usr/src/config/ovpn/verify' -> '/var/ipfire/ovpn/verify' '/usr/src/config/ovpn/openvpn-authenticator' -> '/var/ipfire/ovpn/openvpn-authenticator' '/usr/src/config/ovpn/openvpn-crl-updater' -> '/var/ipfire/ovpn/openvpn-crl-updater' mkdir -vp /usr/lib/openvpn/plugins mkdir -vp /var/log/openvpn mkdir: created directory '/var/log/openvpn' mkdir -vp /var/ipfire/ovpn/ca mkdir: created directory '/var/ipfire/ovpn/ca' mkdir -vp /var/ipfire/ovpn/ccd mkdir: created directory '/var/ipfire/ovpn/ccd' mkdir -vp /var/ipfire/ovpn/crls mkdir: created directory '/var/ipfire/ovpn/crls' mkdir -vp /var/ipfire/ovpn/n2nconf mkdir: created directory '/var/ipfire/ovpn/n2nconf' mkdir -vp /var/ipfire/ovpn/scripts mkdir: created directory '/var/ipfire/ovpn/scripts' touch /var/ipfire/ovpn/ovpn-leases.db chmod 600 /var/ipfire/ovpn/ovpn-leases.db chown -R root:root /var/ipfire/ovpn/scripts chown -R nobody:nobody /var/ipfire/ovpn chmod 700 /var/ipfire/ovpn/certs mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify renamed '/var/ipfire/ovpn/verify' -> '/usr/lib/openvpn/verify' chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify # Add crl updater mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily renamed '/var/ipfire/ovpn/openvpn-crl-updater' -> '/etc/fcron.daily/openvpn-crl-updater' chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater # Move the OpenSSL configuration file out of /var/ipfire mkdir -pv /usr/share/openvpn mkdir: created directory '/usr/share/openvpn' mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ /usr/share/openvpn/ renamed '/var/ipfire/ovpn/openssl/ovpn.cnf' -> '/usr/share/openvpn/ovpn.cnf' rmdir -v /usr/share/openvpn rmdir: removing directory, '/usr/share/openvpn' rmdir: failed to remove '/usr/share/openvpn': Directory not empty make: *** [openvpn:99: /usr/src/log/openvpn-2.5.9] Error 1 --------------------------------------------------------------------------------- Regards, Adolf. >> Best, >> -Michael >> >>> On 7 Jun 2024, at 09:22, Adolf Belka <adolf.belka(a)ipfire.org> wrote: >>> >>> Hi Michael, >>> >>> Any comments on my feedback, did I make some errors or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186 which would mean giving it some good testing, which I am willing and available to do. >>> >>> Regards, >>> >>> Adolf. >>> >>> On 05/06/2024 13:52, Adolf Belka wrote: >>>> I re-did the vm build and first did a restore of my system so I could access the logs via ssh. >>>> >>>> Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file >>>> >>>> ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++ >>>> ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+.........................+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++ >>>> >>>> ----- >>>> You are about to be asked to enter information that will be incorporated >>>> into your certificate request. >>>> What you are about to enter is what is called a Distinguished Name or a DN. >>>> There are quite a few fields but you can leave some blank >>>> For some fields there will be a default value, >>>> If you enter '.', the field will be left blank. >>>> ----- >>>> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server >>>> >>>> So you can see explicitly what it came back with. >>>> >>>> Regards, >>>> >>>> Adolf >>>> >>>> >>>> On 05/06/2024 13:33, Adolf Belka wrote: >>>>> Hi All, >>>>> >>>>> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch. >>>>> >>>>> I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message. >>>>> >>>>> In the httpd/error_log file it had the following message >>>>> >>>>> Email Address []:Error checking request extension section server >>>>> >>>>> Regards, >>>>> >>>>> Adolf. >>>>> >>>>> On 05/06/2024 13:26, Adolf Belka wrote: >>>>>> Hi Michael, >>>>>> >>>>>> Here is my feedback on these three patches and the issues I found when I tried to use them. >>>>>> >>>>>> I had to manually apply them so there is also the possibility that I made a typo somewhere. >>>>>> >>>>>> On 18/04/2024 23:36, Michael Tremer wrote: >>>>>>> We should not have any configuration files that we share in this place, >>>>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>>>> should be able to update it without any issues. >>>>>>> >>>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> >>>>>>> --- >>>>>>> config/rootfiles/common/openvpn | 2 +- >>>>>>> html/cgi-bin/ovpnmain.cgi | 2 +- >>>>>>> lfs/openvpn | 6 ++++++ >>>>>>> 3 files changed, 8 insertions(+), 2 deletions(-) >>>>>>> >>>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >>>>>>> index d9848a579..c0d49bfad 100644 >>>>>>> --- a/config/rootfiles/common/openvpn >>>>>>> +++ b/config/rootfiles/common/openvpn >>>>>> These changes were no problem. >>>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>>>> #usr/share/man/man5/openvpn-examples.5 >>>>>>> #usr/share/man/man8/openvpn.8 >>>>>>> +usr/share/openvpn/openssl.cnf >>>>>>> var/ipfire/ovpn/ca >>>>>>> var/ipfire/ovpn/caconfig >>>>>>> var/ipfire/ovpn/ccd >>>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>>>> var/ipfire/ovpn/crls >>>>>>> var/ipfire/ovpn/n2nconf >>>>>>> #var/ipfire/ovpn/openssl >>>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>>>> var/ipfire/ovpn/openvpn-authenticator >>>>>>> var/ipfire/ovpn/ovpn-leases.db >>>>>>> var/ipfire/ovpn/ovpnconfig >>>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>>>> index 9b8ff5aa5..ed80fef7d 100755 >>>>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>>> Also this change no problem. >>>>>>> @@ -54,7 +54,7 @@ my %mainsettings = (); >>>>>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); >>>>>>> # Use a custom OpenSSL configuration file for all operations >>>>>>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; >>>>>>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; >>>>>>> ### >>>>>>> ### Initialize variables >>>>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>>>> index b71b4ccc9..0704aa438 100644 >>>>>>> --- a/lfs/openvpn >>>>>>> +++ b/lfs/openvpn >>>>>> This change refused to build as it said the directory removal was for a non empty directory. When I looked at it I believe that it needed to be different. >>>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>>> + mkdir -pv /usr/share/openvpn >>>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>>> + /usr/share/openvpn/ >>>>>>> + rmdir -v /usr/share/openvpn >>>>>>> + >>>>>> >>>>>> The above lines I changed to >>>>>> >>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>> + mkdir -pv /usr/share/openvpn >>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>> + /usr/share/openvpn/openssl.cnf >>>>>> + rmdir -v /var/ipfire/ovpn/openssl/ >>>>>> + >>>>>> with my changes in the last two lines. >>>>>> When I changed just the last line to start with then the openvpn lfs built but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one before last line. >>>>>> >>>>>> Regards, >>>>>> Adolf. >>>>>> >>>>>>> # Install authenticator >>>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>>>> /usr/sbin/openvpn-authenticator >> > ^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH 3/3] openvpn-crl-updater: Update for the changed configuration file 2024-04-18 21:36 [PATCH 1/3] ovpnmain.cgi: Define OpenSSL configuration globally Michael Tremer 2024-04-18 21:36 ` [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Michael Tremer @ 2024-04-18 21:36 ` Michael Tremer 1 sibling, 0 replies; 19+ messages in thread From: Michael Tremer @ 2024-04-18 21:36 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1182 bytes --] Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/ovpn/openvpn-crl-updater | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater index 5fbe21080..d22f8f78c 100644 --- a/config/ovpn/openvpn-crl-updater +++ b/config/ovpn/openvpn-crl-updater @@ -43,7 +43,9 @@ OVPN="/var/ipfire/ovpn" CRL="${OVPN}/crls/cacrl.pem" CAKEY="${OVPN}/ca/cakey.pem" CACERT="${OVPN}/ca/cacert.pem" -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" + +# Use an alternative OpenSSL configurtion file +export OPENSSL_CONF="/usr/share/openvpn/openssl.cnf" # Check if CRL is presant or if OpenVPN is active if [ ! -e "${CAKEY}" ]; then @@ -76,7 +78,7 @@ UPDATE="14" ## Mainpart # Check if OpenVPNs CRL needs to be renewed if [ ${NEXTUPDATE} -le ${UPDATE} ]; then - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}"; then logger -t openvpn "CRL has been updated" else logger -t openvpn "error: Could not update CRL" -- 2.39.2 ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2024-06-11 9:09 UTC | newest] Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-04-18 21:36 [PATCH 1/3] ovpnmain.cgi: Define OpenSSL configuration globally Michael Tremer 2024-04-18 21:36 ` [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Michael Tremer 2024-06-05 11:26 ` Adolf Belka 2024-06-05 11:33 ` Adolf Belka 2024-06-05 11:52 ` Adolf Belka 2024-06-07 8:22 ` Adolf Belka 2024-06-07 16:01 ` [PATCH] " Michael Tremer 2024-06-08 8:40 ` Adolf Belka 2024-06-08 10:14 ` Michael Tremer 2024-06-08 10:43 ` Adolf Belka 2024-06-08 11:00 ` Adolf Belka 2024-06-08 11:16 ` Adolf Belka 2024-06-09 7:58 ` Adolf Belka 2024-06-10 16:02 ` Michael Tremer 2024-06-11 9:09 ` Adolf Belka 2024-06-07 16:03 ` [PATCH 2/3] " Michael Tremer 2024-06-07 16:24 ` Adolf Belka 2024-06-07 19:46 ` Adolf Belka 2024-04-18 21:36 ` [PATCH 3/3] openvpn-crl-updater: Update for the changed configuration file Michael Tremer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox