OpenVPN v2.7_beta1 does not build with FreeBSD's wolfSSL 5.8.2_1 package

Open mandree opened this issue 4 months ago • 2 comments

Describe the bug

OpenVPN v2.7_beta1 does not build with FreeBSD's wolfSSL 5.8.2_1 package, the compiler complains about type differences that for some reason aren't fatal, and the linker bombs out:

In file included from ../../../src/openvpn/ssl_openssl.h:32,
                 from ../../../src/openvpn/ssl_backend.h:36,
                 from ../../../src/openvpn/ssl_openssl.c:42:
../../../src/openvpn/ssl_openssl.c: In function 'key_state_export_keying_material':
/usr/local/include/wolfssl/openssl/ssl.h:398:41: warning: implicit declaration of function 'wolfSSL_export_keying_material'; did you mean 'SSL_export_keying_material'? [-Wimplicit-function-declaration]
  398 | #define SSL_export_keying_material      wolfSSL_export_keying_material
      |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../../src/openvpn/ssl_openssl.c:161:9: note: in expansion of macro 'SSL_export_keying_material'
  161 |     if (SSL_export_keying_material(ssl, ekm, ekm_size, label, label_size, NULL, 0, 0) == 1)
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~
../../../src/openvpn/ssl_openssl.c: In function 'show_available_tls_ciphers_list':
../../../src/openvpn/ssl_openssl.c:2551:32: warning: implicit declaration of function 'SSL_get1_supported_ciphers'; did you mean 'dco_get_supported_ciphers'? [-Wimplicit-function-declaration]
 2551 |     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                dco_get_supported_ciphers
../../../src/openvpn/ssl_openssl.c:2551:32: warning: initialization of 'WOLFSSL_STACK *' from 'int' makes pointer from integer without a cast [-Wint-conversion]

[...]

  CCLD     openvpn
/usr/local/bin/ld: ssl_openssl.o: in function `key_state_export_keying_material':
/home/mandree/VCS-other/openvpn.git/_build-wolfssl/src/openvpn/../../../src/openvpn/ssl_openssl.c:161:(.text+0xb1a): undefined reference to `wolfSSL_export_keying_material'
/usr/local/bin/ld: ssl_openssl.o: in function `show_available_tls_ciphers_list':
/home/mandree/VCS-other/openvpn.git/_build-wolfssl/src/openvpn/../../../src/openvpn/ssl_openssl.c:2551:(.text+0x3697): undefined reference to `SSL_get1_supported_ciphers'
collect2: error: ld returned 1 exit status

To Reproduce

  1. get a FreeBSD system ready and clone the OpenVPN Git repo.
  2. pkg install -y wolfssl gmake automake - add more requisites as needed
  3. autoreconf -si
  4. mkdir _build-wolfssl
  5. cd _build-wolfssl && ../configure --with-crypto-library=wolfssl
  6. env MAKE=gmake gmake -j

Expected behavior

Build passes.

Version information (please complete the following information):

  • OS: FreeBSD 14.3-RELEASE-p2, with wolfssl-5.8.2_1 installed
  • OpenVPN version: Git 88f8edbf7545dc7913d031ea12c4bae5250bb766 (describe: v2.7_beta1-1-g88f8edbf)

mandree avatar Sep 08 '25 18:09 mandree
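The compiler warnings and the link failure in the report above are two views of one problem: once a function is implicitly declared, C assumes it returns int, so the call still compiles (with the pointer-from-int warning seen at ssl_openssl.c:2551) and the missing symbol only surfaces when ld runs. As an added example that is not part of the issue or of OpenVPN's own code, here is a small Python triage script that parses gcc/ld output in that shape and pairs each implicitly declared function with its later undefined reference; the sample log lines are constructed from the output quoted above, with the build paths shortened.

```python
"""Triage a C build log: correlate -Wimplicit-function-declaration warnings
with the undefined-reference link errors that usually follow them."""
import re

# Constructed sample in the shape of the gcc/ld output from the issue
# (paths shortened; not the verbatim log).
SAMPLE_LOG = """\
../../../src/openvpn/ssl_openssl.c: In function 'key_state_export_keying_material':
/usr/local/include/wolfssl/openssl/ssl.h:398:41: warning: implicit declaration of function 'wolfSSL_export_keying_material'; did you mean 'SSL_export_keying_material'? [-Wimplicit-function-declaration]
  398 | #define SSL_export_keying_material      wolfSSL_export_keying_material
../../../src/openvpn/ssl_openssl.c:161:9: note: in expansion of macro 'SSL_export_keying_material'
../../../src/openvpn/ssl_openssl.c: In function 'show_available_tls_ciphers_list':
../../../src/openvpn/ssl_openssl.c:2551:32: warning: implicit declaration of function 'SSL_get1_supported_ciphers'; did you mean 'dco_get_supported_ciphers'? [-Wimplicit-function-declaration]
../../../src/openvpn/ssl_openssl.c:2551:32: warning: initialization of 'WOLFSSL_STACK *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  CCLD     openvpn
/usr/local/bin/ld: ssl_openssl.o: in function `key_state_export_keying_material':
ssl_openssl.c:161:(.text+0xb1a): undefined reference to `wolfSSL_export_keying_material'
/usr/local/bin/ld: ssl_openssl.o: in function `show_available_tls_ciphers_list':
ssl_openssl.c:2551:(.text+0x3697): undefined reference to `SSL_get1_supported_ciphers'
collect2: error: ld returned 1 exit status
"""

# gcc "file:line:col: warning: implicit declaration of function 'name'"
IMPLICIT_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): warning: "
    r"implicit declaration of function '(?P<func>[^']+)'"
)
# gcc -Wint-conversion: the int result of an implicit call stored into a pointer
INT_CONV_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): warning: "
    r"initialization of '(?P<type>[^']+)' from 'int' makes pointer from integer"
)
# GNU ld: undefined reference to `symbol'
UNDEF_RE = re.compile(r"undefined reference to `(?P<sym>[^']+)'")


def parse_log(text):
    """Split a build log into the three facts the triage needs."""
    implicit = {}    # function name -> (file, line) of the implicit declaration
    int_conv = set()  # (file, line) locations where int was turned into a pointer
    undefined = []   # symbols ld could not resolve, in the order reported
    for raw in text.splitlines():
        line = raw.strip()
        m = IMPLICIT_RE.match(line)
        if m:
            implicit[m["func"]] = (m["file"], int(m["line"]))
            continue
        m = INT_CONV_RE.match(line)
        if m:
            int_conv.add((m["file"], int(m["line"])))
            continue
        m = UNDEF_RE.search(line)
        if m:
            undefined.append(m["sym"])
    return implicit, int_conv, undefined


def triage(text):
    """Return which implicit declarations became link failures, and which of
    them also had their int return value silently converted to a pointer."""
    implicit, int_conv, undefined = parse_log(text)
    missing = [sym for sym in undefined if sym in implicit]
    # Same file:line for the implicit call and the int->pointer warning means
    # the call site stored a bogus int into a pointer variable.
    pointer_from_int = sorted(
        func for func, loc in implicit.items() if loc in int_conv
    )
    return {
        "implicit_declared": sorted(implicit),
        "missing_symbols": missing,
        "pointer_from_int": pointer_from_int,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on the sample lists both implicitly declared functions as the two symbols ld failed on, and flags SSL_get1_supported_ciphers as the call whose int result was stuffed into a WOLFSSL_STACK pointer. The practical takeaway for a build pipeline is to pass -Werror=implicit-function-declaration so that a library built without the expected feature set fails at the first compile step rather than at link time or, worse, at run time on another platform.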

Currently, wolfSSL 5.8.2 is incompatible with OpenVPN for another reason as well.

WolfSSL changed their license from GPL2+ to GPL3, making wolfSSL incompatible with OpenVPN's GPL2-only licensing. So for now we will probably rather wait and see if that gets resolved before we look into fixing it (open issue for this: https://github.com/wolfSSL/wolfssl/issues/9143).

schwabe avatar Sep 09 '25 13:09 schwabe

So the license thing has been solved, I hear :-) - any volunteers to re-test current git master (rc4-to-be) with WolfSSL 5.8. on FreeBSD...? @mandree do you have time?

cron2 avatar Dec 16 '25 18:12 cron2

Well, wolfSSL_export_keying_material is something that is definitively required for OpenVPN 2.6 and later, as these versions require TLS EKM to work.

Unfortunately the FreeBSD wolfSSL port does not enable this feature by default.

diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile
index 910e018a11dd..4d875d286afb 100644
--- a/security/wolfssl/Makefile
+++ b/security/wolfssl/Makefile
@@ -37,7 +37,8 @@ CONFIGURE_ARGS=       --disable-dependency-tracking \
                --enable-ssh \
                --enable-static \
                --enable-tls13 \
-               --enable-tls13-draft18
+               --enable-tls13-draft18 \
+                --enable-keying-material
 TEST_TARGET=   check
 CFLAGS+=       -DWOLFSSL_ALT_NAMES -DWOLFSSL_GETRANDOM=1
 CFLAGS_i386=   -DWOLFSSL_SHA224
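Review bot: the added continuation line `+                --enable-keying-material` is indented one column deeper than `--enable-tls13-draft18` directly above it, so align it with the other CONFIGURE_ARGS continuation lines. Since the second undefined reference in the report (SSL_get1_supported_ciphers) stems from wolfSSL gating its OpenSSL-compat surface on the build option rather than on a missing feature, consider whether `--enable-openvpn` belongs in this same CONFIGURE_ARGS block of the port, as the comment below notes that only a wolfSSL build configured with it reports the version number OpenVPN expects.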

For the other error, the problem is that wolfSSL decided to put some things under special compile options that are normally not included in the library, like:

#elif defined(OPENSSL_ALL) || defined(HAVE_LIGHTY) || \
    defined(WOLFSSL_NGINX) || defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_OPENVPN)
    /* version number can be increased for Lighty after compatibility for ECDH
       is added */
    #define OPENSSL_VERSION_NUMBER 0x10001040L
#else
    #define OPENSSL_VERSION_NUMBER 0x0090810fL
#endif

Also, the SSL_get_ciphers we use when the OpenSSL library version is below 1.1.0 is hidden under OPENSSL_ALL:

#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)
#define SSL_get_rbio                    wolfSSL_SSL_get_rbio
#define SSL_get_wbio                    wolfSSL_SSL_get_wbio
#define SSL_do_handshake                wolfSSL_SSL_do_handshake
#define SSL_get_ciphers(x)              wolfSSL_get_ciphers_compat(x)

That seems to be at least defined, but because of wolfSSL's stupid version trickery, only a wolfSSL build with --enable-openvpn will report a version number for OpenVPN that is lower than 1.1.0. Here is a patch to fix that: https://gerrit.openvpn.net/c/openvpn/+/1448

FreeBSD version used here:

[13:11]arne@imp:~% uname -a
FreeBSD imp 15.0-RELEASE-p1 FreeBSD 15.0-RELEASE-p1 n280999-63a5b645b23e GENERIC amd64

schwabe avatar Dec 17 '25 12:12 schwabe