
Updates to pkcs11-helper and RFC7512 patch set

Open becm opened this issue 1 month ago • 7 comments

A new pkcs11-helper release 1.31 dropped.

The patch set for RFC7512 applied to OpenVPN Windows builds also gained an additional fix. Seems to be a notation issue and not affect any OpenVPN use case. It has also not (yet?) made its way into Fedora (which should still be the "official" upstream?).

becm avatar Nov 12 '25 16:11 becm

Continuing to use some "upstream" version (fedora?) would be nice but they have not yet updated it for 1.31 (there is a minor conflict).

See https://gerrit.openvpn.net/c/openvpn/+/1368 for a local fix

P.S. The current version of the patch we have does not look identical to the Fedora version. May be the same in content, but what we have looks manually cobbled together.

selvanair avatar Nov 12 '25 19:11 selvanair

The sync-up applied in OpenVPN/openvpn-build#203 seems to not have made its way to the openvpn repo. ☹

becm avatar Nov 14 '25 00:11 becm

That one was lost when generic build was removed and someone started from scratch here, it seems. Can be changed in master (2.8) after fedora patch gets updated.

selvanair avatar Nov 14 '25 02:11 selvanair

Update to pkcs11-helper and adjusted patch got applied as 3d0d4b1 (master) and 031fdbc (release/2.6).

Depending on the activities in Fedora and the original patch source, there might arise the decision to:

  • wait until release/2.7 and to not apply a big delta during the release phase or
  • apply an official version as soon as possible to not have potential deviations during 2.7 lifetime.

becm avatar Nov 19 '25 15:11 becm

I'm not sure if I understand what we should do, but I guess @selvanair understands this better and will tell me ;-) - from my point of view, this is a helper we ship on windows, and we want to have some patches, so we update pkcs11-helper & patches as needed, even in the middle of a release train.

cron2 avatar Nov 19 '25 15:11 cron2

No further actions yet. → optionally; close issue and somebody hopefully remembers the pending cleanup.

Neither the Fedora repo nor the original PR the patch originates from are up-to-date. There might be a time later on (hopefully soon) when there are clean upstream version(s) that can be used. The current patch seems to be an older variant of an "official" Fedora version with adjustments by @selvanair to make it work with pkcs11-helper 1.31.

Depending on the strategy on if/where/how to get the latest upstream version, the content of the patch may change (massively) with the result of applying it (hopefully) not so much. (→ basically the same action applied in the openvpn-build repo)

becm avatar Nov 19 '25 15:11 becm

We can't depend on Fedora for this -- like right now we want 1.31 for security reasons, but Fedora is not yet updated. Also, the Fedora patch is not meant for Windows --- though it may work right now, it could break in future.

My take is that a long time ago we decided to include an "unofficial" patch for pkcs11-helper in our Windows builds. That implicitly meant we took custody of it in some form, and will keep it up to date as long as practical. We just continue doing that in a minimalist way.

selvanair avatar Nov 19 '25 18:11 selvanair