[PR PATCH] openvpn: add mbedtls build option.

[PR PATCH] openvpn: add mbedtls build option.

[travankor]

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

There is a new pull request by travankor against master on the void-packages repository

https://github.com/travankor/void-packages openvpn
https://github.com/void-linux/void-packages/pull/23429

openvpn: add mbedtls build option.
Default to it since openvpn is broken with libressl-3.1.X.

A patch file from https://github.com/void-linux/void-packages/pull/23429.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-openvpn-23429.patch --]
[-- Type: text/x-diff, Size: 1784 bytes --]

From ab534b57aff132f0c8e2a0e51bbfc013739659e1 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Mon, 6 Jul 2020 15:13:09 -0700
Subject: [PATCH] openvpn: add mbedtls build option.

Default to it since openvpn is broken with libressl-3.1.X.
---
 srcpkgs/openvpn/template | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/srcpkgs/openvpn/template b/srcpkgs/openvpn/template
index a348cfba8d2..ea91ee802de 100644
--- a/srcpkgs/openvpn/template
+++ b/srcpkgs/openvpn/template
@@ -1,12 +1,13 @@
 # Template file for 'openvpn'
 pkgname=openvpn
 version=2.4.9
-revision=2
+revision=3
 build_style=gnu-configure
-configure_args="--enable-pkcs11 --enable-iproute2 --disable-systemd"
+configure_args="$(vopt_enable pkcs11) --enable-iproute2 --disable-systemd
+ $(vopt_with mbedtls crypto-library=mbedtls)"
 hostmakedepends="iproute2 pkg-config"
-makedepends="libressl-devel lzo-devel pam-devel pkcs11-helper-devel
- cmocka-devel"
+makedepends="$(vopt_if mbedtls mbedtls-devel libressl-devel) lzo-devel pam-devel
+ $(vopt_if pkcs11 pkcs11-helper-devel) cmocka-devel"
 depends="iproute2"
 short_desc="Easy-to-use, robust, and highly configurable VPN"
 maintainer="Orphaned <orphan@voidlinux.org>"
@@ -15,6 +16,12 @@ homepage="https://www.openvpn.net"
 distfiles="http://build.openvpn.net/downloads/releases/${pkgname}-${version}.tar.xz"
 checksum=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
 
+build_options="mbedtls pkcs11"
+build_options_default="mbedtls"
+desc_option_mbedtls="Build with mbedtls support"
+desc_option_pkcs11="Enable support for PKCS#11"
+vopt_conflict mbedtls pkcs11
+
 post_install() {
 	vmkdir usr/share/examples/${pkgname}
 	cp -r sample/sample-config-files/* ${DESTDIR}/usr/share/examples/${pkgname}

Re: openvpn: add mbedtls build option.

[travankor]

[-- Attachment #1: Type: text/plain, Size: 195 bytes --]

New comment by travankor on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-654530176

Comment:
@jkoderu-git This should fix the issue with openvpn.

Re: openvpn: add mbedtls build option.

[mobinmob]

[-- Attachment #1: Type: text/plain, Size: 184 bytes --]

New comment by mobinmob on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-654691501

Comment:
That is nice - mbedtls has LTS releases ;)

Re: openvpn: add mbedtls build option.

[jkoderu-git]

[-- Attachment #1: Type: text/plain, Size: 188 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-654881215

Comment:
Thank you so much @travankor for your help!

Re: openvpn: add mbedtls build option.

[Johnnynator]

[-- Attachment #1: Type: text/plain, Size: 237 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-656757855

Comment:
Did you check if this fixes the problematic servers? (only aware of ProtonVPN confis so far)

Re: openvpn: add mbedtls build option.

[ericonr]

[-- Attachment #1: Type: text/plain, Size: 205 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-656778087

Comment:
Can we be sure this doesn't break other uses of OpenVPN as well?

Re: openvpn: add mbedtls build option.

[travankor]

[-- Attachment #1: Type: text/plain, Size: 908 bytes --]

New comment by travankor on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-656906045

Comment:
`mbedtls` is officially supported by openvpn. This should be 100% interoperable with other openvpn instances. (Some trivia: This version of openvpn was sponsored by the Dutch government for their restricted communication channels.)

The features that don't work compared to the openssl build:
```
 * PKCS#12 file support
 * --capath support - Loading certificate authorities from a directory
 * Windows CryptoAPI support
 * X.509 alternative username fields (must be "CN")
```

This is why the `mbedtls` and `pkcs12` options conflict since the build fails with both turned on.

---
Admittedly, I don't know the reason why libressl is causing problems and to what extent things are broken with openvpn. And yes, I tested protonovpn, which seems to work.

Re: openvpn: add mbedtls build option.

[travankor]

[-- Attachment #1: Type: text/plain, Size: 481 bytes --]

New comment by travankor on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-656952817

Comment:
>Can we be sure this doesn't break other uses of OpenVPN as well?

Can you suggest some to test? Keep in mind that I can't really test every use case (like the ones involving corporate networks).

So far, I think the main difference is that the mbedtls version is a little slower and less responsive than the openssl/libressl version.

Re: openvpn: add mbedtls build option.

[ericonr]

[-- Attachment #1: Type: text/plain, Size: 329 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-656960389

Comment:
> Can you suggest some to test?

I have no idea, because I don't use it myself. Just want to avoid a regression for OpenVPN users whose setup is working with the latest LibreSSL version.

Re: openvpn: add mbedtls build option.

[travankor]

[-- Attachment #1: Type: text/plain, Size: 264 bytes --]

New comment by travankor on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-656965893

Comment:
The best solution is to use Openssl. The other options are either 1) mbedtls or 2) patch libressl and/or openvpn to work.

Re: [PR PATCH] [Merged]: openvpn: add mbedtls build option.

[Johnnynator]

[-- Attachment #1: Type: text/plain, Size: 226 bytes --]

There's a merged pull request on the void-packages repository

openvpn: add mbedtls build option.
https://github.com/void-linux/void-packages/pull/23429

Description:
Default to it since openvpn is broken with libressl-3.1.X.

Re: openvpn: add mbedtls build option.

[Redcroft]

[-- Attachment #1: Type: text/plain, Size: 235 bytes --]

New comment by Redcroft on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-658110857

Comment:
Hi,

This has broken pcks12 for me, is there anyway we can re-enable this option?

Thanks

Re: openvpn: add mbedtls build option.

[ericonr]

[-- Attachment #1: Type: text/plain, Size: 222 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-658131558

Comment:
@Redcroft could you open a separate issue, please? That way it's easier to track.

Re: openvpn: add mbedtls build option.

[ericonr]

[-- Attachment #1: Type: text/plain, Size: 318 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/23429#issuecomment-658131558

Comment:
@Redcroft could you open a separate issue, please? That way it's easier to track. If you know how to build the package yourself, you can build it with the `pcks11` build option.