[opensuse-factory] openvpn / pkcs11
Hi all,

This afternoon @work, I had to compare different openvpn setups. For years I used openvpn on opensuse or sles without the need to recompile myself for funky options.

However, today I wasn't pleased. I found that the compile option pkcs11 had been turned off. (openvpn-2.3.6 @SLE_11_SP3, from the OBS)

Effectively, this means that strong two-factor authentication is not possible anymore without recompiling. A very serious step back with regards to security. For some it would turn this rpm useless.

Can anyone elaborate if this was a SuSE decision? If so, why?

Unfortunately, I'm forced to use Ubuntu as well. On a 14.04_LTS, this option is left on. Hence I noticed the difference.

I think our community will be helped if this important option was turned back ON again. Locally compiling yourself isn't such a big deal for me, but it might be for others.

Kind regards,
Hans.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Mar 09, 2016 at 10:45:59PM +0100, Hans Witvliet wrote:
This afternoon @work, i had to compare different openvpn-setups. For years I used openvpn on opensuse or sles without the need to recompile myself for funky options.
However, today I wasn't pleased. I found that the compile-option pkcs11 had been turned off. (openvpn-2.3.6 @SLE_11_SP3, from the OBS)
OBS network:vpn/openvpn or which project/package? OBS network:vpn/openvpn is at 2.3.10. So please make sure to state which project you're talking about.
Effectively, this means that strong two-factor-authentication is not possible anymore without recompiling. A very serious step back with regards to security. For some it would turn this rpm useless.
Can anyone elaborate if this was a SuSE decision? If so, why?
From OBS network:vpn/openvpn there is nothing obvious which turns pkcs11 off. Neither from the spec file, package change log, or the build log.

Cheers,
Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team + SUSE Labs
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Thu, 2016-03-10 at 12:44 +0100, Lars Müller wrote:
On Wed, Mar 09, 2016 at 10:45:59PM +0100, Hans Witvliet wrote:
This afternoon @work, i had to compare different openvpn-setups. For years I used openvpn on opensuse or sles without the need to recompile myself for funky options.
However, today I wasn't pleased. I found that the compile-option pkcs11 had been turned off. (openvpn-2.3.6 @SLE_11_SP3, from the OBS)
OBS network:vpn/openvpn or which project/package?
OBS network:vpn/openvpn is at 2.3.10. So please make sure to state which project you're talking about.
Effectively, this means that strong two-factor-authentication is not possible anymore without recompiling. A very serious step back with regards to security. For some it would turn this rpm useless.
Can anyone elaborate if this was a SuSE decision? If so, why?
From OBS network:vpn/openvpn there is nothing obvious which turns pkcs11 off. Neither from the spec file, package change log, or the build log.
Cheers,
Lars
Hi Lars,

It was indeed from network:vpn/openvpn/SLE_11_SP3/x86_64/. The rpm I used is old, but I had to stick to that version, for compatibility reasons. When I get back at the office, I'll see if I can upgrade. But I think the issue remains the same....

If I check the compile options, I see:

OpenVPN 2.3.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 4 2016
library versions: OpenSSL 0.9.8j-fips 07 Jan 2009, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

So it explicitly says: enable_pkcs11=no

While on my other system, I get:

OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

Here it gives me: enable_pkcs11=yes

I am aware that the latter is a 32-bit Ubuntu version, but if I dig a little bit deeper..:

OpenVPN 2.2.2 x86_64-suse-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Dec 14 2011
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS ENABLE_X509ALTUSERNAME USE_CRYPTO USE_LIBDL USE_LZO USE_PKCS11 USE_SSL

That is on my old openSUSE_12.2; here it also says: USE_PKCS11

I know that I have used this option since openvpn_2.1.4 on SuSE machines. It could be that along the version road, the default value in the tarball has been switched off, but other distros have it compiled with "ON".

Sorry for being verbose :-)

Greetings,
Hans.
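A quick way to check for the situation Hans describes, as an added example that is not from the thread: a POSIX shell function that parses `openvpn --version` output and reports whether PKCS#11 support was compiled in, recognising the three formats quoted above (the 2.3.x `enable_pkcs11=yes|no` define, the 2.2.x `USE_PKCS11` define, and the `[PKCS11]` banner tag). The sample banners are constructed, abbreviated from the outputs in the thread; the lookup of a locally installed binary is optional and assumes `openvpn` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `openvpn --version` output
# whether the binary was built with PKCS#11 support, so a config that relies on
# a hardware token (--pkcs11-id) is not rolled out against a build lacking it.
# Recognised formats: "enable_pkcs11=yes|no" (2.3.x configure defines),
# "USE_PKCS11" (2.2.x defines) and the "[PKCS11]" feature tag in the banner.
# Prints "yes" or "no" on stdout.
openvpn_has_pkcs11() {
    out="$1"
    case "$out" in
        *"enable_pkcs11=no"*)  echo no ;;   # explicit opt-out wins over any tag
        *"enable_pkcs11=yes"*|*"USE_PKCS11"*|*"[PKCS11]"*) echo yes ;;
        *)                     echo no ;;   # unknown format: assume not available
    esac
}

# Constructed sample banners, abbreviated from the outputs quoted in the thread.
SUSE_2_3_10='OpenVPN 2.3.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Compile time defines: enable_crypto=yes enable_pkcs11=no enable_plugins=yes'
UBUNTU_2_3_2='OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6]
Compile time defines: enable_crypto=yes enable_pkcs11=yes enable_plugins=yes'
SUSE_2_2_2='OpenVPN 2.2.2 x86_64-suse-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia]
Compile time defines: ENABLE_CLIENT_SERVER USE_LZO USE_PKCS11 USE_SSL'

# Optional: check the locally installed binary, if there is one on the PATH.
# `openvpn --version` exits non-zero after printing, hence the `|| true`.
if command -v openvpn >/dev/null 2>&1; then
    printf 'installed openvpn PKCS#11 support: %s\n' \
        "$(openvpn_has_pkcs11 "$(openvpn --version 2>/dev/null || true)")"
fi
```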
Hi Hans,

just for curiosity I tried to build openvpn (from leap ...) on my openSUSE 13.1 machine. The result was - no pkcs - the reason shows from within config.log in the BUILD directory:

configure:15641: checking for PKCS11_HELPER
configure:15648: $PKG_CONFIG --exists --print-errors "libpkcs11-helper-1 >= 1.11"
Requested 'libpkcs11-helper-1 >= 1.11' but version of pkcs11-helper is 1.09
configure:15651: $? = 1
configure:15665: $PKG_CONFIG --exists --print-errors "libpkcs11-helper-1 >= 1.11"
Requested 'libpkcs11-helper-1 >= 1.11' but version of pkcs11-helper is 1.09
configure:15668: $? = 1
configure:15682: result: no
Requested 'libpkcs11-helper-1 >= 1.11' but version of pkcs11-helper is 1.09
configure:15715: checking for OPENSSL_CRYPTO

and then

#define CONFIGURE_DEFINES "enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \
enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes \
enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes \
enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes \
enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes \
enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no \
enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no"

"enable_pkcs11=no"

Could it potentially be that you are running into a similar issue? Just to make sure ....

Take care
Dieter Jurzitza
Hi Hans,

well, I did some more investigations. After upgrading pkcs-helper the enable_pkcs still showed "no" in the config.log file. However, after adding an --enable-pkcs to configure in the specfile pkcs was enabled. Therefore my first comment was kind of misleading; it seems like pkcs needs to be explicitly enabled when building on 13.1 - independent of the fact that I had to upgrade the helper library.

Take care
Dieter Jurzitza
On Fri, 2016-03-11 at 06:29 +0000, Jurzitza, Dieter wrote:
Hi Hans, well, I did some more investigations. After upgrading pkcs-helper the enable_pkcs still showed "no" in the config.log file. However, after adding an
--enable-pkcs
to configure in the specfile pkcs was enabled. Therefore my first comment was kind of misleading, it seems like pkcs needs to be explicitly enabled when building on 13.1 - independent of the fact that I had to upgrade the helper - library.
Take care
Thanks Dieter,

So does that imply that along the history of the openvpn tarball from upstream, the default settings have been changed? That pkcs used to be enabled by default (and you could disable it when you re-compile), and that it is now the other way round: that it is disabled by default, and if you want it, you should rebuild after explicitly enabling it?

greetings,
Hans
Jurzitza, Dieter wrote:
Dieter Jurzitza
(garbled base64 trailer quoted from Dieter's mail)

BTW, your email shows this "mlmmj" bug, which unfortunately has the state RESOLVED WONTFIX: https://bugzilla.novell.com/show_bug.cgi?id=848112

Dieter, please turn off BASE64 encoding in your mailer to avoid the bug.

Greetings,
Björn
participants (4)
- Bjoern Voigt
- Hans Witvliet
- Jurzitza, Dieter
- Lars Müller