On Thu, 2016-03-10 at 12:44 +0100, Lars Müller wrote:
> On Wed, Mar 09, 2016 at 10:45:59PM +0100, Hans Witvliet wrote:
> > This afternoon @work, I had to compare different openvpn-setups.
> > For years I used openvpn on openSUSE or SLES without the need to
> > recompile myself for funky options.
> > However, today I wasn't pleased. I found that the compile-option pkcs11
> > had been turned off. (openvpn-2.3.6 @SLE_11_SP3, from the OBS)
> OBS network:vpn/openvpn or which project/ package?
> OBS network:vpn/openvpn is at 2.3.10. So please ensure to state about
> which project you're talking.
> > Effectively, this means that strong two-factor-authentication is not
> > possible anymore without recompiling. A very serious step back with
> > regards to security. For some it would turn this rpm useless.
> > Can anyone elaborate if this was a SuSE decision? If so, why?
> From OBS network:vpn/openvpn there is nothing obvious which turns pkcs11
> off. Neither from the spec file, package change log, or the build log.
> Cheers,
> Lars
Hi Lars,
It was indeed from network:vpn/openvpn/SLE_11_SP3/x86_64/
the rpm I used is old, but I had to stick to that version, for
compatibility reasons.
When I get back at the office, I'll see if I can upgrade.
But I think the issue remains the same....
If I check the compile options, I see:
OpenVPN 2.3.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH]
[IPv6] built on Jan 4 2016
library versions: OpenSSL 0.9.8j-fips 07 Jan 2009, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes
enable_debug=yes enable_def_auth=yes enable_dlopen=unknown
enable_dlopen_self=unknown enable_dlopen_self_static=unknown
enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes
enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes
enable_lzo_stub=no enable_management=yes enable_multi=yes
enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes
enable_pedantic=no enable_pf=yes enable_pkcs11=no
enable_plugin_auth_pam=yes enable_plugin_down_root=yes
enable_plugins=yes enable_port_share=yes enable_selinux=no
enable_server=yes enable_shared=yes
enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes
enable_ssl=yes enable_static=yes enable_strict=no
enable_strict_options=no enable_systemd=no enable_win32_dll=yes
enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes
with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins'
with_sysroot=no
So it explicitly says: enable_pkcs11=no
While on my other system, I get:
OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11]
[eurephia] [MH] [IPv6] built on Dec 1 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
Compile time defines: enable_crypto=yes enable_debug=yes
enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown
enable_dlopen_self=unknown enable_dlopen_self_static=unknown
enable_eurephia=yes enable_fast_install=yes enable_fragment=yes
enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes
enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no
enable_management=yes enable_multi=yes enable_multihome=yes
enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no
enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes
enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes
enable_selinux=no enable_server=yes enable_shared=yes
enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes
enable_ssl=yes enable_static=yes enable_strict=no
enable_strict_options=no enable_systemd=no enable_win32_dll=yes
enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes
with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip
with_mem_check=no with_plugindir='${prefix}/lib/openvpn'
with_route_path=/sbin/route with_sysroot=no
here it gives me: enable_pkcs11=yes
I am aware that the latter is a 32-bit Ubuntu version,
but if I dig a little bit deeper..:
OpenVPN 2.2.2 x86_64-suse-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11]
[eurephia] built on Dec 14 2011
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA
ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME
ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS
ENABLE_X509ALTUSERNAME USE_CRYPTO USE_LIBDL USE_LZO USE_PKCS11 USE_SSL
That is on my old openSUSE_12.2
here it also says: USE_PKCS11
I know that I use this option since openvpn_2.1.4 on SuSE machines
It could be that along the version-road, the default value in the
tarball has been switched off, but other distros have it compiled with
"ON".
Sorry for being verbose :-)
Greetings, Hans.
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
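The check Hans does by eye above (read `openvpn --version`, look for `enable_pkcs11=yes` in the 2.3.x "Compile time defines" line, or `USE_PKCS11` in the 2.2.x one, or `[PKCS11]` in the banner) can be scripted so it can run across a fleet of hosts or in a package acceptance test. The script below is an added example, not code from the thread or from the openvpn package; the function names and the decision logic are mine, and the three sample strings are shortened excerpts of the outputs quoted in the thread, embedded so the script runs offline. It treats the autoconf-style define as authoritative, falls back to the older `USE_PKCS11` token, and only then to the bracketed banner feature list.

```shell
#!/bin/sh
# Added example (not from the thread): decide from the text of
# `openvpn --version` whether a binary was built with PKCS#11 support.
# Function names and logic are my own; the samples are shortened
# excerpts of the three outputs quoted in the thread.

# Shortened excerpts of the outputs quoted in the thread (constructed samples).
SAMPLE_SLE='OpenVPN 2.3.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 4 2016
Compile time defines: enable_crypto=yes enable_pf=yes enable_pkcs11=no
enable_plugin_auth_pam=yes enable_plugins=yes'

SAMPLE_UBUNTU='OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Compile time defines: enable_crypto=yes enable_pf=yes enable_pkcs11=yes
enable_plugin_auth_pam=yes enable_plugins=yes'

SAMPLE_OLD='OpenVPN 2.2.2 x86_64-suse-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Dec 14 2011
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG USE_CRYPTO USE_LZO USE_PKCS11 USE_SSL'

# openvpn_define TEXT NAME: print the value of an autoconf-style define
# such as enable_pkcs11 ("yes" / "no"), or "unset" if the token is absent.
# Tokens are split on whitespace, so mail-wrapped output is handled too.
openvpn_define() {
    _val=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1)
    printf '%s\n' "${_val:-unset}"
}

# openvpn_feature TEXT TOKEN: succeed if "[TOKEN]" (PKCS11, eurephia, ...)
# appears in the bracketed feature list of the banner line.
openvpn_feature() {
    printf '%s\n' "$1" | grep -Fq "[$2]"
}

# openvpn_has_pkcs11 TEXT: exit 0 when TEXT describes a PKCS#11-enabled build.
# Order of trust: 2.3.x define, then 2.2.x USE_PKCS11 token, then banner.
openvpn_has_pkcs11() {
    case "$(openvpn_define "$1" enable_pkcs11)" in
        yes) return 0 ;;
        no)  return 1 ;;
    esac
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'USE_PKCS11' && return 0
    openvpn_feature "$1" PKCS11
}

# openvpn_pkcs11_report TEXT: one-line summary, "pkcs11=yes" or "pkcs11=no".
openvpn_pkcs11_report() {
    if openvpn_has_pkcs11 "$1"; then echo "pkcs11=yes"; else echo "pkcs11=no"; fi
}

# Stand-alone run: report on the samples, then on an installed binary if any.
for s in "$SAMPLE_SLE" "$SAMPLE_UBUNTU" "$SAMPLE_OLD"; do
    printf '%s: %s\n' "$(printf '%s\n' "$s" | head -n 1 | cut -d' ' -f1-2)" \
        "$(openvpn_pkcs11_report "$s")"
done
if command -v openvpn >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(openvpn_pkcs11_report "$(openvpn --version 2>/dev/null)")"
fi
```

On the SLE 11 SP3 sample this prints `pkcs11=no`, on the other two `pkcs11=yes`. The caveat the thread itself makes: a `no` here cannot be undone by configuration, because the PKCS#11 code and its options are compiled out, so the only fixes are a rebuild with `--enable-pkcs11` or a package from a project that builds it in.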