Build OpenVPN with specific OpenSSL version

Anonymous (unverified), submitted on 2019-12-03 01:57:01

Question:

Similar questions have been asked before, but the answers no longer seem to apply as the flags have changed for the configure script. I am trying to compile OpenVPN from the git source on Ubuntu 14.04.5 on both x86 and x64. I have OpenSSL 1.0.1t built and installed to /usr/local/ssl. I've tried various combinations of the configure options and the compiler seems to recognize since

./configure OPENSSL_LIBS="-L/usr/local/ssl/ -lssl -lcrypto" OPENSSL_CFLAGS="-I/usr/local/ssl/include/" 

finishes with no errors, but ./configure OPENSSL_LIBS="-L/usr/local/ssl/" OPENSSL_CFLAGS="-I/usr/local/ssl/include/" results in configure: error: openssl check failed. Once you do make and make install, it still reports the system version of OpenSSL:

root@anonymous:/usr/local/src/openvpn# openvpn --version
OpenVPN 2.3_git [git:master/d1bd37fd508ee046] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Aug 16 2016
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

System OpenSSL:

root@anonymous:/usr/local/src/openvpn# openssl version
OpenSSL 1.0.1f 6 Jan 2014

Compiled OpenSSL:

root@anonymous:/usr/local/ssl/bin# ./openssl version
OpenSSL 1.0.1t  3 May 2016

I know it has to be something simple, but I saw other users asking about this on the OpenVPN Forums with no responses as of yet.

Answer 1:

Below is the procedure I used to build OpenVPN with OpenSSL 1.0.2. OpenSSL 1.0.1 vs. 1.0.2 vs. 1.1.0 should not matter. However, some Configure scripts die on OpenSSL 1.1.0 because 1.1.0 uses OPENSSL_init_ssl rather than SSL_library_init. Note the use of RPATHs on Linux (OS X would use a different technique).

OpenSSL configuration options are mostly documented at Compilation and Installation | Configure Options on their wiki. I did not find similar for OpenVPN, and ./configure --help was not very helpful. Often, for an Autotools project, you need to --with-ssl=, but OpenVPN does not appear to have that option. For OpenVPN, the process below went ad hoc using Autotools CFLAGS.

Both libraries disabled compression because it can leak information. For more details, see Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. The problem is the variable bit rate encoding, and the fundamental design is prevalent in other compression libraries (like zlib).

OpenSSL 1.0.2

$ wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
$ tar xzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h

$ ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
$ make -j 4
$ make test
$ sudo make install

You can check the openssl program is using the expected shared objects with:

$ ldd /usr/local/ssl/bin/openssl
    linux-vdso.so.1 =>  (0x00007ffc36578000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f94b48fb000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f94b448b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f94b40c6000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f94b3ec2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f94b4b6c000)

You can also make sure the new openssl is on-path with the following. It's not required for your issue, however.

$ sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
$ which openssl
/usr/local/bin/openssl

OpenVPN 2.3.11

$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
$ tar xzf openvpn-2.3.11.tar.gz
$ cd openvpn-2.3.11

$ CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure --disable-lzo
$ make -j 4

Next, check the OpenVPN program to see what it's linking to:

$ find . -type f -name openvpn
./src/openvpn/openvpn
$ ldd ./src/openvpn/openvpn
    linux-vdso.so.1 =>  (0x00007ffc8bfc4000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f74f437f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f74f4c64000)

Next, run the self tests:

$ make check
...
make[3]: Entering directory `/home/jwalton/openvpn-2.3.11/tests'
./t_client.sh: cannot find 't_client.rc' in build dir ('..')
./t_client.sh: or source directory ('.'). SKIPPING TEST.
SKIP: t_client.sh
Testing cipher AES-128-CBC... OK
Testing cipher AES-128-CFB... OK
Testing cipher AES-128-CFB1... OK
...

Install OpenVPN if it tests OK:

$ sudo make install
$ command -v openvpn
/usr/local/sbin/openvpn

Finally, check it:

$ /usr/local/sbin/openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Aug 17 2016
library versions: OpenSSL 1.0.2h  3 May 2016
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
...

If interested, you can find a build script to automate the process at Noloader | Build-Scripts. It includes one for OpenVPN.



Answer 2:

OpenVPN reports the version of the runtime library, so what you are seeing here is linking/dynamic library behaviour. Probably your ld.so.conf is set up to prefer /usr/lib/.so over /usr/local/lib/.so.
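
The ldd checks in Answer 1 and the runtime-linking point in Answer 2 can be turned into a repeatable test. The script below is an added example, not code from the question or either answer; the function names check_ssl_libs and check_binary are hypothetical, and the second sample is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the question or answers): check which libssl and
# libcrypto a dynamically linked binary resolves, against the OpenSSL prefix
# you built. Run ldd only on binaries you built or trust; `readelf -d BINARY`
# lists any RPATH/RUNPATH entry without invoking the loader.

# check_ssl_libs PREFIX   (reads `ldd` output on stdin)
#   exit 0: every libssl/libcrypto entry resolves under PREFIX
#   exit 1: at least one resolves elsewhere or is "not found"
#   exit 2: neither library is listed (static link, or the wrong file)
check_ssl_libs() (
    prefix=${1%/}; seen=0; bad=0
    while read -r name arrow path rest; do
        case $name in
            libssl.so*|libcrypto.so*) seen=1 ;;
            *) continue ;;
        esac
        case "$arrow $path" in
            "=> $prefix"/*) echo "OK   $name -> $path" ;;
            "=> not")       echo "BAD  $name -> not found"; bad=1 ;;
            *)              echo "BAD  $name -> $path (expected under $prefix)"; bad=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || exit 2
    exit "$bad"
)

# check_binary BINARY PREFIX: the same check against a real file.
check_binary() { ldd "$1" | check_ssl_libs "$2"; }

# Sample 1: ldd lines for ./src/openvpn/openvpn as quoted in Answer 1.
RPATH_LDD='    linux-vdso.so.1 =>  (0x00007ffc8bfc4000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)'

# Sample 2 (constructed): a build without an RPATH, so the loader falls back
# to the distribution's copies, as in the question.
SYSTEM_LDD='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000001000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000002000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

printf '%s\n' "$RPATH_LDD"  | check_ssl_libs /usr/local/ssl/lib || echo "mismatch (rc=$?)"
printf '%s\n' "$SYSTEM_LDD" | check_ssl_libs /usr/local/ssl/lib || echo "mismatch (rc=$?)"
```

On a real build, running check_binary ./src/openvpn/openvpn /usr/local/ssl/lib before make install catches a binary that would load the system OpenSSL at runtime.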


