Trying to run openvpn with another engine

R

rogeriohblima

Well, I made a new engine (new-engine) to run openvpn with it. It works in Linux, but in the FreeBSB it doesn't (I already compiled in that machine). Below is the error when I try to connect:

1660243594532.png


I already put my new-engine.so in the folder /usr/lib/engines/ and my config file is below:

Code: 
port 1194
proto udp
dev tun
secret static.key
engine new-engine

And I already put the section about my engine in the openssl.cnf:

Code: 
 openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engines = engine_section

[engine_section]
new-engine = new-engine_config

[new-engine_config]
engine_id = new-engine
dynamic_path = /usr/lib/engines/new-engine.so
init=1
 
Is the OPENSSL_CONF environment variable defined?

The substring 'new-engine' must be replaced by the substring 'new_engine' everywhere except the library file name.

config - OpenSSL Documentation

www.openssl.org www.openssl.org
Each section in a configuration file consists of a number of name and value pairs of the form name=value
The name string can contain any alphanumeric characters as well as a few punctuation symbols such as . , ; and _.
Click to expand...
 
How does it look on my computer:

in FreeBSD (I'm on Linux now, so here's a picture):
aa.png


in Linux:
Code: 
lanin@debian2:/etc/openvpn$ ls -lR .
.:
итого 36
-rw-r--r-- 1 root root 1184 авг 31  2021 ca.crt
drwxr-xr-x 2 root root 4096 мая 14  2021 client
-rw-r--r-- 1 root root  408 авг 31  2021 client.conf
-rw-r--r-- 1 root root 1204 авг 31  2021 lanin01.crt
-rw------- 1 root root 1704 авг 31  2021 lanin01.key
-rw-r--r-- 1 root root  188 авг 18 17:42 openvpn-status.log
drwxr-xr-x 2 root root 4096 мая 14  2021 server
-rw-r--r-- 1 root root  636 дек 29  2010 ta.key
-rw-r--r-- 1 root root 1468 фев 20  2019 update-resolv-conf
 
(rebooted to FreeBSD)
Code: 
[lanin@freebsd ~]$ pkg info openssl | grep Version
Version        : 1.1.1q,1
[lanin@freebsd ~]$ pkg info openvpn | grep Version
Version        : 2.5.7_1
[lanin@freebsd ~]$ service openvpn status
openvpn is running as pid 1914.
[lanin@freebsd ~]$ ls -l -D %F /usr/local/etc/openvpn
total 40
-rw-r--r--  1 lanin  wheel  1184 2021-08-31 ca.crt
drwxr-xr-x  2 lanin  wheel   512 2021-05-14 client
-rw-r--r--  1 lanin  wheel   473 2022-04-11 client.conf
-rw-r--r--  1 lanin  wheel  1204 2021-08-31 lanin01.crt
-rw-------  1 lanin  wheel  1704 2021-08-31 lanin01.key
-rw-r--r--  1 lanin  wheel  1201 2017-08-03 openvpn
-rw-r--r--  1 lanin  wheel   167 2022-08-18 openvpn-status.log
drwxr-xr-x  2 lanin  wheel   512 2021-05-14 server
-rw-r--r--  1 lanin  wheel   636 2010-12-29 ta.key
-rw-r--r--  1 lanin  wheel  1468 2019-02-20 update-resolv-conf
[lanin@freebsd ~]$
 
I understand that our 'configs' are different (since I installed openvpn and openssl using pkg), I just show the permissions of the config files (where a promlem might be).
 
The problem is likely with the permissions or naming in /usr/lib/engines/, maybe not as much with config files although OpenSSL not loading your config file is also highly probable.
 
Yes, openSSL can't read its own files - it doesn't read openvpn's config files (so the problem not in openvpn and its config files)

And yes, the problem is either in the files' paths or files' permissions...
 
Such a thought...
Have you tried manually load the library ?
Something like this - a.c:
Code: 
#include <stdio.h>
#include <dlfcn.h>
int main(){
void * dl;
void (*fn)(void);
const char * err;
dl= dlopen("/usr/lib/engines/new-engine.so",RTLD_LAZY);
if(!dl){
printf("dlopen() error: %s\n", dlerror());
return 1;
}
dlerror();
*(void**) (&fn) = dlsym(dl, "new_engine_get_handle"); //some symbol exported by new-engine.so
if ((err = dlerror()) != NULL){
printf("%s\n", err);
return 1;
}
dlclose(dl);
printf("ok\n");
return 0;
}

gcc a.c -o a -ldl
gcc a.c -o a -lc - https://www.freebsd.org/cgi/man.cgi?query=dlsym

Edit : The goal is to check if there are any errors when loading new-engine.so
 
Last edited:
Andrey Lanin said:
If the 'configs' are the same, and the software is compiled on FreeBSD, could it be a problem with config files permissions ? Are they the same as in Linux ?
Click to expand...
No, they aren't the same.

Andrey Lanin said:
(rebooted to FreeBSD)
Code: 
[lanin@freebsd ~]$ pkg info openssl | grep Version
Version        : 1.1.1q,1
[lanin@freebsd ~]$ pkg info openvpn | grep Version
Version        : 2.5.7_1
[lanin@freebsd ~]$ service openvpn status
openvpn is running as pid 1914.
[lanin@freebsd ~]$ ls -l -D %F /usr/local/etc/openvpn
total 40
-rw-r--r--  1 lanin  wheel  1184 2021-08-31 ca.crt
drwxr-xr-x  2 lanin  wheel   512 2021-05-14 client
-rw-r--r--  1 lanin  wheel   473 2022-04-11 client.conf
-rw-r--r--  1 lanin  wheel  1204 2021-08-31 lanin01.crt
-rw-------  1 lanin  wheel  1704 2021-08-31 lanin01.key
-rw-r--r--  1 lanin  wheel  1201 2017-08-03 openvpn
-rw-r--r--  1 lanin  wheel   167 2022-08-18 openvpn-status.log
drwxr-xr-x  2 lanin  wheel   512 2021-05-14 server
-rw-r--r--  1 lanin  wheel   636 2010-12-29 ta.key
-rw-r--r--  1 lanin  wheel  1468 2019-02-20 update-resolv-conf
[lanin@freebsd ~]$
Click to expand...

When I remove the line engine newengine, the openvpn works! So, my config file permissions are good:
Code: 
port 1194
proto udp
dev tun
secret static.key
engine newengine

Andrey Lanin said:
I understand that our 'configs' are different (since I installed openvpn and openssl using pkg), I just show the permissions of the config files (where a promlem might be).
Click to expand...
I installed openvpn and openssl using pkg too.

msplsh said:
The problem is likely with the permissions or naming in /usr/lib/engines/, maybe not as much with config files although OpenSSL not loading your config file is also highly probable.
Click to expand...
My engine are 444 in the folder /usr/lib/engines/ (the same permission than other engines).

Andrey Lanin said:
Yes, openSSL can't read its own files - it doesn't read openvpn's config files (so the problem not in openvpn and its config files)

And yes, the problem is either in the files' paths or files' permissions...
Click to expand...
The path to engines:
Code: 
OPENSSLDIR: "/etc/ssl"
ENGINESDIR: "/usr/lib/engines"

And the folder /usr/lib/engines:
Code: 
root@freebsd:~ # ls -la /usr/lib/engines/
total 80
drwxr-xr-x   2 root  wheel    512 Aug 17 15:58 .
drwxr-xr-x  11 root  wheel  17408 Aug 17 16:48 ..
-r--r--r--   1 root  wheel   4184 Dec  2  2021 capi.so
-r--r--r--   1 root  wheel  35328 Aug 11 16:35 newengine.so
-r--r--r--   1 root  wheel   8536 Dec  2  2021 padlock.so
 
rogeriohblima said:
When I remove the line engine newengine, the openvpn works!
Click to expand...
Still sounds like OpenSSL is having some problem locating the engine, perhaps due to not using openssl.cnf.
I see you have OpenSSL from ports loaded, but OpenVPN seems to be using the one from base, as ports is 1.1.1q and your log says 1.1.1l-freebsd. So the location of the config file needs to be for base, not ports. Also, if you're using service openvpn start that is probably not picking up OPENSSL_CONF, so I guess you'll have to set that somewhere else.

Looks like there's an openvpn_flags variable for rc.conf where you should use --engine to enable alternate engines for OpenVPN. The man page doesn't really help with where to put the openssl.cnf file there, either.
 
I think so too. OpenVPN, being installed from pkg, looks for OpenSSL (with its regular engines) in its usual place and does find OpenSSL 1.1.1q (which is installed from pkg). OpenSSL 1.1.1q looking for its config in ususal place. OpenSSL 1.1.1q knows nothing about the new engine. New engine and OpenSSL 1.1.1l with which it works (and its config) are installed not from pkg, and are located not in regular place.

Sorry for my garbage post.
 
You must log in or register to reply here.
Back
Top