
[1/2] openvpn: remove polarssl crypto backend options

Message ID 1462893074-29188-1-git-send-email-gustavo@zacarias.com.ar
State Superseded

Commit Message

Gustavo Zacarias May 10, 2016, 3:11 p.m. UTC
Now that we need to bump openvpn to version 2.3.11 for security fixes
the time has come to remove the polarssl option.
Add legacy handling explaining the situation:
PolarSSL 1.2.x can coexist with mbedTLS 2.x+, but OpenVPN requires
PolarSSL/mbedTLS 1.3.x (the transition branch) >= 1.3.8 and doesn't
build/work with the 2.x series. And PolarSSL/mbedTLS 1.3.x can't coexist
with mbedTLS 2.x on the same target.
So, unfortunately, openssl is now the only option (until libressl
arrives).

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 Config.in.legacy           | 18 ++++++++++++++++++
 package/openvpn/Config.in  | 21 +--------------------
 package/openvpn/openvpn.mk | 13 ++-----------
 3 files changed, 21 insertions(+), 31 deletions(-)

Comments

Arnout Vandecappelle May 12, 2016, 7:38 p.m. UTC | #1
On 05/10/16 17:11, Gustavo Zacarias wrote:
> Now that we need to bump openvpn to version 2.3.11 for security fixes
> the time has come to remove the polarssl option.
> Add legacy handling explaining the situation:
> PolarSSL 1.2.x can coexist with mbedTLS 2.x+, but OpenVPN requires
> PolarSSL/mbedTLS 1.3.x (the transition branch) >= 1.3.8 but doesn't
> build/work with the 2.x series. And PolarSSL/mbedTLS 1.3.x can't coexist
> with mbedTLS 2.x on the same target.
> So, unfortunately, openssl is now the only option (until libressl
> arrives).
>
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
>  Config.in.legacy           | 18 ++++++++++++++++++
>  package/openvpn/Config.in  | 21 +--------------------
>  package/openvpn/openvpn.mk | 13 ++-----------
>  3 files changed, 21 insertions(+), 31 deletions(-)
>
> diff --git a/Config.in.legacy b/Config.in.legacy
> index 824a220..394e61b 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -145,6 +145,24 @@ endif
>  ###############################################################################
>  comment "Legacy options removed in 2016.05"
>
> +config BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
> +	bool "openvpn openssl crypto backend option removed"
> +	select BR2_LEGACY
> +	help
> +	  The OpenVPN openssl crypto backend options has been removed.
> +	  It's now the only possible option.

  I think we don't need to add this to the legacy handling.

  The purpose of legacy handling is to warn users that their configuration does 
not work anymore like it did before. In case an option has been renamed, we make 
sure that the new name is selected, but we still select BR2_LEGACY because at 
some point the legacy handling for that option will be removed as well.

  In this case, however, it doesn't help at all that the user is warned: his 
openvpn will work exactly the same as it did before, but he has to go and 
disable this option anyway.

  So I'd say remove this option from Config.in.legacy...

> +
> +config BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL
> +	bool "openvpn polarssl crypto backend removed"

  ... but keep this one of course.

  Regards,
  Arnout

> +	select BR2_LEGACY
> +	help
> +	  The OpenVPN polarssl crypto backend option has been removed.
> +	  Version from 2.3.10 onwards need polarssl >= 1.3.8 but aren't
> +	  compatible with mbedtls (polarssl) series 2.x which is the
> +	  version provided in buildroot. And both can't coexist.
> +	  It now uses OpenSSL as the only option.
> +
> +
>  config BR2_PACKAGE_NGINX_HTTP_SPDY_MODULE
>  	bool "nginx http spdy module removed"
>  	select BR2_LEGACY
[snip]
Gustavo Zacarias May 14, 2016, 1:32 p.m. UTC | #2
On 12/05/16 16:38, Arnout Vandecappelle wrote:


>> +config BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
>> +    bool "openvpn openssl crypto backend option removed"
>> +    select BR2_LEGACY
>> +    help
>> +      The OpenVPN openssl crypto backend options has been removed.
>> +      It's now the only possible option.
>
>   I think we don't need to add this to the legacy handling.
>
>   The purpose of legacy handling is to warn users that their
> configuration does not work anymore like it did before. In case an
> option has been renamed, we make sure that the new name is selected, but
> we still select BR2_LEGACY because at some point the legacy handling for
> that option will be removed as well.
>
>   In this case, however, it doesn't help at all that the user is warned:
> his openvpn will work exactly the same as it did before, but he has to
> go and disable this option anyway.
>
>   So I'd say remove this option from Config.in.legacy...

Hi.
Yes, I had doubts about it, so off it goes; it was only there to warn that
this was no longer an option.
Regards.

Patch

diff --git a/Config.in.legacy b/Config.in.legacy
index 824a220..394e61b 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,24 @@  endif
 ###############################################################################
 comment "Legacy options removed in 2016.05"
 
+config BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
+	bool "openvpn openssl crypto backend option removed"
+	select BR2_LEGACY
+	help
+	  The OpenVPN openssl crypto backend options has been removed.
+	  It's now the only possible option.
+
+config BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL
+	bool "openvpn polarssl crypto backend removed"
+	select BR2_LEGACY
+	help
+	  The OpenVPN polarssl crypto backend option has been removed.
+	  Version from 2.3.10 onwards need polarssl >= 1.3.8 but aren't
+	  compatible with mbedtls (polarssl) series 2.x which is the
+	  version provided in buildroot. And both can't coexist.
+	  It now uses OpenSSL as the only option.
+
+
 config BR2_PACKAGE_NGINX_HTTP_SPDY_MODULE
 	bool "nginx http spdy module removed"
 	select BR2_LEGACY
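Review bot: The help text of the new BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL entry reads awkwardly and tells the user nothing about what changes for a deployment that was built against PolarSSL; I would at least fix the grammar, `Versions from 2.3.10 onwards need polarssl >= 1.3.8 but aren't`. Because the target now gets an OpenSSL-built openvpn instead of a PolarSSL-built one, I would also add a sentence such as `Existing configurations that pin TLS cipher suites with --tls-cipher may need their names updated, since the two backends use different cipher-suite naming.` — as far as I recall the OpenVPN 2.3 manual documents IANA-style names for the PolarSSL backend and OpenSSL names otherwise, so please verify against the manual before wording it as a fact. There is also a stray second blank line between the polarssl entry and the nginx one.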
diff --git a/package/openvpn/Config.in b/package/openvpn/Config.in
index 2e37125..8ba4ea1 100644
--- a/package/openvpn/Config.in
+++ b/package/openvpn/Config.in
@@ -1,6 +1,7 @@ 
 config BR2_PACKAGE_OPENVPN
 	bool "openvpn"
 	depends on BR2_USE_MMU # fork()
+	select BR2_PACKAGE_OPENSSL
 	help
 	  OpenVPN is a full-featured SSL VPN solution which can
 	  accomodate a wide range of configurations, including road
@@ -33,24 +34,4 @@  config BR2_PACKAGE_OPENVPN_PWSAVE
 	  Allow --askpass and --auth-user-pass passwords to be read
 	  from a file.
 
-choice
-	prompt "Crypto backend"
-	default BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
-	help
-	  Select the cryptographic library to use.
-
-	config BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
-	bool "OpenSSL"
-	select BR2_PACKAGE_OPENSSL
-	help
-	  Enable TLS-based key exchange and OpenSSL crypto support.
-
-	config BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL
-	bool "PolarSSL"
-	select BR2_PACKAGE_POLARSSL
-	help
-	  Enable TLS-based key exchange and PolarSSL crypto support.
-
-endchoice
-
 endif
diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
index 8f02792..1d06636 100644
--- a/package/openvpn/openvpn.mk
+++ b/package/openvpn/openvpn.mk
@@ -7,12 +7,13 @@ 
 OPENVPN_VERSION = 2.3.9
 OPENVPN_SOURCE = openvpn-$(OPENVPN_VERSION).tar.xz
 OPENVPN_SITE = http://swupdate.openvpn.net/community/releases
-OPENVPN_DEPENDENCIES = host-pkgconf
+OPENVPN_DEPENDENCIES = host-pkgconf openssl
 OPENVPN_LICENSE = GPLv2
 OPENVPN_LICENSE_FILES = COPYRIGHT.GPL
 OPENVPN_CONF_OPTS = \
 	--disable-plugin-auth-pam \
 	--enable-iproute2 \
+	--with-crypto-library=openssl \
 	$(if $(BR2_STATIC_LIBS),--disable-plugins)
 OPENVPN_CONF_ENV = IFCONFIG=/sbin/ifconfig \
 	NETSTAT=/bin/netstat \
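Review bot: OPENVPN_VERSION is still 2.3.9 in this hunk although the commit message gives the bump to 2.3.11 for security fixes as the motivation; presumably that bump is patch 2/2 of the series, but it would help to say so in the message, since this patch alone leaves the target on the older release. The now-unconditional `openssl` in OPENVPN_DEPENDENCIES and the explicit `--with-crypto-library=openssl` match the `select BR2_PACKAGE_OPENSSL` added in Config.in, so the backend is no longer chosen implicitly by configure, which is the right thing. Because OPENVPN_SITE is plain http, the tarball's integrity rests entirely on the package's hash file, which this diff does not touch; make sure the hash entry for the 2.3.11 tarball lands together with the version bump.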
@@ -47,16 +48,6 @@  else
 OPENVPN_CONF_OPTS += --disable-password-save
 endif
 
-ifeq ($(BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL),y)
-OPENVPN_CONF_OPTS += --with-crypto-library=openssl
-OPENVPN_DEPENDENCIES += openssl
-endif
-
-ifeq ($(BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL),y)
-OPENVPN_CONF_OPTS += --with-crypto-library=polarssl
-OPENVPN_DEPENDENCIES += polarssl
-endif
-
 define OPENVPN_INSTALL_TARGET_CMDS
 	$(INSTALL) -m 755 $(@D)/src/openvpn/openvpn \
 		$(TARGET_DIR)/usr/sbin/openvpn