Ubuntu
openvpn package

openvpn: Fail to build against OpenSSL 3.0

Bug #1945980 reported by Simon Chopin
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)
Fix Released
Undecided
Bryce Harrington

Bug Description

Hello,

As part of a rebuild against OpenSSL3, this package failed to build on one or
several architectures. You can find the details of the rebuild at

https://people.canonical.com/~schopin/rebuilds/openssl-3.0.0-impish.html

or for the amd64 failed build, directly at

https://launchpad.net/~schopin/+archive/ubuntu/openssl-3.0.0/+build/22099222/+files/buildlog_ubuntu-impish-amd64.openvpn_2.5.1-3ubuntu1.0~ssl3ppa1.1_BUILDING.txt.gz

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

You can find general migration informations at
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

There is some work upstream on porting to OpenSSL 3.0, but I'm not sure it addresses the issues
we're seeing in the build.

https://patchwork.openvpn.net/project/openvpn2/list/?series=&submitter=&state=*&q=openssl+3.0&archive=both&delegate=

Related branches

~sergiodj/ubuntu/+source/openvpn:merge-2.5.5-1-jammy
Utkarsh Gupta (community): Approve
Andreas Hasenack: Approve
Diff: 1237 lines (+910/-5)
6 files modified
debian/changelog (+743/-1)
debian/control (+4/-3)
debian/openvpn@.service (+1/-1)
debian/patches/OpenSSL3.patch (+70/-0)
debian/patches/openvpn-fips-2.4.patch (+90/-0)
debian/patches/series (+2/-0)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn (Ubuntu):
status: New → Confirmed
Bryce Harrington (bryce)
Changed in openvpn (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
tags: added: server-next
Revision history for this message
Simon Chopin (schopin) wrote :

Attached is a patch that fixes this issue. Note that I tried the latest upstream release but the failure is the same (and is fixed by the same patch). It is a temporary workaround to keep compatibility with existing OpenVPN setups.

A fixed package has been uploaded to those PPAs:
https://launchpad.net/~schopin/+archive/ubuntu/test-ppa/ (against libssl.1.1)
https://launchpad.net/~schopin/+archive/ubuntu/foudation-openssl3/ (against libssl3)

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
Simon Chopin (schopin) wrote :

I tried running the autopkgtests for the libssl3 version, but I *think* I hit https://github.com/OpenVPN/easy-rsa/issues/454

Revision history for this message
Simon Chopin (schopin) wrote :

easy-rsa fix uploaded ( https://bugs.launchpad.net/ubuntu/+source/easy-rsa/+bug/1951581 )

Revision history for this message
Bryce Harrington (bryce) wrote :

PPAs:
  - https://launchpad.net/~bryce/+archive/ubuntu/openvpn-fix-lp1945980
  - https://launchpad.net/~bryce/+archive/ubuntu/openvpn-fix-lp1945980-with-openssl3

Results from https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-openvpn-fix-lp1945980/?format=plain:
  openvpn @ amd64:
    01.12.21 16:59:01 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ arm64:
    01.12.21 17:00:59 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ armhf:
    01.12.21 16:57:06 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ ppc64el:
    01.12.21 16:59:46 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ s390x:
    01.12.21 16:58:10 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']

Results from https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-bryce-openvpn-fix-lp1945980-with-openssl3/?format=plain:
  openvpn @ amd64:
    01.12.21 20:55:10 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ arm64:
    01.12.21 20:49:39 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ armhf:
    01.12.21 20:44:53 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ ppc64el:
    01.12.21 20:47:41 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']
  openvpn @ s390x:
    01.12.21 20:46:47 Log πŸ—’οΈ βœ… Triggers: ['openvpn/2.5.1-3ubuntu3']

Revision history for this message
Bryce Harrington (bryce) wrote :

Upload sponsored for openvpn to jammy:

$ debuild -S -uc -us $(git ubuntu prepare-upload args)
To ssh://git.launchpad.net/~bryce/ubuntu/+source/openvpn
 * [new branch] fix-lp1945980-jammy -> fix-lp1945980-jammy
 dpkg-buildpackage -us -uc -ui -i -I.bzr -I.svn -I.git -S --changes-option=-DVcs-Git=https://git.launchpad.net/~bryce/ubuntu/+source/openvpn --changes-option=-DVcs-Git-Ref=refs/heads/fix-lp1945980-jammy --changes-option=-DVcs-Git-Commit=29164a6582433a3210ffef1b14f10662598ca29f
$ grep ^Vcs ../openvpn_2.5.1-3ubuntu3_source.changes
Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/openvpn
Vcs-Git-Commit: 29164a6582433a3210ffef1b14f10662598ca29f
Vcs-Git-Ref: refs/heads/fix-lp1945980-jammy
$ dput ubuntu ../openvpn_2.5.1-3ubuntu3_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../openvpn_2.5.1-3ubuntu3_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../openvpn_2.5.1-3ubuntu3.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openvpn_2.5.1-3ubuntu3.dsc: done.
  Uploading openvpn_2.5.1-3ubuntu3.debian.tar.xz: done.
  Uploading openvpn_2.5.1-3ubuntu3_source.buildinfo: done.
  Uploading openvpn_2.5.1-3ubuntu3_source.changes: done.
Successfully uploaded packages.

Changed in openvpn (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.5.1-3ubuntu4

---------------
openvpn (2.5.1-3ubuntu4) jammy; urgency=medium

  * d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between
    the OpenSSL3 branch and the OpenVPN 2.5 branch (LP: #1945980)

 -- Simon Chopin <email address hidden> Thu, 18 Nov 2021 15:05:21 +0100

Changed in openvpn (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.