Hi all,

I falsely assumed openssl.cnf was a default file from OpenSSL release packages, even though it was heavily modified for easy-rsa. The root cause of the issue seems to be that OpenSSL 1.0.0 does not like undefined variables in openssl.cnf. I fixed the Windows side today, and a preliminary patch is available here:

<http://build.openvpn.net/0001-Updated-easy-rsa-for-OpenSSL-1.0.0.patch>

This patch applies on top of "Fix a build-ca issue on Windows" in "master" and fixes Trac ticket #125. A few other things still need fixing:

- Lack of file called "easy-rsa/2.0/openssl.cnf" will probably break "domake-win" builds - or at least easy-rsa on installers generated with it.
- openssl-1.0.0.cnf has not yet been tested on *NIX
- changes to "easy-rsa/2.0/vars" script have not been tested

The added environment variables should not have negative side-effects. I'll test Windows installer generation tomorrow to make sure easy-rsa works out of the box on Windows. Help with *NIX+OpenSSL 1.0.0 and "domake-win" would be appreciated.

Samuli

> On 20/06/11 12:30, Jan Just Keijser wrote:
> [...snip...]
> >> Samuli, can you please look closer into this? I did a more careful diff
> >> from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
> >> different. Can we please unite them?
> >>
> >> JJK: Do you know which differences are needed between Windows and
> >> non-Windows?
> >>
> >>
> > I just checked that the openssl.cnf file shipped with the windows version
> > of openvpn 2.1.4 is identical to the easy-rsa/2.0 version - is there any
> > reason not to do the same for openvpn 2.2?
> >
> Good question!
>
> Samuli, what do you think? Could we actually just move the 2.0/openssl.cnf
> to a common directory where the installers will pick this config file? To
> have the same file in more places in the source tree sounds chaotic for me,
> especially when 2.1.4 uses the same file everywhere.
>
> I'd suggest ./easy-rsa as a good common base.
>
> I'm also wondering if we need to still carry easy-rsa/1.0 in the source
> tree. It looks rather dead ...
>
> $ git log --follow --oneline ./easy-rsa/1.0/
> 3c7f2f5 version 2.1_beta1
>
> Compared to this:
>
> $ git log --follow --oneline ./easy-rsa/2.0/
> 6dc6019 pkitool lacks expected option "--help"
> 2d4e768 bash->bourne script cleanup
> 564a210 Updated copyright date to 2010.
> 9f4725e pkitool lacks expected option "--help"
> d7fa38f Update copyright to 2009.
> 2534aa4 Fixed revoke-full to deal with issue arising from addition ...
> dbec0a2 Modified pkitool to allow flexibility in separating the Com...
> d56dec6 Change to pkitool/openssl.cnf so that calling scripts can s...
> 367ed08 Copyright notice changed to reflect change in name of Telet...
> 1c0cc4a Copyright change OpenVPN Solutions LLC -> Telethra, Inc.
> eca8691 Updated copyright notice to 2008.
> 4d90d73 Updated version & changelog.
> d4fb6d4 Set tool defaults in pkitool.
> eba4632 Added note about alternative version of easy-rsa that suppo...
> 8d54351 Clean up configure on FreeBSD for recent autotool versions ...
> acb567c A few more updates: -r 1015:1025 https://svn.openvpn.net/pr...
> a8105c6 Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev). ...
> 513baee Small fixes: * Fixed variable declaration in crypto.c that ...
> 411e89a Merged --remote-cert-ku, --remote-cert-eku, and --remote-ce...
> 8810c26 Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible...
>
> $ git log --follow --oneline ./easy-rsa/Windows/
> 54c739e Revert "Add new openssl.cnf to easy-rsa/Windows"
> 663860a Add new openssl.cnf to easy-rsa/Windows
> 3810843 Fix a build-ca issue on Windows
> 6b2883a Change all CRLF linefeeds to LF linefeeds
> d0b4271 In Windows build, package a statically linked openssl.exe t...
> 4030142 The easy-rsa directory installed by the windows installer c...
> 6fbf66f This is the start of the BETA21 branch. It includes the --t...
>
>
> kind regards,
>
> David Sommerseth
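Added example, not part of the thread or of the linked patch: a pre-flight check that lists every environment variable an openssl.cnf references through OpenSSL's `$ENV::name` expansion but that is not set, which is the condition the message above identifies as the root cause. The sample config and the variable names in it are constructed for illustration, and comment handling is simplified.

```python
import os
import re

# Matches $ENV::NAME, ${ENV::NAME} and $(ENV::NAME), the forms OpenSSL's
# config parser expands from the process environment.
ENV_REF = re.compile(r"\$[{(]?ENV::([A-Za-z0-9_]+)[})]?")

# Constructed sample in the style of an easy-rsa openssl.cnf (not the real file).
SAMPLE_CNF = """\
HOME = .
[ CA_default ]
dir = $ENV::KEY_DIR            # where everything is kept
default_days = 3650            # old note: $ENV::IGNORED_IN_COMMENT
[ req ]
default_bits = $ENV::KEY_SIZE
[ req_distinguished_name ]
countryName_default = $ENV::KEY_COUNTRY
commonName_default = ${ENV::KEY_CN}
"""


def find_env_refs(cnf_text):
    """Return {variable name: [line numbers]} for every ENV reference."""
    refs = {}
    for lineno, line in enumerate(cnf_text.splitlines(), start=1):
        # Simplification (assumption): '#' always starts a comment.
        code = line.split("#", 1)[0]
        for name in ENV_REF.findall(code):
            refs.setdefault(name, []).append(lineno)
    return refs


def undefined_env_refs(cnf_text, environ=None):
    """Return the referenced variables that are missing from the environment."""
    environ = os.environ if environ is None else environ
    return {name: lines
            for name, lines in find_env_refs(cnf_text).items()
            if name not in environ}


if __name__ == "__main__":
    # Constructed environment: KEY_CN is deliberately left unset.
    env = {"KEY_DIR": "keys", "KEY_SIZE": "2048", "KEY_COUNTRY": "US"}
    for name, lines in sorted(undefined_env_refs(SAMPLE_CNF, env).items()):
        print(f"{name} referenced on line(s) {lines} but not set")
```

Running it against the real config after sourcing the vars script, with `environ` left at its default, shows which variables still need a definition before OpenSSL 1.0.0 parses the file.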