On Fri, Jan 03, 2025 at 07:52:21AM +0100, Bjorn Ketelaars wrote:
> On Fri 03/01/2025 00:29, Jeremie Courreges-Anglas wrote:
> >
> > I'd like to know whether the mbedtls FLAVOR can also use
> > pkcs11-helper. Seems to work just fine with ''openvpn --show-pkcs11-ids''
> > but this is no actual test.
> >
> > Klemens: could you please test the mbedtls FLAVOR for your use case?
> >
> > Bjorn, do you see a drawback with enabling pkcs11 support? The
> > resulting openvpn--mbedtls binary starts being directly linked to
> > libcrypto, but:
> > - libcrypto comes from libpkcs11-helper-1.pc but openvpn itself
> >   doesn't start using libcrypto itself
> > - mbedtls and libcrypto shouldn't conflict
> >
> > Input and oks welcome.
>
> Although i'm not using openvpn any more,

Ah ha. Did you have a reason to use this flavor? IIUC using the
openvpn--mbedtls package isn't equivalent to using the OpenVPN-NL fork
sponsored and vetted by the Dutch government. If someone wants an
openvpn version to work in that environment then a different port for
OpenVPN-NL would be needed instead.

If there's no incentive to keep this openvpn,mbedtls FLAVOR, I will
probably drop it.

> i do not see drawbacks with enabling
> pkcs11 support in the mbedtls FLAVOR. I think i do not have the means to test
> properly but looking out the output of 'ldd openvpn' i would not be surprised
> if there is an issue with getting stuff to work: there is an opportunity for
> libcrypto and libmbedtls* to conflict.

If you know why they can conflict, please share the details!

--
jca