Closed GoogleCodeExporter closed 9 years ago
Tue 04/21/09 12:55 PM: Message hash algorithm 'SHA512' not found (OpenSSL)
Original comment by ralf.hil...@charite.de
on 22 Apr 2009 at 10:44
OpenVPN uses OpenSSL as provided by OS X. The OS X version does not include SHA512.
Original comment by jkbull...@gmail.com
on 30 Aug 2009 at 4:47
Uhm... I'm not really convinced. I get the same error using the latest Tunnelblick (3.0b22).
This seems strange:
$ sudo /Applications/Tunnelblick.app/Contents/Resources/openvpn --show-digests | grep SHA512
$ openssl dgst -sha512
SHA512(/Users/dentarg/.vimrc)= d7e26a11e37289f3c434a01931027bcbeff4742fa3cf5cf19a789277abfa259d7859244b280b148ea28f1c13a03895b7c6314e0ae8b369874805ebd88c3ab854
$ openssl version -a
OpenSSL 0.9.8k 25 Mar 2009
built on: Tue Apr 21 23:28:32 UTC 2009
platform: darwin64-x86_64-llvm
options: bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(ptr2)
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
OPENSSLDIR: "/System/Library/OpenSSL"
$ sudo /Applications/Tunnelblick.app/Contents/Resources/openvpn --version
OpenVPN 2.1_rc20 i386-apple-darwin10.0.0 [SSL] [LZO2] [PKCS11] built on Nov 1 2009
Developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
Original comment by deentarg
on 22 Nov 2009 at 8:00
With further investigation, here's what is happening:
Tunnelblick is compiled using the OS X 10.4 (Tiger) Software Development Kit (SDK) so a single Tunnelblick binary can run on Tiger or Leopard or Snow Leopard. The SDK includes information about what functionality is available in OpenSSL.
When Tunnelblick is compiled, OpenVPN is also compiled, using the same SDK. The OpenSSL functionality that OpenVPN uses is determined by the SDK.
So when OpenVPN is compiled, it sees only the OpenSSL functionality that is available on Tiger. This functionality does not include SHA512 or SHA256.
When running on Leopard or Snow Leopard, any additional OpenSSL functionality is ignored by OpenVPN even if it is available, because it only uses the functionality available on Tiger.
The only solution that I can see is to compile separate binaries for Tiger and Leopard (and perhaps Snow Leopard?).
Since it is only OpenVPN that would need the different binaries, we could compile a separate OpenVPN binary for each OS version (using that version's SDK), include each one in Tunnelblick, and choose which to use at run time depending on what OS version Tunnelblick is running under.
An alternative would be to create separate Tunnelblick binaries for different versions of OS X. I assume that will be necessary anyway when the next version of OS X is released, because I assume the next version won't include certain deprecated OS functions that are in Tiger.
I've changed this Issue from WontFix to Accepted.
Original comment by jkbull...@gmail.com
on 18 Apr 2010 at 1:29
Clarification:
If the next version of Mac OS X doesn't include certain deprecated OS functions that are in Tiger, we may
(A) Freeze development of the Tiger version of Tunnelblick and only develop new versions of Tunnelblick for Leopard and/or Snow Leopard and/or the next version of Mac OS X;
or
(B) Use conditional compilation to make one binary for Tiger and a separate binary for newer versions of OS X, so that development would continue for all versions of OS X but there would be two separate binaries;
or
(C) Create a single binary which reacts dynamically to which version of Mac OS X is running and adjusts its behavior accordingly.
My preference would be (C).
Original comment by jkbull...@gmail.com
on 18 Apr 2010 at 2:57
Another option, suggested to me privately, is to build the latest (stable) version of the OpenSSL libraries into Tunnelblick's copy of OpenVPN. This would allow a single binary of Tunnelblick on all versions of OS X to use all the hash algorithms.
That's the best solution that I can see, but it requires more work, especially making sure that the OpenSSL library version we choose works properly on 10.4 - 10.6 and PPC and Intel. (I think it should; I don't think there is much OS-dependent code in the OpenSSL libraries, but there could be PPC/Intel issues.)
Original comment by jkbull...@gmail.com
on 24 Apr 2010 at 12:08
r2014 fixes this problem by embedding the OpenSSL 1.0.0a library into Tunnelblick's copy of OpenVPN.
So all digests, ciphers, and TLS ciphers available in OpenSSL 1.0.0a can be used in Tunnelblick, regardless of the OS X version on which it is running (Tiger, Leopard, or Snow Leopard).
Original comment by jkbull...@gmail.com
on 9 Sep 2010 at 2:06
Original issue reported on code.google.com by
ralf.hil...@charite.de
on 22 Apr 2009 at 9:57
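The `--show-digests | grep SHA512` check used in the thread, turned into a preflight test of a config's `auth` directive against a saved digest listing. This is an added example, not part of the original thread or of Tunnelblick's code; the function names, the `auth` lookup and the assumed listing line shape ("NAME n bit digest size") are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Preflight: is the digest named by a config's `auth` directive offered by
# the OpenVPN binary that will run it?
# Real use (paths are yours to fill in):
#   openvpn --show-digests > listing.txt && check_config client.conf listing.txt

# Print one upper-cased digest name per line from --show-digests output.
# Assumption: entries look like "SHA1 160 bit digest size".
list_digests() {
    awk '$2 ~ /^[0-9]+$/ && $3 == "bit" && $4 == "digest" { print toupper($1) }'
}

# Print the digest requested by the first `auth` directive, upper-cased.
# Comment lines (# or ;) and auth-user-pass etc. never match $1 == "auth".
config_auth() {
    awk '$1 == "auth" { print toupper($2); exit }' "$1"
}

# check_config CONFIG LISTING -> 0 ok, 1 digest not offered, 2 unreadable input
check_config() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(config_auth "$1")
    # No directive (OpenVPN default applies) or "none": nothing to look up.
    [ -n "$want" ] && [ "$want" != "NONE" ] || return 0
    list_digests < "$2" | grep -qxF -- "$want" && return 0
    echo "$1: digest $want is not offered by this OpenVPN build" >&2
    return 1
}

# Constructed sample data: a listing without SHA-2 (the failing build in the
# thread), a listing with it, and a config that asks for SHA512.
make_samples() {
    printf '%s\n' 'MD5 128 bit digest size' 'SHA1 160 bit digest size' \
        > "$1/old.txt"
    { cat "$1/old.txt"
      printf '%s\n' 'SHA256 256 bit digest size' 'SHA512 512 bit digest size'
    } > "$1/new.txt"
    printf '%s\n' '# constructed config' 'client' 'auth-nocache' 'auth sha512' \
        > "$1/client.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_config "$demo_dir/client.conf" "$demo_dir/old.txt" || echo "old build: rejected"
check_config "$demo_dir/client.conf" "$demo_dir/new.txt" && echo "new build: accepted"
rm -rf "$demo_dir"
```

Running the check against the binary that is actually bundled, rather than the system `openssl`, avoids the mismatch seen in the thread, where `openssl dgst -sha512` worked while the bundled `openvpn` listed no SHA512.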