Open TinCanTech opened 7 months ago
Using busybox.exe, Windows Unit-test completes faster than Linux, for the first time. Note: Windows UT is a cut down version anyway but it is now faster.
To test on Windows 11:
Copy from your git repo to C:\Program Files\Openvpn\easy-rsa:
EasyRSA-busybox.bat -> Openvpn/easy-rsa
bin/easyrsa-busybox-init.sh -> Openvpn/easy-rsa/bin
bin/busybox.exe -> Openvpn/easy-rsa/bin
Start Easy-RSA in a standard command prompt by using: EasyRSA-busybox.bat /na
Once the EasyRSA Shell prompt is given, please enter this script:
easyrsa --pki=erut-w11
easyrsa --pki=erut-w11 init-pki
easyrsa --pki=erut-w11 --verbose --batch --nopass build-ca
Please post the full output.
Errors concerning missing OpenSSL are acceptable.
Successfully tested on Windows 10, using Easy-RSA No-admin mode.
Use this git fu:
git clone https://github.com/Openvpn/easy-rsa.git <FOO>
cd <FOO> # You know what to do ;-)
git checkout -b TinCanTech-windows-busybox-install master
git pull https://github.com/TinCanTech/easy-rsa.git windows-busybox-install
I would suggest NOT shipping easy-rsa with busybox on Windows. Using native tools would be preferred, just as native tools are used on the *nix side of this project. OpenSSL is the only external dependency which really makes sense.
If there are issues related to shell compatibilities and related challenges, in my view, it would make more sense to dive into WSL2 and such like environments.
Here you go.
Since WSL is not part of Windows, I don't think it is worth maintaining a Windows port, which uses crutches like sh/busybox. With WSL you could just apt install easy-rsa and that's it.
The discussion regarding WSL is moot:
The resistance to busybox.exe replacing MKSH is a surprise to me:
I will complete this PR but will refrain from merging to allow further discussion.
PROS: This is my argument to support Windows as a non-admin user:
CONS: Personally, I am fundamentally against relying on WSL.
For each external dependency you pull in, you need to ensure the project has capacity to pay attention to security vulnerabilities and duly provide updates whenever something critical arrives. Since this project provides a zip file with Windows binaries, the project is responsible to ensure these are up-to-date with the latest security fixes.
That is why it is generally better to use what is already provided by the platform itself and have as few external dependencies as possible. You reduce the amount of code you need to pay attention to.
I don't know where the previous set of Windows binaries comes from or how it is being packaged into this project. This project should regardless have as a goal to build binaries it ships and verify that the code it ships is not carrying any possible supply chain attacks. If the CA private key leaks, then the whole CA is busted.
In regards to busybox, I do know that it is a very attractive target for attacks - and new issues are discovered regularly. That does not mean that the previous mksh approach automatically is any safer, especially if you depend on pre-built binaries. But busybox is a known attractive target.
So if swapping to busybox, do ensure there is a security process in place and the ability to quickly do new releases.
When it comes to WSL (I presume @lstipakov meant "now" and not "not"), that is an infrastructure provided by Microsoft and gives you a native Linux environment to work in - where all the dependencies Easy-RSA needs are already under maintenance by others. In fact, this project could even drop shipping OpenSSL binaries too. This would ensure this project can fully focus on Easy-RSA and not needing to be that concerned about shipping and maintaining external dependencies.
@dsommers Thank you.
I respect your opinion regarding the industry standards of security for external dependencies.
However, from an Easy-RSA specific point of view, I disagree with you as follows.
You say:
This is the very origin of the current problems facing Easy-RSA:
You say:
Easy-RSA use of busybox is extremely limited:
You say:
that is an infrastructure provided by Microsoft and gives you a native Linux environment to work in
As an Easy-RSA user, if I must use Windows then I prefer not to have to rely on WSL. WSL is NOT open source.
And, food for thought: What if MKSH were still actively maintained, would this discussion even take place?
The last problem is that of Easy-RSA integrated building of busybox-for-windows.
This is a huge commitment, for which, I do understand the resistance toward.
If I were a gambler, I would bet my bottom dollar that OpenSSL (built by Easy-RSA) is a far more significant security risk than Busybox.
However, given Full Admin access, easyrsa still works. So, we can sit tight.
Choose: Rock or Sea.
Note that with WSL we do not need to ship anything at all - not easyrsa scripts nor openssl binary. EasyRSA is already in Ubuntu 22.04, which WSL uses by default.
lev@lev-x1-11:~$ apt show easy-rsa
Package: easy-rsa
Version: 3.0.8-1ubuntu1
Priority: extra
Section: universe/utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Michele Orrù <michele.orru@ens.psl.eu>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 137 kB
Depends: openssl
Recommends: opensc
Homepage: https://github.com/OpenVPN/easy-rsa
Download-Size: 44.1 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Description: Simple shell based CA utility
This package eases the creation of certificates, for example for
openvpn clients.
.
This was formerly part of the openvpn package.
I suggest we just ship only readme.txt in the easyrsa folder and explain the WSL move there.
Note that with WSL we do not need to ship anything at all - not easyrsa scripts nor openssl binary. EasyRSA is already in Ubuntu 22.04, which WSL uses by default.
That is why the "Windows binary distribution" is quite pointless. Easy-RSA does not provide an installer by itself, it requires users to unzip a file and use the command line to use it from there. You need to have some technical experience just to come this far.
If the user is instead instructed (as @lstipakov suggests) to set up WSL, which then gives you an Ubuntu environment out-of-the-box ... you still have a proper POSIX compliant environment and all external third-party dependencies included as part of the apt install easy-rsa step. And you get automatic updates via apt update + apt upgrade.
The argument that WSL is not open source, is also only partly true. WSL is more or less a virtual machine running a complete Linux distribution, but made far more user friendly so that users don't have to set up and install the Linux distro themselves - it comes pre-setup. So when you are inside the WSL "container", you are in an open source environment. The only "non-open source" part here is the glue layers between the virtual machine instance and the Windows environment it runs under.
Also consider that you don't need to care explicitly about Windows behaviours when going the WSL approach. You only need to ensure it works well under a recent enough and updated Ubuntu distribution. That is less maintenance burden for this project.
For the record:
Users can use WSL and Easy-RSA should work.
WSL ships with Easy-RSA Version: 3.0.8-1ubuntu1, which has known bugs.
WSL is a virtual machine. This is a known weakness for gathering quality entropy.
Users can use Easy-RSA Windows tools and they will work but may require elevated privileges.
I accept that shipping a new binary, busybox.exe, to fix the current problem with Windows 11 is a maintenance burden.
I still consider busybox for Windows to be a suitable replacement for the current tools, however, that is not a popular opinion.
Openvpn are considering removing Easy-RSA from the OpenVPN-Windows-Installer.
Closing this PR as unsuitable - #1078
Reopening temporarily.
Fully integrate busybox.exe as an alternative to MKSH:sh.exe