evgeny-gridasov / openvpn-otp

OpenVPN OTP token support plugin
GNU General Public License v3.0

openvpn-otp doesn't work on debian stretch #36

Closed. unix196 closed this issue 4 years ago

unix196 commented 4 years ago

Good day. I receive this error after running the openvpn server with the openvpn-otp plugin:

/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --reneg-sec 86400  --cd /etc/openvpn --config /etc/openvpn/server.conf

==> /var/log/openvpn/openvpn-server.log <==
Mon Aug 17 15:15:18 2020 PLUGIN_INIT: could not load plugin shared object /usr/lib/openvpn/openvpn-otp.so: /usr/lib/openvpn/openvpn-otp.so: undefined symbol: EVP_MD_CTX_free: No such file or directory (errno=2)
Mon Aug 17 15:15:18 2020 Exiting due to fatal error

Server config:

/etc/openvpn/server.conf:
...
plugin "/usr/lib/openvpn/openvpn-otp.so" otp_secrets=/etc/openvpn/otp_secrets

OS version: Debian GNU/Linux 9.12 (stretch); openvpn-otp built as a debian package.

dpkg -l | grep openvp
ii  openvpn                       2.4.8-stretch0                    amd64        virtual private network daemon
ii  openvpn-otp                   1.0-1~stretch                     amd64        This plug-in adds support for time based OTP (totp) and HMAC

dpkg -L openvpn-otp
/usr/lib/openvpn/openvpn-otp.la
/usr/lib/openvpn/openvpn-otp.so
dpkg -l | grep ssl
ii  libssl-dev:amd64              1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                    1.1.0l-1~deb9u1                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.2:amd64             1.0.2u-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64               1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                       1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - cryptographic utility

openssl version
OpenSSL 1.1.0l  10 Sep 2019

ldd /usr/lib/openvpn/openvpn-otp.so
    linux-vdso.so.1 (0x00007ffff62bd000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8afdbd3000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8afe17b000)

I saw an old issue with this comment - https://github.com/evgeny-gridasov/openvpn-otp/issues/29#issuecomment-442696402 - but I tried installing different versions of the openvpn server (2.4.9, 2.4.8, 2.4.7 - using the repo from openvpn) and the error is the same.
I suspect the trouble is with openssl, but I don't know how to fix that.

evgeny-gridasov commented 4 years ago

Hi unix196, have you tried compiling it from source? I'm not sure what the package maintainers did to compile it, so it is difficult to tell what is going on. It is OpenSSL related. EVP_MD_CTX_free is available from OpenSSL 1.1.0; not sure why it is not available in your build of OpenSSL.

Could you please run ldd against openvpn binary and provide results here?

unix196 commented 4 years ago
openvpn --version
OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.08

Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

ldd /usr/sbin/openvpn
    linux-vdso.so.1 (0x00007ffd94ddd000)
    libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fc230433000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fc23021b000)
    liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007fc22fff3000)
    liblz4.so.1 => /usr/lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fc22fddb000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc22fbbb000)
    libpkcs11-helper.so.1 => /usr/lib/x86_64-linux-gnu/libpkcs11-helper.so.1 (0x00007fc22f99b000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007fc22f533000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fc22f2c3000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fc230a9b000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc22f0bb000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc22ed1b000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fc230913000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fc22eaf3000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc22e8eb000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fc22e6c3000)
    libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fc22e3b3000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fc22e13b000)
    libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fc22df23000)

"Have you tried compiling it from source?"

I think that maintaining my own version of openssl in production is not a good idea. This option would be possible if I ran openvpn in docker, but in the future I plan to run it on a hardware server.

evgeny-gridasov commented 4 years ago

This is where your problem is. OpenVPN is linked against libssl 1.0.2 but should be 1.1:

libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fc22f2c3000)

You need to either recompile OpenVPN against libssl 1.1 or recompile the plugin against the version you have installed. I would also suggest you send an email to package maintainers to fix that. Can I ask, where did you get the openvpn-otp deb file, is it part of Debian now?

unix196 commented 4 years ago

Oh, I think I am starting to understand where the problem is - I build the deb on one VM, then clone this VM and install the assembled deb package. According to the documentation I need to install libssl-dev/openssl-devel/libressl-devel; on the build machine I set up libssl-dev:

dpkg -l | grep ssl
ii  libssl-dev:amd64              1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                    1.1.0l-1~deb9u1                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.2:amd64             1.0.2u-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64               1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                       1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - cryptographic utility

I don't really understand how to fix it yet, but I figured out where to dig.

unix196 commented 4 years ago

"You need to either recompile OpenVPN against libssl 1.1 or recompile the plugin against the version you have installed."

I still don't clearly understand what should be done: on my distro - debian 9 stretch - all versions of openvpn use libssl.so.1.0.2 (ldd /usr/sbin/openvpn), although on the server I also have the package libssl1.1 installed. I did make install for the openvpn-otp plugin, apt-get install openvpn, and received the same error (EVP_MD_CTX_free: No such file or...) (all actions were done on one machine). Can I get by without recompiling OpenVPN against libssl 1.1? (Because in production that would require building my own openvpn deb package and maintaining it.)

unix196 commented 4 years ago

Figured it out:

apt-get install libssl1.0-dev
The following packages will be REMOVED:
  libssl-dev
The following NEW packages will be installed:
  libssl1.0-dev

The package libssl-dev does not need to be installed on the build machine; libssl1.0-dev is what is needed.
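The diagnosis in this thread (the plugin's own ldd lists only libc, so every OpenSSL symbol it leaves undefined is resolved against whatever libcrypto the openvpn process already has mapped, and EVP_MD_CTX_free only exists from 1.1.0) and the final fix (build against the -dev package that matches the runtime's libcrypto) can be turned into a pre-deployment check. The script below is an added example, not code from the openvpn-otp project. It parses ldd output for the host binary and nm output for the plugin, and reports which 1.1-only symbols a 1.0.2 host can never satisfy. The ldd sample is the one posted above, trimmed; the nm sample is constructed to show what a plugin built against 1.1 headers would reference, not captured from the real plugin.

```python
"""Detect the "undefined symbol: EVP_MD_CTX_free" mismatch before deploying a plugin.

An OpenVPN plugin is dlopen()ed into the openvpn process. Any OpenSSL symbol the
plugin leaves undefined is resolved against the libcrypto that *openvpn* maps, not
against the libssl-dev that happened to be installed on the build machine.
"""
import re
import subprocess

# Constructed sample: `ldd /usr/sbin/openvpn` from the thread, trimmed to what matters.
HOST_LDD_STRETCH = """\
    linux-vdso.so.1 (0x00007ffd94ddd000)
    libpkcs11-helper.so.1 => /usr/lib/x86_64-linux-gnu/libpkcs11-helper.so.1 (0x00007fc22f99b000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007fc22f533000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fc22f2c3000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc22ed1b000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fc230913000)
"""

# Constructed sample (hypothetical, not captured from openvpn-otp.so): what
# `nm -D --undefined-only plugin.so` prints for a plugin built against 1.1 headers.
PLUGIN_NM_BUILT_AGAINST_11 = """\
                 U EVP_DigestInit_ex
                 U EVP_MD_CTX_free
                 U EVP_MD_CTX_new
                 U EVP_sha1
                 U HMAC
                 U fopen@GLIBC_2.2.5
                 U strtoul@GLIBC_2.2.5
"""

# Entry points introduced in OpenSSL 1.1.0; their 1.0.x equivalents were
# EVP_MD_CTX_create/destroy, HMAC_CTX_init/cleanup and SSLeay().
OPENSSL_110_SYMBOLS = {
    "EVP_MD_CTX_new", "EVP_MD_CTX_free", "EVP_MD_CTX_reset",
    "HMAC_CTX_new", "HMAC_CTX_free", "HMAC_CTX_reset",
    "OPENSSL_init_crypto", "OpenSSL_version_num",
}

_LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")
_NM_LINE = re.compile(r"^\s*U\s+([^@\s]+)")   # strips "@GLIBC_x.y" version suffixes


def needed_libraries(ldd_output):
    """Map each DT_NEEDED soname to the path the dynamic loader resolved it to."""
    return {m.group(1): m.group(2)
            for m in map(_LDD_LINE.match, ldd_output.splitlines()) if m}


def libcrypto_soname(ldd_output):
    """Return the libcrypto soname a binary maps, or None if it links no libcrypto."""
    return next((s for s in needed_libraries(ldd_output)
                 if s.startswith("libcrypto.so.")), None)


def openssl_version(soname):
    """'libcrypto.so.1.0.2' -> (1, 0, 2); 'libcrypto.so.1.1' -> (1, 1); 'libcrypto.so.3' -> (3,)."""
    return tuple(int(p) for p in soname[len("libcrypto.so."):].split("."))


def undefined_symbols(nm_output):
    """Parse `nm -D --undefined-only` output into a set of bare symbol names."""
    return {m.group(1) for m in map(_NM_LINE.match, nm_output.splitlines()) if m}


def unsatisfiable_symbols(host_ldd, plugin_nm):
    """Symbols the plugin needs that the host process's libcrypto cannot provide.

    Only the 1.0.2-host / 1.1-plugin direction is checked. Returns the empty set
    when the host maps OpenSSL >= 1.1.0, or when it maps no libcrypto at all (then
    the plugin must bring its own, and its ldd output is the thing to inspect).
    """
    soname = libcrypto_soname(host_ldd)
    if soname is None or openssl_version(soname) >= (1, 1):
        return set()
    return undefined_symbols(plugin_nm) & OPENSSL_110_SYMBOLS


def diagnose(host_binary, plugin_so):
    """Run ldd/nm on real files; returns (host libcrypto soname, unsatisfiable symbols)."""
    host_ldd = subprocess.run(["ldd", host_binary], capture_output=True,
                              text=True, check=True).stdout
    plugin_nm = subprocess.run(["nm", "-D", "--undefined-only", plugin_so],
                               capture_output=True, text=True, check=True).stdout
    return libcrypto_soname(host_ldd), unsatisfiable_symbols(host_ldd, plugin_nm)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:           # e.g. /usr/sbin/openvpn /usr/lib/openvpn/openvpn-otp.so
        soname, missing = diagnose(sys.argv[1], sys.argv[2])
    else:                            # offline demo on the constructed samples
        soname, missing = (libcrypto_soname(HOST_LDD_STRETCH),
                           unsatisfiable_symbols(HOST_LDD_STRETCH, PLUGIN_NM_BUILT_AGAINST_11))
    print("host libcrypto:", soname)
    print("plugin symbols the host cannot satisfy:", sorted(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run it on the build VM as `python3 check_plugin_abi.py /usr/sbin/openvpn /usr/lib/openvpn/openvpn-otp.so` before packaging; a non-zero exit reproduces the PLUGIN_INIT failure without starting the server. The check is deliberately one-directional: a plugin built with libssl1.0-dev references EVP_MD_CTX_create/EVP_MD_CTX_destroy, which OpenSSL 1.1 turns into macros and no longer exports, so the same mismatch exists in reverse once openvpn itself moves to libcrypto.so.1.1.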