xingplus / tunnelblick

Automatically exported from code.google.com/p/tunnelblick

auth SHA512 not being supported? #82

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Configure "auth SHA512" on both client and server
2. Linux and Windows clients will be able to connect
3. Tunnelblick will fail

Original issue reported on code.google.com by ralf.hil...@charite.de on 22 Apr 2009 at 9:57

GoogleCodeExporter commented 9 years ago
Tue 04/21/09 12:55 PM: Message hash algorithm 'SHA512' not found (OpenSSL)

Original comment by ralf.hil...@charite.de on 22 Apr 2009 at 10:44

GoogleCodeExporter commented 9 years ago
OpenVPN uses OpenSSL as provided by OS X. The OS X version does not include 
SHA512.

Original comment by jkbull...@gmail.com on 30 Aug 2009 at 4:47

GoogleCodeExporter commented 9 years ago
Uhm... I'm not really convinced. I get the same error using latest Tunnelblick 
(3.0b22).

This seems strange:

$ sudo /Applications/Tunnelblick.app/Contents/Resources/openvpn --show-digests | grep SHA512

$ openssl dgst -sha512
SHA512(/Users/dentarg/.vimrc)= d7e26a11e37289f3c434a01931027bcbeff4742fa3cf5cf19a789277abfa259d7859244b280b148ea28f1c13a03895b7c6314e0ae8b369874805ebd88c3ab854

$ openssl version -a
OpenSSL 0.9.8k 25 Mar 2009
built on: Tue Apr 21 23:28:32 UTC 2009
platform: darwin64-x86_64-llvm
options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(ptr2) 
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
OPENSSLDIR: "/System/Library/OpenSSL"

$ sudo /Applications/Tunnelblick.app/Contents/Resources/openvpn --version
OpenVPN 2.1_rc20 i386-apple-darwin10.0.0 [SSL] [LZO2] [PKCS11] built on Nov  1 2009
Developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

Original comment by deentarg on 22 Nov 2009 at 8:00

GoogleCodeExporter commented 9 years ago
With further investigation, here's what is happening:

Tunnelblick is compiled using the OS X 10.4 (Tiger) Software Development Kit 
(SDK) so a single Tunnelblick binary can run on 
Tiger or Leopard or Snow Leopard. The SDK includes information about what 
functionality is available in OpenSSL.

When Tunnelblick is compiled, OpenVPN is also compiled, using the same SDK. The 
OpenSSL functionality that OpenVPN uses is 
determined by the SDK.

So when OpenVPN is compiled, it sees only the OpenSSL functionality that is 
available on Tiger. This functionality does not 
include SHA512 or SHA256.

When running on Leopard or Snow Leopard, any additional OpenSSL functionality 
is ignored by OpenVPN even if it is available, 
because it only uses the functionality available on Tiger.

The only solution that I can see is to compile separate binaries for Tiger and 
Leopard (and perhaps Snow Leopard?).

Since it is only OpenVPN that would need the different binaries, we could 
compile a separate OpenVPN binary for each OS version 
(using that version's SDK), include each one in Tunnelblick, and choose which 
to use at run time depending on what OS version 
Tunnelblick is running under.

An alternative would be to create separate Tunnelblick binaries for different 
versions of OS X. I assume that will be necessary 
anyway when the next version of OS X is released, because I assume the next 
version won't include certain deprecated OS 
functions that are in Tiger.

I've changed this Issue from WontFix to Accepted.

Original comment by jkbull...@gmail.com on 18 Apr 2010 at 1:29
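The `--show-digests` check from the earlier comment, turned into a preflight script that compares a config's `auth` directive against what the OpenVPN binary actually offers, so a build that lacks a digest (as the 10.4-SDK build above lacks SHA512) is caught before a connection attempt. This is an added example, not code from Tunnelblick or OpenVPN; it assumes `--show-digests` prints one digest per line with the name as the first word (e.g. "SHA1 20 bit digest size") after a free-text preamble, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not Tunnelblick's or OpenVPN's own code): check that the digest
# named by a config's "auth" directive is offered by the OpenVPN binary that will
# run it, so the mismatch shows up here instead of as
# "Message hash algorithm 'X' not found (OpenSSL)" at connect time.
#
# Assumption: `openvpn --show-digests` prints one digest per line, name first
# (e.g. "SHA1 20 bit digest size"), after a free-text preamble.

# Print the digest an OpenVPN config (on stdin) asks for. The last "auth" line
# wins, as in OpenVPN; with no "auth" line OpenVPN defaults to SHA1.
config_auth() {
    awk 'tolower($1) == "auth" { d = $2 } END { print (d == "" ? "SHA1" : d) }'
}

# Exit 0 if digest $1 is the first word of some line of the --show-digests
# output on stdin, else exit 1. Case-insensitive, since OpenVPN accepts
# "sha512" and "SHA512" alike.
digest_supported() {
    awk -v want="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" \
        'toupper($1) == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Run the check against a real binary: check_config <openvpn-binary> <config>
check_config() {
    auth=$(config_auth < "$2")
    if "$1" --show-digests | digest_supported "$auth"; then
        echo "ok: $1 offers $auth"
    else
        echo "error: $1 does not offer '$auth'; $2 will fail with 'not found (OpenSSL)'" >&2
        return 1
    fi
}

# Constructed sample of what a build without the SHA-2 family prints
# (digest list only; used to exercise the functions without an OpenVPN binary).
TIGER_DIGESTS='The following message digests are available for use with
OpenVPN.

MD5 16 bit digest size
SHA1 20 bit digest size'

# Constructed sample for a build with OpenSSL 1.0.0a embedded (SHA-2 present).
EMBEDDED_DIGESTS="$TIGER_DIGESTS
SHA256 32 bit digest size
SHA512 64 bit digest size"
```

Pointing `check_config` at `/Applications/Tunnelblick.app/Contents/Resources/openvpn` and a config with `auth SHA512` reproduces the thread's result: the check fails for the SDK-limited build and passes once SHA512 is in the digest list.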

GoogleCodeExporter commented 9 years ago
Clarification:

If the next version of Mac OS X doesn't include certain deprecated OS functions 
that are in Tiger, we may

(A) Freeze development of the Tiger version of Tunnelblick and only develop new 
versions of Tunnelblick for 
Leopard and/or Snow Leopard and/or the next version of Mac OS X

or

(B) Use conditional compilation to make one binary for Tiger and a separate 
binary for newer versions of OS X, so 
that development would continue for all versions of OS X but there would be two 
separate binaries;

or

(C) Create a single binary which reacts dynamically to which version of Mac OS 
X is running and adjusts its 
behavior accordingly.

My preference would be (C)

Original comment by jkbull...@gmail.com on 18 Apr 2010 at 2:57

GoogleCodeExporter commented 9 years ago
Another option, suggested to me privately, is to build the latest (stable) 
version of the OpenSSL libraries into 
Tunnelblick's copy of OpenVPN. This would allow a single binary of Tunnelblick 
on all versions of OS X to use all 
the hash algorithms.

That's the best solution that I can see, but it requires more work, especially 
making sure that the OpenSSL 
library version we choose works properly on 10.4 - 10.6 and PPC and Intel. (I 
think it should; I don't think there 
is much OS-dependent code in the OpenSSL libraries, but there could be 
PPC/Intel issues.)

Original comment by jkbull...@gmail.com on 24 Apr 2010 at 12:08

GoogleCodeExporter commented 9 years ago
r2014 fixes this problem by embedding the OpenSSL 1.0.0a library into 
Tunnelblick's copy of OpenVPN.

So all digests, ciphers, and TLS ciphers available in OpenSSL 1.0.0a can be 
used in Tunnelblick, regardless of the OS X Version on which it is running 
(Tiger, Leopard, or Snow Leopard).

Original comment by jkbull...@gmail.com on 9 Sep 2010 at 2:06