Saturday, January 04, 2025

Re: net/openvpn,mbedtls: add pkcs11 support

On Fri, Jan 03, 2025 at 07:52:21AM +0100, Bjorn Ketelaars wrote:
> On Fri 03/01/2025 00:29, Jeremie Courreges-Anglas wrote:
> >
> > I'd like to know whether the mbedtls FLAVOR can also use
> > pkcs11-helper. Seems to work just fine with 'openvpn
> > --show-pkcs11-ids' but this is no actual test.
> >
> > Klemens: could you please test the mbedtls FLAVOR for your use case?
> >
> > Bjorn, do you see a drawback with enabling pkcs11 support? The
> > resulting openvpn--mbedtls binary starts being directly linked to
> > libcrypto, but:
> > - libcrypto comes from libpkcs11-helper-1.pc but openvpn itself
> > doesn't start using libcrypto itself
> > - mbedtls and libcrypto shouldn't conflict
> >
> > Input and oks welcome.
>
> Although I'm not using openvpn any more,

Ah ha. Did you have a reason to use this flavor? IIUC using the
openvpn--mbedtls package isn't equivalent to using the OpenVPN-NL fork
sponsored and vetted by the Dutch government. If someone wants an
openvpn version to work in that environment then a different port for
OpenVPN-NL would be needed instead.

If there's no incentive to keep this openvpn,mbedtls FLAVOR, I will
probably drop it.

> I do not see drawbacks with enabling
> pkcs11 support in the mbedtls FLAVOR. I think I do not have the means to test
> properly but looking at the output of 'ldd openvpn' I would not be surprised if
> there is an issue with getting stuff to work: there is an opportunity for
> libcrypto and libmbedtls* to conflict.

If you know why they can conflict, please share the details!

--
jca
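The thread leaves the "can libcrypto and libmbedtls* conflict" question open. The concrete way to answer it is to list the shared objects the binary actually loads and then check whether any two of them define the same exported symbol name, since that is the only way two unrelated libraries loaded into one process collide. The script below is an added example, not code from the thread, from the OpenBSD ports tree or from OpenVPN: it parses ldd(1) output in OpenBSD's column layout and compares per-library symbol lists. The ldd output and the symbol lists are constructed inline (one collision is planted on purpose so the detector visibly fires); the nm(1) flags in the comment are assumed from GNU and OpenBSD nm and may need adjusting.

```shell
#!/bin/sh
# Added example (not from the thread, the ports tree or OpenVPN).
# Two checks for a freshly built openvpn--mbedtls with pkcs11 enabled:
#   1. which shared objects the binary loads, taken from ldd(1) output;
#   2. whether any two of them export the same symbol name, which is what
#      a "libcrypto vs libmbedtls* conflict" would actually consist of.
# Runs offline on constructed data. For a real binary, produce the inputs with
#   ldd /usr/local/sbin/openvpn > ldd.txt
#   nm -D /usr/lib/libcrypto.so.53.0 | awk '$(NF-1) ~ /^[TDRBW]$/ { print $NF }' | sort -u > libcrypto.syms
# (nm flags assumed from GNU/OpenBSD nm(1); check yours).

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed ldd output in OpenBSD's ldd(1) column layout; addresses are fake.
cat > "$WORK/ldd.txt" <<'EOF'
openvpn:
        Start            End              Type  Open Ref GrpRef Name
        0000000000000000 0000000000000000 exe   2    0   0      openvpn
        0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libcrypto.so.53.0
        0000000000000000 0000000000000000 rlib  0    1   0      /usr/local/lib/libmbedtls.so.17.0
        0000000000000000 0000000000000000 rlib  0    1   0      /usr/local/lib/libpkcs11-helper.so.1.0
        0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libc.so.97.0
        0000000000000000 0000000000000000 ld.so 0    1   0      /usr/libexec/ld.so
EOF

# Constructed exported-symbol lists, one name per line. Real libcrypto and
# mbedtls exports use distinct naming (no prefix vs. mbedtls_), so the planted
# ERR_get_error in the pkcs11-helper list below is there only to show a hit.
printf '%s\n' EVP_DigestInit_ex RSA_free SHA256_Init OPENSSL_init_crypto ERR_get_error \
    > "$WORK/libcrypto.syms"
printf '%s\n' mbedtls_ssl_setup mbedtls_pk_parse_key mbedtls_sha256_init mbedtls_x509_crt_parse \
    > "$WORK/libmbedtls.syms"
printf '%s\n' pkcs11h_initialize pkcs11h_terminate pkcs11h_certificate_create ERR_get_error \
    > "$WORK/libpkcs11-helper.syms"

# Print the path of every shared object (rlib/dlib rows) in an ldd listing.
ldd_shared_objects() {
    awk '$3 == "rlib" || $3 == "dlib" { print $NF }' "$1" | sort -u
}

# Print, sorted, the symbol names present in both files.
shared_symbols() {
    awk 'NR == FNR { seen[$1] = 1; next }
         ($1 in seen) && !dup[$1]++ { print $1 }' "$1" "$2" | sort
}

# Compare every pair of symbol files; print "libA libB symbol" per collision.
# Returns 1 when at least one collision was found, 0 otherwise.
report_collisions() {
    found=0
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            for sym in $(shared_symbols "$a" "$b"); do
                printf '%s %s %s\n' "${a##*/}" "${b##*/}" "$sym"
                found=1
            done
        done
    done
    return $found
}

echo "Shared objects loaded by openvpn:"
ldd_shared_objects "$WORK/ldd.txt"
echo
echo "Symbol names defined by more than one of them:"
report_collisions "$WORK/libcrypto.syms" "$WORK/libmbedtls.syms" "$WORK/libpkcs11-helper.syms" \
    || echo "(collision: which definition wins depends on load order and symbol binding)"
```

A binary that links both libcrypto and libmbedtls is only a problem if the second check prints something; an empty result means the two libraries coexist in the process without either shadowing the other's symbols, and the remaining risk is purely functional (the pkcs11-helper path still has to be exercised, e.g. with an actual token, which `--show-pkcs11-ids` alone does not do).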
