Thursday, January 02, 2025

Re: net/openvpn,mbedtls: add pkcs11 support

On Fri 03/01/2025 00:29, Jeremie Courreges-Anglas wrote:
>
> I'd like to know whether the mbedtls FLAVOR can also use
> pkcs11-helper. Seems to work just fine with ''openvpn
> --show-pkcs11-ids'' but this is no actual test.
>
> Klemens: could you please test the mbedtls FLAVOR for your use case?
>
> Bjorn, do you see a drawback with enabling pkcs11 support? The
> resulting openvpn--mbedtls binary starts being directly linked to
> libcrypto, but:
> - libcrypto comes from libpkcs11-helper-1.pc but openvpn itself
> doesn't start using libcrypto itself
> - mbedtls and libcrypto shouldn't conflict
>
> Input and oks welcome.

Although I'm not using openvpn any more, I do not see drawbacks with enabling
pkcs11 support in the mbedtls FLAVOR. I think I do not have the means to test
properly, but looking at the output of 'ldd openvpn' I would not be surprised if
there is an issue with getting stuff to work: there is an opportunity for
libcrypto and libmbedtls* to conflict.

openvpn:
Start            End              Type  Open Ref GrpRef Name
00000f37976e0000 00000f37977b7000 exe   2    0   0      openvpn
00000f39b5495000 00000f39b54c5000 rlib  0    1   0      /usr/local/lib/liblzo2.so.1.0
00000f3a3ea1a000 00000f3a3ea51000 rlib  0    1   0      /usr/local/lib/liblz4.so.3.3
00000f39ae96a000 00000f39aebbc000 rlib  0    1   0      /usr/lib/libcrypto.so.55.0
00000f39d3f3b000 00000f39d3f54000 rlib  0    1   0      /usr/local/lib/libpkcs11-helper.so.0.0
00000f39b9fb8000 00000f39b9fee000 rlib  0    2   0      /usr/local/lib/libmbedtls.so.7.0
00000f39cc205000 00000f39cc212000 rlib  0    5   0      /usr/lib/libpthread.so.27.1
00000f3a2c91d000 00000f3a2c940000 rlib  0    3   0      /usr/local/lib/libmbedx509.so.3.2
00000f3a54ffd000 00000f3a55087000 rlib  0    4   0      /usr/local/lib/libmbedcrypto.so.5.0
00000f39a23e4000 00000f39a24eb000 rlib  0    1   0      /usr/lib/libc.so.100.3
00000f3a0a5f4000 00000f3a0a5f4000 ld.so 0    1   0      /usr/libexec/ld.so

Just sent a different mail to kn@ (same thread) with some tweaks for his test
with a modification for the pkcs11-helper port. With this I would expect that
there is no conflict between libcrypto and libmbedtls*. Not sure how I can test
further.

openvpn:
Start            End              Type  Open Ref GrpRef Name
0000059243798000 000005924386f000 exe   2    0   0      openvpn
00000594e0c6c000 00000594e0c9c000 rlib  0    1   0      /usr/local/lib/liblzo2.so.1.0
000005949e97c000 000005949e9b3000 rlib  0    1   0      /usr/local/lib/liblz4.so.3.3
0000059541133000 0000059541169000 rlib  0    2   0      /usr/local/lib/libmbedtls.so.7.0
00000594c0eba000 00000594c0ec7000 rlib  0    5   0      /usr/lib/libpthread.so.27.1
00000594b0353000 00000594b0376000 rlib  0    3   0      /usr/local/lib/libmbedx509.so.3.2
000005949ff7e000 00000594a0008000 rlib  0    4   0      /usr/local/lib/libmbedcrypto.so.5.0
000005952ce7e000 000005952ce97000 rlib  0    1   0      /usr/local/lib/libpkcs11-helper.so.0.0
00000595404ec000 00000595405f3000 rlib  0    1   0      /usr/lib/libc.so.100.3
00000594520e1000 00000594520e1000 ld.so 0    1   0      /usr/libexec/ld.so
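A small check for the concern raised in this mail, added here as an example and not part of the message or of the ports tree: it parses ldd(1) output (sample input constructed from the two listings above, trimmed to the rows that matter), reports whether both libcrypto and libmbedcrypto are mapped into the same binary, and diffs the dependency sets before and after the pkcs11-helper tweak. The function names ldd_libs, mixed_crypto and ldd_diff are my own.

```shell
# Constructed sample input: the two ldd(1) listings quoted above, trimmed to
# the rows this check cares about (the real listings carry more libraries).
LDD_BEFORE='openvpn:
Start End Type Open Ref GrpRef Name
00000f37976e0000 00000f37977b7000 exe 2 0 0 openvpn
00000f39ae96a000 00000f39aebbc000 rlib 0 1 0 /usr/lib/libcrypto.so.55.0
00000f39d3f3b000 00000f39d3f54000 rlib 0 1 0 /usr/local/lib/libpkcs11-helper.so.0.0
00000f39b9fb8000 00000f39b9fee000 rlib 0 2 0 /usr/local/lib/libmbedtls.so.7.0
00000f3a54ffd000 00000f3a55087000 rlib 0 4 0 /usr/local/lib/libmbedcrypto.so.5.0
00000f39a23e4000 00000f39a24eb000 rlib 0 1 0 /usr/lib/libc.so.100.3
00000f3a0a5f4000 00000f3a0a5f4000 ld.so 0 1 0 /usr/libexec/ld.so'
LDD_AFTER='openvpn:
Start End Type Open Ref GrpRef Name
0000059243798000 000005924386f000 exe 2 0 0 openvpn
0000059541133000 0000059541169000 rlib 0 2 0 /usr/local/lib/libmbedtls.so.7.0
000005949ff7e000 00000594a0008000 rlib 0 4 0 /usr/local/lib/libmbedcrypto.so.5.0
000005952ce7e000 000005952ce97000 rlib 0 1 0 /usr/local/lib/libpkcs11-helper.so.0.0
00000595404ec000 00000595405f3000 rlib 0 1 0 /usr/lib/libc.so.100.3
00000594520e1000 00000594520e1000 ld.so 0 1 0 /usr/libexec/ld.so'

# Read ldd output on stdin and print every shared library (Type rlib) once as
# a bare name, e.g. /usr/lib/libcrypto.so.55.0 -> libcrypto.  The header, the
# exe row and ld.so are skipped.
ldd_libs() {
    awk '$3 == "rlib" { n = $NF; sub(/^.*\//, "", n); sub(/\.so.*$/, "", n); print n }' | sort -u
}

# Exit 0 when both the LibreSSL/OpenSSL backend (libcrypto) and the mbedTLS
# backend (libmbedcrypto) are mapped into the same process, the overlap the
# mail above is worried about.
mixed_crypto() {
    libs=$(ldd_libs)
    printf '%s\n' "$libs" | grep -qxF libcrypto &&
        printf '%s\n' "$libs" | grep -qxF libmbedcrypto
}

# Compare two ldd listings ($1 before, $2 after) and print "-name" for each
# library that went away and "+name" for each one that appeared.
ldd_diff() {
    before=$(printf '%s\n' "$1" | ldd_libs)
    after=$(printf '%s\n' "$2" | ldd_libs)
    printf '%s\n' "$before" | while read -r l; do
        printf '%s\n' "$after" | grep -qxF "$l" || printf '%s\n' "-$l"
    done
    printf '%s\n' "$after" | while read -r l; do
        printf '%s\n' "$before" | grep -qxF "$l" || printf '%s\n' "+$l"
    done
}
# Usage on a real binary: ldd "$(which openvpn)" | mixed_crypto && echo mixed
```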
