OpenVPN: OpenSSL error: cannot load engine 'padlock'
-
I can rebuild it again and see. I know the openvpn22 port was broken quite a bit for 2.0.x builds, but I can't remember if I've rebuilt openvpn 2.3 since then to see if it had any issues.
-
Thanks jim - and supposedly openvpn22 was broken by me while syncing to upstream - sorry about that.
-
OpenVPN 2.3 is rebuilt, new snap run is starting now. Try it again later this evening once it's all uploaded.
-
I've upgraded to the latest built (2.1-BETA1 (i386) built on Fri Jan 25 11:42:50 EST 2013) - still same error as statet above:
…
OpenVPN 2.3.0 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jan 25 2013
openvpn[17542]: Exiting due to fatal error
openvpn[17542]: OpenSSL error: cannot load engine 'padlock'
… -
aha, I see why.
Somehow it's latching onto the openssl from ports, and not from the base system, and we don't compile the openssl from ports with padlock support (not sure when that started to get included…)
-
Next build will be fixed for this.
Also, the next build will include ipsec-tool 0.8.1. Since I had to fix up openssl for this, I went ahead and used it for that.
-
Thank you guys for looking into this.
Upgraded to 2.1-BETA1 (i386) built on Fri Jan 25 17:42:51 EST 2013 FreeBSD 8.3-RELEASE-p5
I get still the same error.
-
That's not the new image.
It's uploading right now.
-
Thank you Jim for your efforts, if things work fine with padlock, I'd like to make a PR to the port maintainer concerning the messed up naming of the padlock patches you had to override in the openssl port.
It doesn't seem many people use padlock - otherwise that would have been fixed upstream already. ;-) -
I'm not sure, if this is already the new image…I just tried it:
2.1-BETA1 (i386) built on Fri Jan 25 22:52:45 EST 2013 FreeBSD 8.3-RELEASE-p5
Still no working OpenVPN with padlock enabled.
-
Same error? Different error?
-
I still get the same error.
-
ok, I think I see what it is now, it didn't copy all of the package version's files to the image, so it's missing the .so files for the other engines. I'll fix that shortly.
-
OK the next new image to go up should have the fixes.
It's not up yet, it will take ~3-4 hours to build and upload.
-
New image is up now.
-
Upgraded to the latest built (2.1-BETA1 (i386) built on Sat Jan 26 10:18:38 EST 2013 FreeBSD 8.3-RELEASE-p5):
…
openvpn[18810]: Initializing OpenSSL support for engine 'padlock
…It works again :)
Thanx jimp & MatSim for the fast fix. You guys doing an amazing work!
-
@MatSim:
Thank you Jim for your efforts, if things work fine with padlock, I'd like to make a PR to the port maintainer concerning the messed up naming of the padlock patches you had to override in the openssl port.
It doesn't seem many people use padlock - otherwise that would have been fixed upstream already. ;-)Feel free to push that one up to FreeBSD. It was a simple fix, rename the patches and "make makesum" to update the checksum/names.
I guess nobody goes out of their way to use the ports openssl+padlock, but it does work with the base version so people probably just use that.
-
Done, for the reference: http://www.freebsd.org/cgi/query-pr.cgi?pr=175622
-
In addition to the other fixes I made, I just added some smarter code to the openvpn engine option that does better checking for not just the engines on the system but also which engines are actually usable.
That way if something like this were to happen in the future, the VPN wouldn't have failed, it just would not have used the padlock engine.
