Determining the crypto library to be used

Starting with OpenVPN 2.3, it became possible to build OpenVPN using either the OpenSSL cryptographic library or the PolarSSL library. The PolarSSL library is nowadays known as "mbedTLS". The PolarSSL library is used in the OpenVPN Connect apps for both Android and iOS, but the library can be used on all other supported platforms as well.

The goal of this recipe is to show how to determine which cryptographic library is used, including the run-time version number.

Getting ready

Set up the server certificate using the first recipe from Chapter 2, Client-server IP-only Networks. Use the client certificate and the intermediary CA certificate from the previous recipe. For this recipe, the computer was running Fedora 22 Linux and OpenVPN 2.3.10, built both for OpenSSL and for PolarSSL. Keep the server configuration file basic-udp-server.conf from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks.

How to do it...

  1. Start the regular version of OpenVPN using the standard configuration file:
            [root@server]# openvpn --config basic-udp-server.conf

  2. Check the first few lines of the server log file:
            OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  4 2016
            library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.08

  3. Stop the server by killing the openvpn process.
  4. Next, change the system's LD_LIBRARY_PATH to point to a more recent version of OpenSSL:
            [root@server]# export LD_LIBRARY_PATH=..../openssl-1.0.1s
            [root@server]# openvpn --config basic-udp-server.conf

  5. Check the first few lines of the server log file:
            OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  4 2016
            library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.08

  6. Again, stop the server by killing the openvpn process.
  7. Switch to the PolarSSL-built version of OpenVPN and start the server again:
            [root@server]# .../openvpn-2.3.10polarssl/openvpn --config basic-udp-server.conf

  8. Check the first few lines of the server log file:
            OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 27 2016
            library versions: PolarSSL 1.3.16, LZO 2.08


How it works...

When OpenVPN starts, the cryptographic library is loaded and initialized. At this point, the library's version string is retrieved and printed. By using different builds of the crypto libraries, we see that only the first few lines of the server log file change: the banner line shows which library OpenVPN was built against (compile time), while the "library versions" line shows which version was actually loaded (run time), which is why swapping LD_LIBRARY_PATH changes the second line but not the first.
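As an added example (not code from the book), a small Python helper that pulls the crypto library name and its run-time version out of the two log lines shown above and checks them against a per-library minimum; the sample log lines are constructed from the recipe's output, and the version floors passed to meets_minimum are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the first two server log lines as the recipe shows
# them for the OpenSSL-built and the PolarSSL-built OpenVPN 2.3.10.
OPENSSL_LOG = (
    "OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] "
    "[PKCS11] [MH] [IPv6] built on Jan  4 2016\n"
    "library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.08\n"
)
POLARSSL_LOG = (
    "OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] "
    "[MH] [IPv6] built on Apr 27 2016\n"
    "library versions: PolarSSL 1.3.16, LZO 2.08\n"
)
# "OpenVPN <ver> <platform> [SSL (<lib>)] ..." -> OpenVPN version and build-time library
BANNER_RE = re.compile(r"^OpenVPN (\S+) \S+ .*\[SSL \((\w+)\)\]")
# "library versions: <lib> <ver>[ <date>], LZO <ver>" -> library actually loaded at run time
LIBVER_RE = re.compile(r"^library versions: (\w+) ([^\s,]+)")
# "1.0.1e-fips" -> (1, 0, 1, "e"); "1.3.16" -> (1, 3, 16, "")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_banner(log_text: str) -> Optional[Dict[str, str]]:
    """Which crypto library OpenVPN was built against, and which version it loaded."""
    banner = libver = None
    for line in log_text.splitlines():
        banner = banner or BANNER_RE.match(line)
        libver = libver or LIBVER_RE.match(line)
    if banner is None or libver is None:
        return None  # not an OpenVPN start-up banner
    return {
        "openvpn": banner.group(1),
        "built_with": banner.group(2),    # chosen at compile time
        "runtime_lib": libver.group(1),   # what the dynamic loader actually found
        "runtime_version": libver.group(2),
    }

def version_key(version: str) -> Tuple[int, int, int, str]:
    """Sortable key for OpenSSL/PolarSSL version strings; suffixes such as -fips are ignored."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def meets_minimum(log_text: str, minimum: Dict[str, str]) -> bool:
    """True if the loaded library is at or above its floor, e.g. {"OpenSSL": "1.0.1s"} (floors are assumptions)."""
    info = parse_banner(log_text)
    if info is None or info["runtime_lib"] not in minimum:
        return False
    return version_key(info["runtime_version"]) >= version_key(minimum[info["runtime_lib"]])
```

Run it against the live log after step 2 and again after step 5 to confirm that the LD_LIBRARY_PATH change really took effect before trusting the newer library.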

There's more...

The type and build of the cryptographic library used determine some of the more advanced features of OpenVPN, as we will see in the next few recipes. The library version string provides vital information for debugging a non-working setup, as we will see in Chapter 6, Troubleshooting OpenVPN - Configurations.

See also

  • The next recipe, in which the differences between the cryptographic libraries are explained
  • The How to read the OpenVPN log files recipe, from Chapter 6, Troubleshooting OpenVPN - Configurations, which shows in detail how to read the OpenVPN log files