# Trying to run openvpn with another engine



## rogeriohblima (Aug 11, 2022)

Well, I made a new engine (new-engine) to run openvpn with it. It works in Linux, but in FreeBSD it doesn't (I already compiled it on that machine). Below is the error when I try to connect:






I already put my new-engine.so in the folder /usr/lib/engines/ and my config file is below:


```
port 1194
proto udp
dev tun
secret static.key
engine new-engine
```

And I already put the section about my engine in the openssl.cnf:


```
openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engines = engine_section

[engine_section]
new-engine = new-engine_config

[new-engine_config]
engine_id = new-engine
dynamic_path = /usr/lib/engines/new-engine.so
init=1
```


----------



## _al (Aug 12, 2022)

Try to rename section [new-engine_config] to [new_engine_config]






https://www.openssl.org/docs/man1.1.1/man5/config.html





> A configuration file is divided into a number of sections. Each section starts with a line *[ section_name ]* and ends when a new section is started or end of file is reached. A section name can consist of alphanumeric characters and underscores.


----------



## rogeriohblima (Aug 15, 2022)

Andrey Lanin said:


> Try to rename section [new-engine_config] to [new_engine_config]
> 
> 
> 
> ...


Thanks for your answer. I did what you said, but the error stays the same.


----------



## _al (Aug 15, 2022)

Is the OPENSSL_CONF environment variable defined?

The substring 'new-engine' must be replaced by the substring 'new_engine' everywhere except the library file name.





https://www.openssl.org/docs/man1.1.1/man5/config.html





> Each section in a configuration file consists of a number of name and value pairs of the form *name=value*
> The *name* string can contain any alphanumeric characters as well as a few punctuation symbols such as *.* *,* *;* and *_*.


----------



## rogeriohblima (Aug 17, 2022)

Andrey Lanin said:


> Is the OPENSSL_CONF environment variable defined?
> 
> The substring 'new-engine' must be replaced by the substring 'new_engine' everywhere except the library file name.
> 
> ...


I did these things, but the error persists...


----------



## _al (Aug 17, 2022)

In this case, I think you need to debug the code where the library is loading.


----------



## rogeriohblima (Aug 18, 2022)

I understood, but that code works on Linux with the same openssl version (1.1.1).


----------



## _al (Aug 18, 2022)

rogeriohblima said:


> I understood, but that code works on Linux with the same openssl version (1.1.1).


If the 'configs' are the same, and the software is compiled on FreeBSD, could it be a problem with config file permissions? Are they the same as in Linux?


----------



## _al (Aug 18, 2022)

This is how it looks on my computer:

*in FreeBSD* (I'm on Linux now, so here's a picture):




*in Linux:*

```
lanin@debian2:/etc/openvpn$ ls -lR .
.:
итого 36
-rw-r--r-- 1 root root 1184 авг 31  2021 ca.crt
drwxr-xr-x 2 root root 4096 мая 14  2021 client
-rw-r--r-- 1 root root  408 авг 31  2021 client.conf
-rw-r--r-- 1 root root 1204 авг 31  2021 lanin01.crt
-rw------- 1 root root 1704 авг 31  2021 lanin01.key
-rw-r--r-- 1 root root  188 авг 18 17:42 openvpn-status.log
drwxr-xr-x 2 root root 4096 мая 14  2021 server
-rw-r--r-- 1 root root  636 дек 29  2010 ta.key
-rw-r--r-- 1 root root 1468 фев 20  2019 update-resolv-conf
```


----------



## _al (Aug 18, 2022)

(rebooted to FreeBSD)

```
[lanin@freebsd ~]$ pkg info openssl | grep Version
Version        : 1.1.1q,1
[lanin@freebsd ~]$ pkg info openvpn | grep Version
Version        : 2.5.7_1
[lanin@freebsd ~]$ service openvpn status
openvpn is running as pid 1914.
[lanin@freebsd ~]$ ls -l -D %F /usr/local/etc/openvpn
total 40
-rw-r--r--  1 lanin  wheel  1184 2021-08-31 ca.crt
drwxr-xr-x  2 lanin  wheel   512 2021-05-14 client
-rw-r--r--  1 lanin  wheel   473 2022-04-11 client.conf
-rw-r--r--  1 lanin  wheel  1204 2021-08-31 lanin01.crt
-rw-------  1 lanin  wheel  1704 2021-08-31 lanin01.key
-rw-r--r--  1 lanin  wheel  1201 2017-08-03 openvpn
-rw-r--r--  1 lanin  wheel   167 2022-08-18 openvpn-status.log
drwxr-xr-x  2 lanin  wheel   512 2021-05-14 server
-rw-r--r--  1 lanin  wheel   636 2010-12-29 ta.key
-rw-r--r--  1 lanin  wheel  1468 2019-02-20 update-resolv-conf
[lanin@freebsd ~]$
```


----------



## _al (Aug 18, 2022)

I understand that our 'configs' are different (since I installed openvpn and openssl using pkg); I am just showing the permissions of the config files (where a problem might be).


----------



## msplsh (Aug 18, 2022)

The problem is likely with the permissions or naming in /usr/lib/engines/, maybe not as much with config files although OpenSSL not loading your config file is also highly probable.


----------



## _al (Aug 18, 2022)

Yes, OpenSSL can't read its own files - it doesn't read openvpn's config files (so the problem is not in openvpn or its config files).

And yes, the problem is either in the files' paths or files' permissions...


----------



## _al (Aug 18, 2022)

Such a thought...
Have you tried manually loading the library?
Something like this - a.c:

```
#include <stdio.h>
#include <dlfcn.h>

int main(void)
{
    void *dl;
    void (*fn)(void);
    const char *err;

    /* Load the engine the same way OpenSSL's dynamic loader would. */
    dl = dlopen("/usr/lib/engines/new-engine.so", RTLD_LAZY);
    if (!dl) {
        printf("dlopen() error: %s\n", dlerror());
        return 1;
    }

    /* Clear any stale error so that dlerror() after dlsym() is meaningful. */
    dlerror();
    *(void **)(&fn) = dlsym(dl, "new_engine_get_handle"); /* some symbol exported by new-engine.so */
    if ((err = dlerror()) != NULL) {
        printf("%s\n", err);
        dlclose(dl);
        return 1;
    }
    (void)fn;

    dlclose(dl);
    printf("ok\n");
    return 0;
}
```

`gcc a.c -o a -ldl`
`gcc a.c -o a -lc`  - https://www.freebsd.org/cgi/man.cgi?query=dlsym

*Edit:* The goal is to check if there are any errors when loading new-engine.so.


----------



## rogeriohblima (Aug 18, 2022)

Andrey Lanin said:


> If the 'configs' are the same, and the software is compiled on FreeBSD, could it be a problem with config files permissions ? Are they the same as in Linux ?


No, they aren't the same.



Andrey Lanin said:


> (rebooted to FreeBSD)
> 
> ```
> [lanin@freebsd ~]$ pkg info openssl | grep Version
> ...



When I remove the line `engine newengine`, openvpn works! So my config file permissions are fine:

```
port 1194
proto udp
dev tun
secret static.key
engine newengine
```



Andrey Lanin said:


> I understand that our 'configs' are different (since I installed openvpn and openssl using pkg); I am just showing the permissions of the config files (where a problem might be).


I installed openvpn and openssl using pkg too.



msplsh said:


> The problem is likely with the permissions or naming in /usr/lib/engines/, maybe not as much with config files although OpenSSL not loading your config file is also highly probable.


My engine is 444 in the folder /usr/lib/engines/ (the same permissions as the other engines).



Andrey Lanin said:


> Yes, openSSL can't read its own files - it doesn't read openvpn's config files (so the problem not in openvpn and its config files)
> 
> And yes, the problem is either in the files' paths or files' permissions...


The path to engines:

```
OPENSSLDIR: "/etc/ssl"
ENGINESDIR: "/usr/lib/engines"
```

And the folder /usr/lib/engines:

```
root@freebsd:~ # ls -la /usr/lib/engines/
total 80
drwxr-xr-x   2 root  wheel    512 Aug 17 15:58 .
drwxr-xr-x  11 root  wheel  17408 Aug 17 16:48 ..
-r--r--r--   1 root  wheel   4184 Dec  2  2021 capi.so
-r--r--r--   1 root  wheel  35328 Aug 11 16:35 newengine.so
-r--r--r--   1 root  wheel   8536 Dec  2  2021 padlock.so
```


----------



## msplsh (Aug 18, 2022)

rogeriohblima said:


> When I remove the line `engine newengine`, the openvpn works!


Still sounds like OpenSSL is having some problem locating the engine, perhaps due to not using openssl.cnf.
I see you have OpenSSL from ports loaded, but OpenVPN seems to be using the one from base, as ports is 1.1.1q and your log says 1.1.1l-freebsd.  So the location of the config file needs to be for base, not ports.  Also, if you're using `service openvpn start` that is probably not picking up OPENSSL_CONF, so I guess you'll have to set that somewhere else.

Looks like there's an openvpn_flags variable for rc.conf where you should use --engine to enable alternate engines for OpenVPN.  The man page doesn't really help with where to put the openssl.cnf file there, either.


----------



## _al (Aug 19, 2022)

I think so too.  OpenVPN, being installed from pkg, looks for OpenSSL (with its regular engines) in its usual place and does find OpenSSL 1.1.1q (which is installed from pkg).  OpenSSL 1.1.1q looks for its config in the usual place. OpenSSL 1.1.1q knows nothing about the new engine. The new engine and the OpenSSL 1.1.1l with which it works (and its config) are not installed from pkg, and are not located in the regular place.

*Sorry for my garbage post.*
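Added example (not from the thread): a small POSIX sh check for the situation msplsh and _al describe above, where the openvpn binary links against one OpenSSL build (base, reported as 1.1.1l-freebsd, ENGINESDIR /usr/lib/engines) while the `openssl` CLI and the openssl.cnf being edited belong to another (ports, 1.1.1q). It parses ldd(1) and `openssl version -a` output and reports whether the two resolve to the same libssl and whether the engine file sits in the directory that build searches. The sample outputs, and the paths /usr/local/sbin/openvpn, /usr/lib/libssl.so.111 and /usr/local/lib/libssl.so.11, are constructed assumptions about a FreeBSD host with both builds installed; nothing here was captured from the poster's machine.

```shell
#!/bin/sh
# Added example: detect an OpenSSL build mismatch between openvpn and the
# openssl CLI. Feed real output on the host like this:
#   ldd /usr/local/sbin/openvpn | libssl_from_ldd
#   ldd "$(command -v openssl)" | libssl_from_ldd
#   openssl version -a          | enginesdir_from_version

# Print the libssl path that ldd(1) resolved (first libssl line on stdin).
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# Print the ENGINESDIR quoted in `openssl version -a` output on stdin.
enginesdir_from_version() {
    awk -F'"' '/^ENGINESDIR:/ { print $2; exit }'
}

# compare_libssl OPENVPN_LDD CLI_LDD: "same" when both resolve to one libssl,
# otherwise "mismatch: <openvpn libssl> vs <cli libssl>". A mismatch means the
# OPENSSLDIR/ENGINESDIR printed by the CLI are not the ones openvpn uses.
compare_libssl() {
    a=$(printf '%s\n' "$1" | libssl_from_ldd)
    b=$(printf '%s\n' "$2" | libssl_from_ldd)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo same
    else
        echo "mismatch: ${a:-none} vs ${b:-none}"
    fi
}

# engine_in_dir ENGINESDIR ENGINE_PATH: "ok" when the .so lives in the engine
# directory of that build, else "outside".
engine_in_dir() {
    case "$(dirname "$2")" in
        "$1") echo ok ;;
        *)    echo outside ;;
    esac
}

# Constructed sample (assumption): openvpn from pkg linked against base libssl.
SAMPLE_OPENVPN_LDD='/usr/local/sbin/openvpn:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800260000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800600000)'

# Constructed sample (assumption): the openssl CLI from ports, linked against
# the ports libssl.
SAMPLE_CLI_LDD='/usr/local/bin/openssl:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800260000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800600000)'

# Constructed sample of `openssl version -a` for the base build; the two
# directory lines match what the thread reports.
SAMPLE_VERSION='OpenSSL 1.1.1l-freebsd  24 Aug 2021
OPENSSLDIR: "/etc/ssl"
ENGINESDIR: "/usr/lib/engines"'

# Demonstration on the samples.
compare_libssl "$SAMPLE_OPENVPN_LDD" "$SAMPLE_CLI_LDD"
dir=$(printf '%s\n' "$SAMPLE_VERSION" | enginesdir_from_version)
engine_in_dir "$dir" /usr/lib/engines/newengine.so
```

When `compare_libssl` prints a mismatch, the openssl.cnf to edit (and the OPENSSL_CONF value to export for the openvpn process, if one is needed) is the one belonging to the libssl that openvpn loads, not the one the ports CLI reports.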


----------

