This was already fixed in -current but I didn't realise it affected the 7.6 release too so I didn't backport previously. I've now done that; -stable packages for amd64 and i386 should show up later today.
On 2025/01/27 08:21, Grzegorz Świtkowski wrote: > Dears > > OpenBSD installed 24.01.2025 from image install76.img witth syspatch applied: > > uname -a > OpenBSD klocek.my.domain 7.6 GENERIC.MP#0 amd64 > > Installed from packages: > > easy-rsa-3.1.1 small RSA key management package > openvpn-2.6.12 easy-to-use, robust, and highly configurable VPN > > LibreSSL from basesystem: > > openssl version > LibreSSL 4.0.0 > > In such a configuration, easy-rsa gives us following errors (gen-dh, build-ca > and other > commands):: > > ./easyrsa gen-dh > > Easy-RSA error: > > Unsupported SSL library: 4 > > And/or: > > Easy-RSA error: > > build-ca ssl lib: 4 > > This is caused beacuse major version of LibreSSL (4) is unknown for easyrsa > script: > > 886 case "$osslv_major" in > 887 1) no_password='-nodes' ;; > 888 2) no_password='-nodes' ;; > 889 3) > 890 case "$ssl_lib" in > 891 openssl) no_password='-noenc' ;; > 892 libressl) no_password='-nodes' ;; > 893 *) die "Unsupported SSL library: > $ssl_lib" > 894 esac > 895 ;; > 896 *) die "Unsupported SSL library: $osslv_major" > > And: > > 1397 case "$osslv_major" in > 1398 > 1399 # Version agnostic CA generation > 1400 # The only remaining option which is version dependent is > -nodes/-noenc > 1401 1|2|3) > # [SNIP] > 1447 *) die "build-ca ssl lib: $osslv_major" > > I solved the problem by my own, by appying following chagnes: > > diff -ru /usr/local/share/easy-rsa/easyrsa easyrsa > --- /usr/local/share/easy-rsa/easyrsa Fri Sep 27 18:40:44 2024 > +++ easyrsa Mon Jan 27 09:09:10 2025 > @@ -886,7 +886,7 @@ > case "$osslv_major" in > 1) no_password='-nodes' ;; > 2) no_password='-nodes' ;; > - 3) > + 3|4) > case "$ssl_lib" in > openssl) no_password='-noenc' ;; > libressl) no_password='-nodes' ;; > @@ -1398,7 +1398,7 @@ > > # Version agnostic CA generation > # The only remaining option which is version dependent is > -nodes/-noenc > - 1|2|3) > + 1|2|3|4) > # Generate CA Key > case "$EASYRSA_ALGO" in > rsa) > as it is done within current version od easy-rsa script (3.1.8) taken > straight from GitHub. > With changes shown above, whole process of building tls stuff for OpenVPN, > went properly. > Nevertheless I expect this bug is not the only thing in easy rsa script, that > requires > maintenance. > Please, review easy-rsa package. > > WIth regards > Grzegorz Świtkowski >
