Configure/Compiling with Non-Default Libraries

Nayk0105
Posts: 14
Joined: 2015/01/08 18:26:11

Re: Configure/Compiling with Non-Default Libraries

Post by Nayk0105 » 2015/01/17 12:21:38

After my initial posts with user chemal above, I went ahead with the built-in OpenSSL 1.0.1e. Everything (OpenSSL + OpenVPN + EasyRSA3) worked out fine UNTIL...

I tried to sign a CSR (certificate signing request, generated under a Cisco 3000 series) under my newly built PKI (openssl 1.0.1e powered, easyrsa3 enabled). It wouldn't sign and gave me this error:

"Check that the request matches the signature
Signature verification problems..."

Unfortunately, this is not an easyrsa error but a straight OpenSSL bug, described here:
http://openssl.6102.n7.nabble.com/opens ... 45531.html
Note that one of the replies is by Dr Stephen N. Henson.

OK, this problem does not exist if you generate a CSR under easyrsa and sign it with the same easyrsa. It came up when the CSR is generated in a different PKI, i.e. the Cisco 3005 in my case. To solve it, you need to upgrade to OpenSSL 1.0.1g as suggested in the link.

This is WHY I got tired and decided to dig back into LibreSSL. And I am glad I did. LibreSSL is forked from the OpenSSL 1.0.1g version, so I didn't expect this problem to exist, and I was right. After building LibreSSL, I tried the same thing and it signed.

Nayk0105
Posts: 14
Joined: 2015/01/08 18:26:11

Re: Configure/Compiling with Non-Default Libraries

Post by Nayk0105 » 2015/01/17 12:22:19

You should also consider upgrading LibreSSL, especially in its early days under Linux. User chemal talked about it above.

In my case with OpenVPN, it is easy:
- Rebuild OpenVPN with the updated package in the same way.
- Modify this line in your easyrsa vars file:
  set_var EASYRSA_OPENSSL "/usr/local/libressl/bin/openssl"

Nayk0105
Posts: 14
Joined: 2015/01/08 18:26:11

Re: Configure/Compiling with Non-Default Libraries

Post by Nayk0105 » 2015/01/17 12:22:46

One more thing...

Take note that EasyRSA defaults to "cn_only" credentials in certificates. This is fine as long as you keep using it under the same roof. When you tried to import it into a different concentrator, especially older vendor software such as the Cisco 3005, it threw errors that didn't make any sense, like this:

Invalid certificate chain

The problem is that it expects an "org" structure in certificates. Regenerate the cert with org fields and you'll be fine.
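Two pre-flight checks that cover both problems described in this thread (the CSR whose signature the CA build could not verify, and the cn_only certificate the older concentrator rejected), written as an added example rather than code from the thread or from EasyRSA: verify the foreign CSR's self-signature with the same openssl binary EasyRSA is pointed at, and confirm the subject carries an O= attribute before importing the request. The EASYRSA_OPENSSL fallback, the file names and the sample subjects are assumptions; the sample CSRs are constructed locally with openssl so the checks can be run offline.

```shell
#!/bin/sh
# Pre-flight checks before "easyrsa import-req" / "easyrsa sign-req" on a CSR
# that was generated in another PKI (e.g. a VPN concentrator).
# Added example, not from the thread. Uses the same binary EasyRSA uses via
# EASYRSA_OPENSSL in vars; falls back to whatever "openssl" is on PATH.
OPENSSL="${EASYRSA_OPENSSL:-openssl}"

# Check 1: does the CSR's own signature verify with this OpenSSL/LibreSSL build?
# A request from another PKI that fails here is exactly the
# "Signature verification problems" symptom from the thread; the first thing
# to rule out is the CA's own openssl build, not the request.
csr_signature_ok() {
    "$OPENSSL" req -verify -noout -in "$1" >/dev/null 2>&1
}

# Check 2: does the subject carry an O= attribute (EasyRSA "org" DN mode,
# set_var EASYRSA_DN "org") rather than a CN-only subject? Older software
# such as the concentrator in the thread rejects certs without it.
# Matches both the "/C=US/O=..." and the "C = US, O = ..." subject formats,
# and does not match OU=.
csr_subject_has_org() {
    "$OPENSSL" req -noout -subject -in "$1" 2>/dev/null \
        | grep -Eq '(^subject=|[/,] ?)O ?='
}

# Constructed sample: a fresh key and CSR with the given subject, so the
# checks above can be exercised without a real concentrator.
#   $1 = output CSR path (key is written beside it), $2 = subject in /X=Y form
make_sample_csr() {
    "$OPENSSL" req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -subj "$2" >/dev/null 2>&1
}

# Combined gate: returns 0 only when both checks pass, and says which failed.
csr_ready_for_import() {
    csr_signature_ok "$1" || { echo "$1: CSR signature does not verify with $OPENSSL" >&2; return 1; }
    csr_subject_has_org "$1" || { echo "$1: subject has no O= (cn_only DN)" >&2; return 1; }
    echo "$1: OK"
}
```

Point EASYRSA_OPENSSL at the LibreSSL binary from the vars file above and run `csr_ready_for_import request.csr` before `easyrsa import-req`; a request that fails check 1 on OpenSSL 1.0.1e but passes on the upgraded build is the bug from the thread, not a bad request.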
