Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows busybox install #1077

Open
wants to merge 7 commits into
base: master
Choose a base branch
from

Conversation

TinCanTech
Copy link
Collaborator

@TinCanTech TinCanTech commented Feb 12, 2024

Fully integrate busybox.exe as an alternative to MKSH:sh.exe

@TinCanTech
Copy link
Collaborator Author

Using busybox.exe, Windows Unit-test completes faster than Linux, for the first time. Note: Windows UT is a cut down version anyway but it is now faster.

@TinCanTech
Copy link
Collaborator Author

TinCanTech commented Feb 12, 2024

To test on Windows 11:

Copy From your git repo To: C:\Program Files\Openvpn\easy-rsa:

  • EasyRSA-busybox.bat -> Openvpn/easy-rsa
  • bin/easyrsa-busybox-init.sh -> Openvpn/easy-rsa/bin
  • bin/busybox.exe -> Openvpn/easy-rsa/bin

Start Easy-RSA in a standard command prompt by using: EasyRSA-busybox.bat /na

Once the EasyRSA Shell prompt is given, please enter this script:

easyrsa --pki=erut-w11
easyrsa --pki=erut-w11 init-pki
easyrsa --pki=erut-w11 --verbose --batch --nopass build-ca

Please post the full output.

Errors concerning missing OpenSSL are acceptable.

@TinCanTech TinCanTech force-pushed the windows-busybox-install branch from 483c828 to d4743a9 Compare February 13, 2024 01:42
@TinCanTech
Copy link
Collaborator Author

TinCanTech commented Feb 13, 2024

Successfully tested on Windows 10, using Easy-RSA No-admin mode.

Use this git fu:

git clone https://github.com/Openvpn/easy-rsa.git <FOO>

cd <FOO> # You know what to do ;-)

git checkout -b TinCanTech-windows-busybox-install master
git pull https://github.com/TinCanTech/easy-rsa.git windows-busybox-install

@dsommers
Copy link
Member

I would suggest NOT shipping easy-rsa with busybox on Windows. Using native tools would be preferred, just as native tools are used on the *nix side of this project. OpenSSL is the only external dependency which really makes sense.

If there are issues related to shell compatibilities and related challenges, in my view, it would make more sense to dive into WSL2 and such like environments.

@lstipakov
Copy link
Member

lstipakov commented Feb 13, 2024

Here you go.

log.txt

Since WSL is not part of Windows, I don't think it worth to maintain Windows port, which uses crutches like sh/busybox. With WSL you could just apt install easy-rsa and that's it.

@TinCanTech
Copy link
Collaborator Author

The discussion regarding WSL is moot:

  • You are free to choose to use WSL.
  • For problems with WSL, please raise a detailed issue about it.
  • WSL is not officially supported but that can change.

The resistance to busybox.exe replacing MKSH is a surprise to me:

  • busybox is fully open source with a proven track record.
  • busybox is actively maintained.
  • busybox for Windows is an ideal replacement for MKSH.

I will complete this PR but will refrain from merging to allow further discussion.

@TinCanTech
Copy link
Collaborator Author

PROS: This is my argument to support Windows as a non-admin user:

  • User installs OpenVPN with Easy-RSA. Requires admin access.
    In my opinion, Easy-RSA should be installed by default.
  • From this point forward, any user of that system can generate a certificate signing request, using Easy-RSA provided tools.

CONS: Personally, I am fundamentally against relying on WSL.

@dsommers
Copy link
Member

dsommers commented Feb 13, 2024

For each external dependency you pull in, you need to ensure the project has capacity to pay attention to security vulnerabilities and provide duly updates whenever something critical arrives. Since this project provides a zip file with Windows binaries, the project is responsible to ensure these are up-to-date with the latest security fixes.

That is why it is generally better to use what is already provided by the platform itself and have as few external dependencies as possible. You reduce the amount of code you need to pay attention to.

I don't know where the previous set of Windows binaries comes from or how it is being packaged into this project. This project should regardless have as a goal to build binaries it ships and verify that the code it ships is not carrying any possible supply chain attacks. If the CA private key leaks, then the whole CA is busted.

In regards to busybox, I do know that is a very attractive target for attacks - and new issues are discovered regularly. That does not mean that the previous mksh approach automatically is any safer, especially if you depend on pre-built binaries. But busybox is a known attractive target.

So if swapping to busybox, do ensure there is a security process in place and the ability to quickly do new releases.

When it comes to WSL (I presume @lstipakov meant "now" and not "not"), that is an infrastructure provided by Microsoft and gives you a native Linux environment to work in - where all the dependencies Easy-RSA need are already under maintenance by others. In fact, this project could even drop shipping OpenSSL binaries too. This would ensure this project can fully focus on Easy-RSA and not needing to be that concerned about shipping and maintaining external dependencies.

@TinCanTech
Copy link
Collaborator Author

@dsommers Thank you.

I respect your opinion regarding the industry standards of security for external dependencies.

However, from an Easy-RSA specific point of view, I disagree with you as follows.

You say:

  • I don't know where the previous set of Windows binaries comes from or

This is the very origin of the current problems facing Easy-RSA:

  • Those binaries MUST be updated or replaced.
  • They cannot be updated, therefore, they MUST be replaced.
  • They will be replaced by busybox, which has the same risk exposure as existing binaries.

You say:

  • In regards to busybox, I do know that is a very attractive target for attacks

Easy-RSA use of busybox is extremely limited:

  • Easy-RSA busybox is built with ZERO network support.
  • Easy-RSA use of busybox has no daemon style processes.
  • busybox is actively maintained.
  • The "very attractive target" is very well defended.

You say:

  • -When it comes to WSL ,<s> that is an infrastructure provided by Microsoft and gives you a native Linux environment to work in

As an Easy-RSA user, if I must use Windows then I prefer not to have to rely on WSL. WSL is NOT open source.

And, food for thought: What if MKSH were still actively maintained, would this discussion even take place ?

@TinCanTech
Copy link
Collaborator Author

TinCanTech commented Feb 14, 2024

The last problem is that of Easy-RSA integrated building of busybox-for-windows.

This is a huge commitment, for which, I do understand the resistance toward.

If I were a gambler, I would bet my bottom dollar that OpenSSL (built by Easy-RSA) is a far more signifificant security risk than Busybox.

However, given Full Admin access, easyrsa still woks. So, we can sit tight..

Choose: Rock or Sea.

@lstipakov
Copy link
Member

Note that with WSL we do not need to ship anything at all - not easyrsa scripts nor openssl binary. EasyRSA is already in Ubuntu 22.04, which WSL uses by default.

lev@lev-x1-11:~$ apt show easy-rsa
Package: easy-rsa
Version: 3.0.8-1ubuntu1
Priority: extra
Section: universe/utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Michele Orrù <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 137 kB
Depends: openssl
Recommends: opensc
Homepage: https://github.com/OpenVPN/easy-rsa
Download-Size: 44.1 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Description: Simple shell based CA utility
 This package eases the creation of certificates, for example for
 openvpn clients.
 .
 This was formerly part of the openvpn package.

I suggest we just ship only readme.txt in easyrsa folder and explain there WSL move.

@dsommers
Copy link
Member

dsommers commented Feb 14, 2024

Note that with WSL we do not need to ship anything at all - not easyrsa scripts nor openssl binary. EasyRSA is already in Ubuntu 22.04, which WSL uses by default.

That is why the "Windows binary distribution" is quite pointless. Easy-RSA does not provide an installer by itself, it requires users to unzip a file and use the command line to use it from there. You need to have some technical experience just to come this far.

If the user is instead instructed (as @lstipakov suggests) to setup WSL, which then gives you an Ubuntu environment out-of-the-box ... you still have a proper POSIX compliant environment and all external third-party dependencies included as part of the apt install easy-rsa step. And you get automatic updates via apt update+ apt upgrade.

The argument that WSL is not open source, is also only partly true. WSL is more or less a virtual machine running a complete Linux distribution, but made far more user friendly that users don't have to setup and install the Linux distro themselves - it comes pre-setup. So when you are inside the WSL "container", you are in an open source environment. The only "non-open source" part here is the glue layers between the virtual machine instance and the Windows environment it runs under.

Also consider that you don't need to care explicitly about Windows behaviours when going the WSL approach. You only need to ensure it works well under a recent enough and updated Ubuntu distribution. That is less maintenance burden for this project.

@TinCanTech
Copy link
Collaborator Author

TinCanTech commented Feb 14, 2024

For the record:

  • Users can use WSL and Easy-RSA should work.

  • WSL ships with Easy-RSA Version: 3.0.8-1ubuntu1, which has known bugs.

  • WSL is a virtual machine. This is a known weakness for gathering quality entropy.

  • Users can use Easy-RSA Windows tools and they will work but may require elevated privileges.

  • I accept that Shipping a new binary, busybox.exe, to fix the current problem with Windows 11 is a maintenance burden.

  • I still consider busybox for Windows to be a suitable replacement for the current tools, however, that is not a popular opinion.

  • Openvpn are considering removing Easy-RSA from the OpenVPN-Windows-Installer.

Closing this PR as unsuitable - #1078

@TinCanTech
Copy link
Collaborator Author

Reopening temporarily.

@TinCanTech TinCanTech reopened this Feb 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants