Windows busybox install

[TinCanTech]

Fully integrate busybox.exe as an alternative to MKSH:sh.exe

[TinCanTech]

Using busybox.exe, Windows Unit-test completes faster than Linux, for the first time. Note: Windows UT is a cut down version anyway but it is now faster.

[TinCanTech]

To test on Windows 11:

Copy From your git repo To: C:\Program Files\Openvpn\easy-rsa:

• EasyRSA-busybox.bat -> Openvpn/easy-rsa
• bin/easyrsa-busybox-init.sh -> Openvpn/easy-rsa/bin
• bin/busybox.exe -> Openvpn/easy-rsa/bin

Start Easy-RSA in a standard command prompt by using: EasyRSA-busybox.bat /na

Once the EasyRSA Shell prompt is given, please enter this script:

easyrsa --pki=erut-w11
easyrsa --pki=erut-w11 init-pki
easyrsa --pki=erut-w11 --verbose --batch --nopass build-ca

Please post the full output.

Errors concerning missing OpenSSL are acceptable.

[TinCanTech]

Successfully tested on Windows 10, using Easy-RSA No-admin mode.

Use this git fu:

git clone https://github.com/Openvpn/easy-rsa.git <FOO>

cd <FOO> # You know what to do ;-)

git checkout -b TinCanTech-windows-busybox-install master
git pull https://github.com/TinCanTech/easy-rsa.git windows-busybox-install

[dsommers]

I would suggest NOT shipping easy-rsa with busybox on Windows. Using native tools would be preferred, just as native tools are used on the *nix side of this project. OpenSSL is the only external dependency which really makes sense.

If there are issues related to shell compatibilities and related challenges, in my view, it would make more sense to dive into WSL2 and such like environments.

[lstipakov]

Here you go.

log.txt

Since WSL is not part of Windows, I don't think it worth to maintain Windows port, which uses crutches like sh/busybox. With WSL you could just apt install easy-rsa and that's it.

[TinCanTech]

The discussion regarding WSL is moot:

• You are free to choose to use WSL.
• For problems with WSL, please raise a detailed issue about it.
• WSL is not officially supported but that can change.

The resistance to busybox.exe replacing MKSH is a surprise to me:

• busybox is fully open source with a proven track record.
• busybox is actively maintained.
• busybox for Windows is an ideal replacement for MKSH.

I will complete this PR but will refrain from merging to allow further discussion.

[TinCanTech]

PROS: This is my argument to support Windows as a non-admin user:

• User installs OpenVPN with Easy-RSA. Requires admin access.
  In my opinion, Easy-RSA should be installed by default.
• From this point forward, any user of that system can generate a certificate signing request, using Easy-RSA provided tools.

CONS: Personally, I am fundamentally against relying on WSL.

[dsommers]

For each external dependency you pull in, you need to ensure the project has capacity to pay attention to security vulnerabilities and provide duly updates whenever something critical arrives. Since this project provides a zip file with Windows binaries, the project is responsible to ensure these are up-to-date with the latest security fixes.

That is why it is generally better to use what is already provided by the platform itself and have as few external dependencies as possible. You reduce the amount of code you need to pay attention to.

I don't know where the previous set of Windows binaries comes from or how it is being packaged into this project. This project should regardless have as a goal to build binaries it ships and verify that the code it ships is not carrying any possible supply chain attacks. If the CA private key leaks, then the whole CA is busted.

In regards to busybox, I do know that is a very attractive target for attacks - and new issues are discovered regularly. That does not mean that the previous mksh approach automatically is any safer, especially if you depend on pre-built binaries. But busybox is a known attractive target.

So if swapping to busybox, do ensure there is a security process in place and the ability to quickly do new releases.

When it comes to WSL (I presume @lstipakov meant "now" and not "not"), that is an infrastructure provided by Microsoft and gives you a native Linux environment to work in - where all the dependencies Easy-RSA need are already under maintenance by others. In fact, this project could even drop shipping OpenSSL binaries too. This would ensure this project can fully focus on Easy-RSA and not needing to be that concerned about shipping and maintaining external dependencies.

[TinCanTech]

@dsommers Thank you.

I respect your opinion regarding the industry standards of security for external dependencies.

However, from an Easy-RSA specific point of view, I disagree with you as follows.

You say:

• I don't know where the previous set of Windows binaries comes from or

This is the very origin of the current problems facing Easy-RSA:

• Those binaries MUST be updated or replaced.
• They cannot be updated, therefore, they MUST be replaced.
• They will be replaced by busybox, which has the same risk exposure as existing binaries.

You say:

• In regards to busybox, I do know that is a very attractive target for attacks

Easy-RSA use of busybox is extremely limited:

• Easy-RSA busybox is built with ZERO network support.
• Easy-RSA use of busybox has no daemon style processes.
• busybox is actively maintained.
• The "very attractive target" is very well defended.

You say:

• -When it comes to WSL ,<s> that is an infrastructure provided by Microsoft and gives you a native Linux environment to work in

As an Easy-RSA user, if I must use Windows then I prefer not to have to rely on WSL. WSL is NOT open source.

And, food for thought: What if MKSH were still actively maintained, would this discussion even take place ?

[TinCanTech]

The last problem is that of Easy-RSA integrated building of busybox-for-windows.

This is a huge commitment, for which, I do understand the resistance toward.

If I were a gambler, I would bet my bottom dollar that OpenSSL (built by Easy-RSA) is a far more signifificant security risk than Busybox.

However, given Full Admin access, easyrsa still woks. So, we can sit tight..

Choose: Rock or Sea.

[lstipakov]

Note that with WSL we do not need to ship anything at all - not easyrsa scripts nor openssl binary. EasyRSA is already in Ubuntu 22.04, which WSL uses by default.

lev@lev-x1-11:~$ apt show easy-rsa
Package: easy-rsa
Version: 3.0.8-1ubuntu1
Priority: extra
Section: universe/utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Michele Orrù <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 137 kB
Depends: openssl
Recommends: opensc
Homepage: https://github.com/OpenVPN/easy-rsa
Download-Size: 44.1 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Description: Simple shell based CA utility
 This package eases the creation of certificates, for example for
 openvpn clients.
 .
 This was formerly part of the openvpn package.

I suggest we just ship only readme.txt in easyrsa folder and explain there WSL move.

[dsommers]

Note that with WSL we do not need to ship anything at all - not easyrsa scripts nor openssl binary. EasyRSA is already in Ubuntu 22.04, which WSL uses by default.

That is why the "Windows binary distribution" is quite pointless. Easy-RSA does not provide an installer by itself, it requires users to unzip a file and use the command line to use it from there. You need to have some technical experience just to come this far.

If the user is instead instructed (as @lstipakov suggests) to setup WSL, which then gives you an Ubuntu environment out-of-the-box ... you still have a proper POSIX compliant environment and all external third-party dependencies included as part of the apt install easy-rsa step. And you get automatic updates via apt update+ apt upgrade.

The argument that WSL is not open source, is also only partly true. WSL is more or less a virtual machine running a complete Linux distribution, but made far more user friendly that users don't have to setup and install the Linux distro themselves - it comes pre-setup. So when you are inside the WSL "container", you are in an open source environment. The only "non-open source" part here is the glue layers between the virtual machine instance and the Windows environment it runs under.

Also consider that you don't need to care explicitly about Windows behaviours when going the WSL approach. You only need to ensure it works well under a recent enough and updated Ubuntu distribution. That is less maintenance burden for this project.

[TinCanTech]

For the record:

• Users can use WSL and Easy-RSA should work.

• WSL ships with Easy-RSA Version: 3.0.8-1ubuntu1, which has known bugs.

• WSL is a virtual machine. This is a known weakness for gathering quality entropy.

• Users can use Easy-RSA Windows tools and they will work but may require elevated privileges.

• I accept that Shipping a new binary, busybox.exe, to fix the current problem with Windows 11 is a maintenance burden.

• I still consider busybox for Windows to be a suitable replacement for the current tools, however, that is not a popular opinion.

• Openvpn are considering removing Easy-RSA from the OpenVPN-Windows-Installer.

Closing this PR as unsuitable - #1078

[TinCanTech]

Reopening temporarily.