security/openvpn: remove 2048-bit legacy Diffie HellmanHEADmain

I received a fallout complaint from i386 FreeBSD 15-PRERELEASE
builders that, as of now, has no other explanation than a tightened
(if intermediately) SECLEVEL on that machine, and that's due to
Diffie-Hellman 2048 bit parameters, and self-tests are failing
with stereotypical "ee key too small" and "dh key too small".

While it's not clear what the exact cause of the failure is and
if we had a glitch in the OpenSSL 3.5.1 import (Enji updated
the main branch to 3.5.2 shortly after), let's modernize the
setup a bit.

Fallout and Builder logs (I take it the 2nd URL states
that the FreeBSD src branch was at commit c6778f3a442):
https://pkg-status.freebsd.org/beefy17/data/main-i386-default/p98b748365fe6_sc6778f3a442/logs/openvpn-2.6.14.log
https://pkg-status.freebsd.org/beefy17/build.html?mastername=main-i386-default&build=p98b748365fe6_sc6778f3a442

2025-08-20 11:46:39 OpenVPN 2.6.14 i386-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2025-08-20 11:46:39 Note: dev-type not tun, disabling data channel offload.
2025-08-20 11:46:39 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-20 11:46:39 OpenVPN 2.6.14 i386-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2025-08-20 11:46:39 DCO version: FreeBSD 15.0-PRERELEASE 1500061
2025-08-20 11:46:39 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-20 11:46:39 DCO version: FreeBSD 15.0-PRERELEASE 1500061
2025-08-20 11:46:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 11:46:39 GDG: problem writing to routing socket: Invalid argument (errno=22)
2025-08-20 11:46:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 11:46:39 OpenSSL: error:030000A8:digital envelope routines::unknown security bits:
2025-08-20 11:46:39 OpenSSL: error:0A00018A:SSL routines::dh key too small:
2025-08-20 11:46:39 SSL_CTX_set0_tmp_dh_pkey
2025-08-20 11:46:39 Exiting due to fatal error
2025-08-20 11:46:39 OpenSSL: error:030000A8:digital envelope routines::unknown security bits:
2025-08-20 11:46:39 OpenSSL: error:0A00018F:SSL routines::ee key too small:
2025-08-20 11:46:39 Cannot load inline certificate file
2025-08-20 11:46:39 Exiting due to fatal error
FAIL: t_cltsrv.sh

That prompted upstream to file a bug and the suggestion to strip
dh2048.pem from installing the demo file and sample configuration should
not affect existing setups, however, if someone would have used
the shipped dh2048.pem file, that would have to be regenerated with
openssl dhparam -out dh2048.pem 2048.

https://github.com/OpenVPN/openvpn/issues/819
https://gerrit.openvpn.net/c/openvpn/+/1145

Upstream changelog, as of v3 of the latter:

| Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
|
| Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed to use
| '--dh none' to disable traditional Diffie Hellman, since more secure
| ECDH algorithms are available that do not use explicit DH parameters.
|
| If configured with a suffiently high securelevel (3+), or if running in
| FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests
| fail.
|
| Thus, remove all the DH2048 stuff from our sample configs.

Obtained from:	Gert Doering

While here, delete files/patch-src_plugins_auth-pam_auth-pam.c
because upstream (namely Antonio Quartulli) had fixed that omission
in v2.6-beta1 already (in 2022, as of OpenVPN's commit 0fed64a91d894b46).

Nobody has been able yet to reproduce the test failure other than by
forcing SECLEVEL=3, so let's just push this and see if we receive
pkg-fallout again next time i386 gets its ports built. Upstream
considers the patch necessary anyways, so let's not waste too much
time on testing on a dying system.

0 files changed, 0 insertions, 0 deletions