Opened 11 years ago

Closed 11 years ago

#1497 closed defect (wontfix)

OpenVPN error while reading p12 file

Reported by: mcasal@… Owned by: nico
Priority: high Milestone:
Component: packages Version:
Keywords: Cc:

Description

In OpenWrt RC6, OpenVPN fails to load the p12 file. Maybe broken dependencies with libssl?

Right now I can't send the error, but it's reproducible with the current OpenWrt RC6 and the OpenVPN-webif package using a certificate in p12 format.

Attachments (0)

Change History (7)

comment:1 Changed 11 years ago by florian

Post something if you can.

comment:2 Changed 11 years ago by openwrt.spam@…

I have what I think is the same problem. I'm running whiterussian-0.9, and I'm certain I'm typing the pass phrase in correctly. I've tried the certificate.p12 file with the OpenVPN Windows client and it works.

# ls -l /etc/openvpn/certificate.p12
-rw-r--r--    1 root     root         2837 Mar 23 23:24 /etc/openvpn/certificate.p12

# openvpn --client --proto udp --port 1194 --remote blah.blah.com --dev tun --nobind  --ns-cert-type server --pkcs12 /etc/openvpn/certificate.p12 --comp-lzo 
Wed Apr  4 10:00:14 2007 OpenVPN 2.0.8 mipsel-linux [SSL] [LZO] [EPOLL] built on Jan 30 2007
Enter Private Key Password:
Wed Apr  4 10:00:19 2007 Error parsing PKCS#12 file /etc/openvpn/certificate.p12: error:23076071:lib(35):func(118):reason(113): error:23076071:lib(35):func(118):reason(113)
Wed Apr  4 10:00:19 2007 Error: private key password verification failed
Wed Apr  4 10:00:19 2007 Exiting

comment:3 Changed 11 years ago by nico

  • Owner changed from developers to nico
  • Status changed from new to assigned

Can you please attach a test p12 certificate to help us reproduce the issue ?

comment:4 Changed 11 years ago by openwrt.spam@…

I did some digging around and discovered this is due to missing ciphers in the OpenWrt openvpn package. In my case OpenWrt is the client. I built my p12 certificate on a Fedora Core 6 box. The easy-rsa package on FC6 encrypts the certificate using 40-bit RC2, presumably because of the usual concerns over the export of strong crypto. The openvpn package for OpenWrt doesn't include this cipher.

root@openwrt:~# openssl list-cipher-commands 
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
rc4
rc4-40

It's excluded via the Makefile.

So a possible solution for openvpn is to include that cipher. In fact I preferred to use strong crypto, so I changed the build-key-pkcs12/pkitool script on the cert generation box to include the -descert option to openssl when building a pkcs12 cert. This encrypts the cert using triple-DES, which is in the standard package.

In summary:

If you want to use 40-bit RC2 encrypted p12's you need to include that cipher in the openvpn package. If you want to use the 'standard' openvpn package for OpenWrt you need to build your certificates using the -descert option.
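
The script below is an added example for this ticket, not OpenWrt or OpenVPN code. It walks the DER structure of a PKCS#12 file and reports the password-based-encryption OID used for the certificate SafeContents and for the shrouded private-key bag, so you can tell an RC2-40 export from a -descert one before copying the file to the router and without depending on which ciphers your local openssl was built with. OpenVPN 2.0.8 reports the unsupported cipher as "private key password verification failed" (comment 2), so checking the PBE first saves chasing the passphrase. Because no real bundle can ship with this page, the two sample bundles are constructed skeletons with the real PFX layout and OIDs but dummy salt and ciphertext; on a real file call p12_ciphers(open("certificate.p12", "rb").read()). Only password-integrity mode PFX (a data authSafe, which is what openssl pkcs12 -export produces) is handled, and unknown PBE OIDs are printed in dotted form.

```python
# Added example for this ticket, not OpenWrt or OpenVPN code: report which PBE
# algorithms a PKCS#12 file uses by walking its DER, no OpenSSL needed.
OID_DATA = "1.2.840.113549.1.7.1"
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
OID_PBE_RC2_40 = "1.2.840.113549.1.12.1.6"  # openssl 1.x 'pkcs12 -export' default for certs
OID_PBE_3DES = "1.2.840.113549.1.12.1.3"    # what -descert selects
PBE_NAMES = {
    OID_PBE_RC2_40: "pbeWithSHA1And40BitRC2-CBC",
    OID_PBE_3DES: "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",       # OpenSSL 3 default (AES-256-CBC + PBKDF2)
}
WEAK_PBE = {OID_PBE_RC2_40}  # RC2 is on the OpenWrt OPENSSL_NO_CIPHERS list (no-rc2)

def _tlv(buf, pos=0):  # one DER TLV at pos -> (tag, value, end); single-byte tags only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):  # (tag, value) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def _oid(value):  # OBJECT IDENTIFIER content octets -> dotted string
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def p12_ciphers(pfx):
    """Return [(what, pbe_oid)] for every encrypted part of a password-mode PFX."""
    _version, auth_safe, *_mac = _children(_tlv(pfx)[1])        # PFX ::= SEQUENCE
    ctype, content = _children(auth_safe[1])                   # authSafe ContentInfo
    assert _oid(ctype[1]) == OID_DATA, "signed (public-key mode) PFX not handled"
    found = []
    for _, ci in _children(_tlv(_children(content[1])[0][1])[1]):  # AuthenticatedSafe
        ctype, content = _children(ci)
        if _oid(ctype[1]) == OID_ENCRYPTED_DATA:               # encrypted SafeContents: certs
            eci = _children(_children(content[1])[0][1])[1][1] # EncryptedContentInfo
            alg = _children(eci)[1][1]                         # contentEncryptionAlgorithm
            found.append(("certificate SafeContents", _oid(_children(alg)[0][1])))
        elif _oid(ctype[1]) == OID_DATA:                       # plain SafeContents: key bags
            for _, bag in _children(_tlv(_children(content[1])[0][1])[1]):
                bag_id, bag_val, *_attrs = _children(bag)
                if _oid(bag_id[1]) == OID_SHROUDED_KEY_BAG:
                    epki = _children(bag_val[1])[0][1]         # EncryptedPrivateKeyInfo
                    alg = _children(epki)[0][1]                # encryptionAlgorithm
                    found.append(("shrouded private key", _oid(_children(alg)[0][1])))
    return found

def weak_ciphers(pfx):  # parts a no-rc2 OpenSSL build cannot decrypt
    return [(what, PBE_NAMES.get(o, o)) for what, o in p12_ciphers(pfx) if o in WEAK_PBE]

# Minimal DER encoder, used only to construct sample bundles for the demo.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _der_oid(dotted):
    a, b, *rest = map(int, dotted.split("."))
    out = bytearray([40 * a + b])
    for arc in rest:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _der(0x06, bytes(out))

def make_pfx(cert_pbe_oid, key_pbe_oid):
    # Constructed sample: real PFX layout and OIDs, placeholder salt and ciphertext.
    seq, octets = (lambda *p: _der(0x30, b"".join(p))), (lambda p: _der(0x04, p))
    ctx0 = lambda p: _der(0xA0, p)  # [0] EXPLICIT
    alg = lambda o: seq(_der_oid(o), seq(octets(b"\x00" * 8), _der(0x02, b"\x08\x00")))  # salt, 2048 iters
    cert_ci = seq(_der_oid(OID_ENCRYPTED_DATA), ctx0(seq(_der(0x02, b"\x00"),
                  seq(_der_oid(OID_DATA), alg(cert_pbe_oid), _der(0x80, b"\xAA" * 16)))))
    key_bag = seq(_der_oid(OID_SHROUDED_KEY_BAG), ctx0(seq(alg(key_pbe_oid), octets(b"\xBB" * 16))))
    key_ci = seq(_der_oid(OID_DATA), ctx0(octets(seq(key_bag))))
    return seq(_der(0x02, b"\x03"), seq(_der_oid(OID_DATA), ctx0(octets(seq(cert_ci, key_ci)))))

if __name__ == "__main__":
    for label, pfx in (("easy-rsa default export", make_pfx(OID_PBE_RC2_40, OID_PBE_3DES)),
                       ("same export with -descert", make_pfx(OID_PBE_3DES, OID_PBE_3DES))):
        print(label)
        for what, oid in p12_ciphers(pfx):
            print(f"  {what}: {PBE_NAMES.get(oid, oid)}", "<- rejected by a no-rc2 OpenSSL" if oid in WEAK_PBE else "")
```

With the openssl 1.x defaults described in comment 4 the first sample reports a 3DES key bag and an RC2-40 certificate container, which is exactly the split that makes the OpenWrt build fail while the key password itself is fine; -descert moves the certificate container to 3DES and both parts then decrypt on the router. OpenSSL 3 exports default to PBES2 with AES-256-CBC, which the parser names as such, so bundles produced there never hit this problem unless -legacy is used.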

comment:5 follow-up: Changed 11 years ago by florian

  • Resolution set to wontfix
  • Status changed from assigned to closed

Since it seems to affect only FC6 users, and it is better to use stronger crypto, we will not delete this cipher from the excluded list.

comment:6 in reply to: ↑ 5 Changed 11 years ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Replying to florian:

Since it seems to affect only FC6 users, and it is better to use stronger crypto, we will not delete this cipher from the excluded list.

Is there a link to some howto for configuring the package? I have exactly the same issue but no access whatsoever to the server to use a stronger encryption. Or can I consider

http://wiki.openwrt.org/BuildingPackagesHowTo

still an authoritative source for building/modifying packages?

I think I have the same problem but don't have access to the OpenVPN server. All I know is it's embcop 0.7beta.

comment:7 Changed 11 years ago by florian

  • Resolution set to wontfix
  • Status changed from reopened to closed

It is pretty easy: you have to edit the openssl makefile located in trunk/package/openssl/Makefile and apply the following patch:

Index: package/openssl/Makefile
===================================================================
--- package/openssl/Makefile    (revision 7958)
+++ package/openssl/Makefile    (working copy)
@@ -58,7 +58,7 @@
 /etc/ssl/openssl.cnf
 endef

-OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc2 no-rc5 no-sha0 no-smime \
+OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-smime \
                                        no-rmd160 no-aes192 no-ripemd no-camellia no-ans1 no-krb5
 OPENSSL_OPTIONS:= shared no-ec no-err no-fips no-hw no-threads zlib-dynamic \
                                        no-engines no-sse2 no-perlasm
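
Review bot: removing `no-rc2` re-enables RC2 in the shared libcrypto/libssl for every consumer on the router, not just OpenVPN, so the 40-bit PBE this hunk is meant to accept becomes available device-wide; if the goal is only to read one FC6-generated bundle, re-exporting it with `-descert` as described in comment 4, or unpacking and re-exporting it on a host whose openssl still has RC2, avoids touching the OpenSSL build at all. If the rebuild is still the intended route, say so in the ticket, because this local Makefile change has to be re-applied on every trunk update, and the hunk is against revision 7958 so the `@@ -58,7 +58,7 @@` offsets may have moved. Unrelated to the change but visible in the unchanged context line, `no-ans1` does not name any OpenSSL algorithm and looks like a typo worth checking separately.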

Then rebuild openssl:

make package/openssl-clean
make package/openssl-compile
