Bug 1081708
Summary: | [REGRESSION] openvpn can't connect to host (SSL3_GET_SERVER_CERTIFICATE) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Igor Gnatenko <ignatenko> |
Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | rawhide | CC: | fedora, gwync, ignatenko, nonamedotc, tmraz |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-04-04 09:28:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Igor Gnatenko
2014-03-27 19:22:06 UTC
Probably the bug is not in openssl, because with openssl-1.0.1e-37.fc21.x86_64 it also doesn't work. I don't know how to debug this issue. openvpn is the same version. I've tried rebuilding ovpn and saw an interesting thing: it can't build, because it has an error like my error.

My $0.02: If it's broken for the same EVR of openssl on 21 that works on f20, there's something different about the two. In addition to trying the openvpn command with gdb and posting a backtrace here, I'd suggest grabbing both RPM files, unpacking them with rpm2cpio and running ldd on the solibs. There may be differences in linked libs or versions of linked libs that might shed light on this.

I suppose the certificate is signed with the use of an MD5 hash. This was disabled in Rawhide as certificates signed with MD5 hashes are not secure. Please update your certificates to be signed with at least SHA1 or even better SHA256.

(In reply to Tomas Mraz from comment #4)
> I suppose the certificate is signed with the use of an MD5 hash. This was disabled
> in Rawhide as certificates signed with MD5 hashes are not secure. Please
> update your certificates to be signed with at least SHA1 or even better
> SHA256.

How can I check this case? I can't find whether it is possible to use SHA1 or SHA256 in smoothwall...

You need to get the peer certificate saved into a cert.pem file and then you can find out with the command:

```
openssl x509 -in cert.pem -text -noout | grep Algorithm
```

```
$ openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10708266483781753264 (0x949b67a1d60859b0)
    Signature Algorithm: sha1WithRSAEncryption
[truncated]
```

But servercert.pem (I think it is downloaded from the server automatically) has md5.

```
$ openssl x509 -in servercert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: md5WithRSAEncryption
[truncated]
```

Yes, that's a problem. Recreate it with sha1 or sha256.

(In reply to Tomas Mraz from comment #9)
> Yes, that's a problem. Recreate it with sha1 or sha256.

Thank you for detecting the problem. I'm a newbie in certificates, but I couldn't find this setting in smoothwall and couldn't find more info about that on google. Probably I can generate it from my local PC and upload it to the gateway?

You need to have the certificate signed with the key of the CA certificate. Unfortunately I do not know much about your gateway setup and whether you have access to the CA certificate private key etc. The openssl package contains the 'openssl ca' command to sign server certificates with a CA cert/key.

Yeah. I've changed our infrastructure to use sha256 and it's working again. Thank you for discovering the place of the bug and proposing a fix. I don't know what to do with this bug. Close it if you want ;)

Would it be possible to get better error messages from OpenSSL/OpenVPN here (something about the signature type being unsupported) at least?
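As an added illustration that is not part of the bug report: the check suggested in the thread, `openssl x509 -in cert.pem -text -noout | grep Algorithm`, reads the certificate's outer signatureAlgorithm field. The Python below does the same directly from the DER, so a peer certificate signed with md5WithRSAEncryption can be flagged without the openssl binary; the sample certificates are constructed shells carrying only that field, and the function names are my own, not OpenSSL's or OpenVPN's.

```python
import base64
import re
# OIDs of the RSA signature algorithms seen in the report (RFC 3279/4055).
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"md5WithRSAEncryption"}          # rejected by the Rawhide openssl build

def der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes carry length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """(name, is_weak) of Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    der = base64.b64decode(re.sub(r"-----[^-]*-----|\s", "", pem))
    tag, cert, _ = der_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = der_tlv(cert, 0)         # skip tbsCertificate
    _, algid, _ = der_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(algid, 0)        # its OBJECT IDENTIFIER
    name = SIG_OIDS.get(decode_oid(oid), decode_oid(oid))
    return name, name in WEAK

def _tlv(tag, body):                     # tiny DER encoder for test input only
    return bytes([tag, len(body)]) + body

def constructed_pem(oid_hex):
    """Constructed sample, not a real cert: empty tbs, empty signature."""
    algid = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, b"") + algid + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % (
        base64.encodebytes(der).decode())

MD5_SAMPLE = constructed_pem("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_SAMPLE = constructed_pem("2a864886f70d01010b")  # sha256WithRSAEncryption
```

On a real PEM file, `signature_algorithm(open("servercert.pem").read())` returns the same algorithm name that the `grep Algorithm` line in the thread prints.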