Bug 1160818

Summary: cannot connect with md5 signed certificates even with the openssl workaround
Product: Fedora
Component: NetworkManager-openvpn
Version: 21
Hardware: i686
OS: Linux
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Zoltan Kota <zoltank>
Assignee: Dan Williams <dcbw>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: choeger, dcbw, huzaifas, ikke, psimerda, steve, thaller
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-11-21 09:56:37 UTC

Description Zoltan Kota 2014-11-05 17:30:27 UTC
Description of problem:

OpenSSL was patched in F21 to disallow verification of certificates that are signed with the MD5 algorithm. Certificates signed with the MD5 algorithm are not present on public https web sites anymore, but they can still be in use on private networks or used for authentication on openvpn based VPNs such as in bug 1157260. As a temporary measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with the MD5 algorithm.

I've tried to apply the environment variable workaround for NetworkManager, but it does not work for me.

In a virtual machine with F20 I updated the F20 openssl-1.0.1e-40.fc20 to openssl-1.0.1e-40.fc21. After the update I get the error as expected. But after adding 'Environment="OPENSSL_ENABLE_MD5_VERIFY=1"' to /usr/lib/systemd/system/NetworkManager.service the openvpn connection started to work.

The same change under F21 does not help, I still get the error.

I don't know if it is a NetworkManager or systemd issue, or something else.  

See also bug #1157260.

Comment 1 Zoltan Kota 2014-11-06 08:47:05 UTC
Some additional info:

In a terminal, after setting the above environment variable (export OPENSSL_ENABLE_MD5_VERIFY=1), starting openvpn directly (openvpn --config myconfig) seems to accept the certificate. If I start it with systemctl (systemctl start openvpn@myconfig) I get the error message and it doesn't connect.

Comment 2 Zoltan Kota 2014-11-21 09:56:37 UTC
Finally I managed to get it to work. I don't really know what the problem was. I reconfigured NetworkManager and friends, and in the meantime I applied F21 updates... So, adding 'Environment="OPENSSL_ENABLE_MD5_VERIFY=1"' to /usr/lib/systemd/system/NetworkManager.service allows the connection for NetworkManager.
Thus the bug can be closed I think.

Comment 3 Ilkka Tengvall 2014-12-16 21:33:29 UTC
Zoltan, it would be great to know what fixed it for you, since it doesn't work for me on two different machines. The difference in my case was I copied the /usr/lib... file to /etc/systemd/system and modified it instead. I can see the variable gets set to network manager and openvpn, but it won't work.

Comment 4 Ilkka Tengvall 2014-12-16 21:36:21 UTC
and btw, adding it on command line does the trick. So the gui startup of openvpn tunnel via network-manager won't work, to be more precise.
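
The comments above turn on whether OPENSSL_ENABLE_MD5_VERIFY actually reaches the daemons when they are started by systemd rather than from a terminal. The script below is an added diagnostic, not part of the original bug report: it reads /proc/PID/environ to show what each running process was started with. The process names it looks for are assumptions about what runs on the host.

```sh
#!/bin/sh
# Added example (Linux only): show whether running processes were started
# with OPENSSL_ENABLE_MD5_VERIFY in their environment, using /proc.
# Reading another user's /proc/PID/environ requires root.

VAR_NAME="OPENSSL_ENABLE_MD5_VERIFY"

# proc_env_value PID NAME
# Prints the value NAME had when PID was exec'd.
# Returns 0 if set, 1 if not set, 2 if environ cannot be read.
proc_env_value() {
    pev_file="/proc/$1/environ"
    [ -r "$pev_file" ] || return 2
    # environ is a NUL-separated list of NAME=value entries
    pev_entry=$(tr '\0' '\n' < "$pev_file" | grep "^$2=" | head -n 1)
    [ -n "$pev_entry" ] || return 1
    printf '%s\n' "${pev_entry#*=}"
}

# report_processes COMM...
# Prints "<pid> <comm> <state>" for every process whose command name matches.
report_processes() {
    for rp_dir in /proc/[0-9]*; do
        rp_pid=${rp_dir#/proc/}
        rp_comm=$(cat "$rp_dir/comm" 2>/dev/null) || continue
        for rp_want in "$@"; do
            [ "$rp_comm" = "$rp_want" ] || continue
            rp_val=$(proc_env_value "$rp_pid" "$VAR_NAME") && rp_rc=0 || rp_rc=$?
            case $rp_rc in
                0) echo "$rp_pid $rp_comm $VAR_NAME=$rp_val" ;;
                1) echo "$rp_pid $rp_comm $VAR_NAME unset" ;;
                *) echo "$rp_pid $rp_comm environ unreadable" ;;
            esac
        done
    done
}

# Assumed process names; the kernel truncates comm to 15 characters,
# so nm-openvpn-service appears as nm-openvpn-serv.
report_processes NetworkManager openvpn nm-openvpn-serv
```

Run it as root while the VPN connection attempt is in progress. After editing a unit file, systemd only applies the new Environment= line once `systemctl daemon-reload` has been run and the service restarted.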