Bug 1174915

Summary: OPENSSL_ENABLE_MD5_VERIFY can not be used with NetworkManager & OpenVPN to re-enable MD5 certificate verification
Product: Fedora
Reporter: Jarkko Oranen <oranenj>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 21
CC: bbaetz, dominick.grift, dwalsh, ikke, jolebole, luf, lvrabec, mads, mgrepl, plautrba, redhat-bugzilla, sander, tmraz, voj-tech, zoltank
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Last Closed: 2015-01-30 23:54:43 UTC
Type: Bug

Description Jarkko Oranen 2014-12-16 18:05:41 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Jarkko Oranen 2014-12-16 18:06:40 UTC
Eh, I accidentally pressed enter and submitted the bug before filling it out. Give me a moment, I'll see if I can fix it.

Comment 2 Jarkko Oranen 2014-12-16 18:20:18 UTC
Looks like I can't.

Anyway, the issue is as follows:

1) MD5 was disabled by default in Fedora 21 and an environment variable was introduced to re-enable it in OpenSSL. This broke my ability to connect to an OpenVPN server which unfortunately uses an old certificate.

2) Putting the environment variable in a systemd config drop-in is ineffective because openssl uses secure_getenv and the process context change from NetworkManager_t to openvpn_t causes AT_SECURE to be set.


I've worked around the issue with a simple SELinux policy addition:

allow NetworkManager_t openvpn_t:process { noatsecure };

Other services launched by NetworkManager are likely similarly affected.

With this loaded, the environment variable works and I can connect to the insecure server again.

Fixing this directly in NetworkManager or the VPN plugin by allowing some way of defining environment variables may be a good option as well, but I don't have a preference.
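A small diagnostic for the mechanism Jarkko describes, added here as an example (not code from the bug report, OpenSSL or the selinux-policy project): it reads the AT_SECURE flag from the auxiliary vector and mirrors glibc's secure_getenv() rule, so run from inside the transitioned domain it tells you whether the variable is absent or merely hidden. Helper names are my own.

```c
/* Diagnostic for the AT_SECURE / secure_getenv() behaviour described above.
 * Added example, not code from the bug report or from OpenSSL. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16) */

#define MD5_VAR "OPENSSL_ENABLE_MD5_VERIFY"   /* the variable from the report */

/* Non-zero when the kernel marked this process "secure": set after a
 * setuid/setgid exec, and by SELinux on a domain transition unless the
 * parent domain is allowed noatsecure on the child domain. */
int process_is_at_secure(void) {
    return getauxval(AT_SECURE) != 0;
}

/* Mirrors glibc's secure_getenv(): the variable is reported as absent
 * whenever AT_SECURE is set, even though it is in the environment. */
const char *env_as_openssl_sees_it(const char *name) {
    return process_is_at_secure() ? NULL : getenv(name);
}

/* 0 = visible to OpenSSL, 1 = not set at all,
 * 2 = set in the environment but hidden by AT_SECURE */
int diagnose(const char *name) {
    if (getenv(name) == NULL)
        return 1;
    if (env_as_openssl_sees_it(name) == NULL)
        return 2;
    return 0;
}

int main(void) {
    int rc = diagnose(MD5_VAR);
    static const char *msg[] = {
        "visible: OpenSSL would honour it",
        "not set in this environment",
        "set, but hidden because AT_SECURE=1 (secure_getenv returns NULL)",
    };
    printf("AT_SECURE=%d %s: %s\n", process_is_at_secure(), MD5_VAR, msg[rc]);
    return rc;
}
```

Exit status 2 is the case from this report: the drop-in did its job, but the domain transition hid the variable from OpenSSL.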

Comment 3 Ilkka Tengvall 2014-12-23 07:48:14 UTC
*** Bug 1175481 has been marked as a duplicate of this bug. ***

Comment 4 Ilkka Tengvall 2014-12-23 07:53:54 UTC
I closed the bug report of mine as a duplicate of this issue, as Jarkko already has a proposed bugfix in this report.

Comment 5 Daniel Walsh 2014-12-23 19:10:57 UTC
61ebb1a659e4f2a9f1f7ad017b1b4e264593515a adds the rule for openvpn.

Comment 6 Steve 2015-01-08 13:24:20 UTC
So I'm confused - is this already fixed? Or how long does it take for the fix to propagate into the distro?

Comment 7 Daniel Walsh 2015-01-08 16:02:43 UTC
Fixed in Fedora stream

Comment 8 Steve 2015-01-08 16:07:31 UTC
Ahh. Thanks Daniel!

Comment 9 Lukas Vrabec 2015-01-15 14:38:09 UTC
commit 98e82178721238e515c8f38be2ab403125230cdd
Author: Dan Walsh <dwalsh>
Date:   Tue Dec 23 14:10:14 2014 -0500

    Allow NetworkManager to noatsecure openvpn

Comment 10 Fedora Update System 2015-01-27 16:49:19 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 11 Ilkka Tengvall 2015-01-28 12:25:43 UTC
I can verify it works on my f21, thanks. I downloaded it from koji.

Comment 12 Fedora Update System 2015-01-30 04:32:16 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-01-30 23:54:43 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Ludek Finstrle 2015-05-05 08:12:25 UTC
Hi,

exactly the same problem is in CentOS 7.1. Do I need to create a new bug for it?

Thanks,

Luf

Comment 15 Piotr Dobrogost 2016-04-01 12:23:04 UTC
I'm observing this problem when running OpenVPN as a systemd service in Fedora 24.
Could anyone tell us if the fix for OpenVPN from comment #5 (commit 61ebb1a659e4f2a9f1f7ad017b1b4e264593515a) was reverted in the meantime?

Comment 16 goranj 2016-06-29 20:56:51 UTC
SELinux blocks the OpenVPN client in Fedora 24. After stopping SELinux, OpenVPN clients fail to connect with this error message:

VERIFY ERROR: depth=0, error=certificate signature failure: C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Comment 17 Tomas Mraz 2016-06-30 07:09:48 UTC
Just use certificates with SHA256 signature and not MD5.

Comment 18 goranj 2016-06-30 20:25:51 UTC
(In reply to Tomas Mraz from comment #17)
> Just use certificates with SHA256 signature and not MD5.

Thank you for your response sir

Comment 19 goranj 2016-06-30 20:26:14 UTC
(In reply to Tomas Mraz from comment #17)
> Just use certificates with SHA256 signature and not MD5.

Thank you for your response sir

Comment 20 Mads Kiilerich 2017-04-19 22:10:30 UTC
Note that this workaround also doesn't work in Fedora 26 - https://bugzilla.redhat.com/show_bug.cgi?id=1443749