Bug 1174915
| Summary: | OPENSSL_ENABLE_MD5_VERIFY can not be used with NetworkManager & OpenVPN to re-enable MD5 certificate verification | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jarkko Oranen <oranenj> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 21 | CC: | bbaetz, dominick.grift, dwalsh, ikke, jolebole, luf, lvrabec, mads, mgrepl, plautrba, redhat-bugzilla, sander, tmraz, voj-tech, zoltank |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-105.fc21 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-30 23:54:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jarkko Oranen
2014-12-16 18:05:41 UTC
Eh, I accidentally pressed enter and submitted the bug before filling it out. Give me a moment, I'll see if I can fix it. Looks like I can't. Anyway, the issue is as follows:

1) MD5 was disabled by default in Fedora 21 and an environment variable was introduced to re-enable it in OpenSSL. This broke my ability to connect to an OpenVPN server which unfortunately uses an old certificate.

2) Putting the environment variable in a systemd config drop-in is ineffective because openssl uses secure_getenv and the process context change from NetworkManager_t to openvpn_t causes AT_SECURE to be set.

I've worked around the issue with a simple SELinux policy addition:

```
allow NetworkManager_t openvpn_t:process { noatsecure };
```

Other services launched by NetworkManager are likely similarly affected. With this loaded, the environment variable works and I can connect to the insecure server again. Fixing this directly in NetworkManager or the VPN plugin by allowing some way of defining environment variables may be a good option as well, but I don't have a preference.

*** Bug 1175481 has been marked as a duplicate of this bug. ***

I closed the bug report of mine as a duplicate of this issue, as Jarkko already has a proposed bugfix in this report.

61ebb1a659e4f2a9f1f7ad017b1b4e264593515a adds the rule for openvpn.

So I'm confused: is this already fixed? Or how long does it take for the fix to propagate into the distro?

Fixed in Fedora stream

Ahh. Thanks Daniel!

```
commit 98e82178721238e515c8f38be2ab403125230cdd
Author: Dan Walsh <dwalsh>
Date:   Tue Dec 23 14:10:14 2014 -0500

    Allow NetworkManager to noatsecure openvpn
```

selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

I can verify it works on my f21, thanks. I downloaded it from koji.
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21 then log in and leave karma (feedback).

selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Hi, exactly the same problem is in CentOS 7.1. Do I need to create a new bug for it? Thanks, Luf

I'm observing this problem when running OpenVPN as a systemd service in Fedora 24. Could anyone tell us if the fix for OpenVPN from comment #5 (commit 61ebb1a659e4f2a9f1f7ad017b1b4e264593515a) was reverted in the meantime?

SELinux blocks the OpenVPN client in Fedora 24. After stopping SELinux, OpenVPN clients fail to connect with this error message:

```
VERIFY ERROR: depth=0, error=certificate signature failure: C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
```

Just use certificates with SHA256 signature and not MD5.

(In reply to Tomas Mraz from comment #17)
> Just use certificates with SHA256 signature and not MD5.

Thank you for your response sir

Note that this workaround also doesn't work in Fedora 26 - https://bugzilla.redhat.com/show_bug.cgi?id=1443749
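The description explains why the systemd drop-in had no effect: OpenSSL reads the variable with secure_getenv(), which glibc makes return NULL whenever the kernel set AT_SECURE for the process, and a SELinux domain transition without process:noatsecure does exactly that. The following program is an added example, not code from this bug report or from Fedora, that makes the difference between getenv() and secure_getenv() observable and can be run inside a service unit to check whether its override would be honoured; the function names are the example's own and it assumes glibc on Linux.

```c
#define _GNU_SOURCE          /* needed for secure_getenv() in glibc */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>        /* getauxval(), AT_SECURE */

/* Prototype repeated in case stdlib.h was already included without _GNU_SOURCE. */
extern char *secure_getenv(const char *name);

/* The override OpenSSL reads through secure_getenv() (name from the bug report). */
#define MD5_OVERRIDE_VAR "OPENSSL_ENABLE_MD5_VERIFY"

/* 1 when the kernel flagged this process as a "secure exec": a setuid/setgid or
 * capability-granting binary, or a SELinux domain transition (here
 * NetworkManager_t -> openvpn_t) where the source domain lacks
 * process:noatsecure on the target domain. */
int running_at_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* What OpenSSL effectively sees: glibc's secure_getenv() returns NULL whenever
 * AT_SECURE is set, so an Environment= line in a systemd drop-in is silently
 * dropped in exactly the case the reporter hit. */
const char *override_seen_by_openssl(void)
{
    return secure_getenv(MD5_OVERRIDE_VAR);
}

/* What a plain getenv() sees: the variable really is in the environment. */
const char *override_seen_by_getenv(void)
{
    return getenv(MD5_OVERRIDE_VAR);
}

/* 1 if the override is present AND would be honoured by OpenSSL. */
int md5_override_effective(void)
{
    const char *v = override_seen_by_openssl();
    return v != NULL && v[0] != '\0';
}

int main(void)
{
    /* Constructed input: set the variable in our own environment, as the
     * systemd drop-in would for the openvpn process. */
    setenv(MD5_OVERRIDE_VAR, "1", 1);
    printf("AT_SECURE set        : %s\n", running_at_secure() ? "yes" : "no");
    printf("getenv sees var      : %s\n", override_seen_by_getenv() ? "yes" : "no");
    printf("secure_getenv sees it: %s\n", override_seen_by_openssl() ? "yes" : "no");
    printf("override effective   : %s\n", md5_override_effective() ? "yes" : "no");
    return 0;
}
```

Run from a normal shell the last two lines print "yes"; run as the openvpn service on a policy without the noatsecure rule, AT_SECURE is set and secure_getenv() hides the variable while getenv() still shows it.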