Bug 1175481
Summary: | MD5 certs prevent openvpn connection | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ilkka Tengvall <ikke> |
Component: | NetworkManager-openvpn | Assignee: | Dan Williams <dcbw> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 21 | CC: | bugzilla, choeger, dcbw, huzaifas, psimerda, steve, stmagna, thaller, tmraz, zoltank |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-12-23 07:48:14 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ilkka Tengvall
2014-12-17 20:02:23 UTC
There is a comment about secure_getenv possibly having an effect on this: https://bugzilla.redhat.com/show_bug.cgi?id=1157260#c17

To clarify comment#1, myself and others have verified that the environment variable is being set properly (via /proc/<pid>/environ) however the workaround is not being activated. Additionally, forcing the workaround by patching openssl DOES work. Also, the same workaround works for other applications or when launching openvpn standalone.

So secure_getenv must be not returning anything. It returns NULL when (from the manpage):

* the process's effective user ID did not match its real user ID or the process's effective group ID did not match its real group ID (typically this is the result of executing a set-user-ID or set-group-ID program);
* the effective capability bit was set on the executable file; or
* the process has a nonempty permitted capability set.

So one of these must be happening when run under NetworkManager (and not from command line usage). Anyone in NM camp know about these three possibilities?

+1. I ran into exactly the same issue and attempted exactly the same troubleshooting steps as Ilkka Tengvall. Our system engineers are promising to regenerate certificates with SHA256 - but I don't know when they will get around to doing so.

bug#1174915 is a duplicate but provides the correct fix and fuller analysis of the problem. This should be marked dup of that and the NetworkManager / selinux policy team should address this issue please.

Yes, we truly have lousy communications within the company, Jarkko and I are colleagues :) If it works for Jarkko, it works for me. We can close this ticket.

*** This bug has been marked as a duplicate of bug 1174915 ***
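A small diagnostic for the secure_getenv behaviour discussed in this thread, added here as an example and not code from the bug report, NetworkManager, openvpn or openssl: run from inside the affected process context, it compares getenv() with secure_getenv() and reports real/effective ID mismatches and the kernel's AT_SECURE flag. The variable name EXAMPLE_WORKAROUND_VAR is a placeholder, and reading AT_SECURE through getauxval() assumes Linux with glibc.

```c
#define _GNU_SOURCE          /* exposes secure_getenv() in <stdlib.h> */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Explicit prototype so the block also compiles if _GNU_SOURCE came too late. */
extern char *secure_getenv(const char *name);

enum { MISMATCH_UID = 1, MISMATCH_GID = 2, SECURE_EXEC = 4 };

/* Classify why secure_getenv() would return NULL. Takes explicit values so
 * it can be checked with constructed inputs as well as the live process. */
int secure_mode_reasons(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                        unsigned long at_secure)
{
    int reasons = 0;
    if (ruid != euid) reasons |= MISMATCH_UID;   /* set-user-ID style exec */
    if (rgid != egid) reasons |= MISMATCH_GID;   /* set-group-ID style exec */
    if (at_secure)    reasons |= SECURE_EXEC;    /* kernel flagged this exec */
    return reasons;
}

/* Reasons for the current process. AT_SECURE is the per-exec flag the kernel
 * passes in the auxiliary vector; it also reflects file capabilities and
 * security-module decisions that the UID/GID comparison cannot see. */
int current_reasons(void)
{
    return secure_mode_reasons(getuid(), geteuid(), getgid(), getegid(),
                               getauxval(AT_SECURE));
}

/* 1 if the variable is present in the environment but secure_getenv()
 * hides it, which is the symptom described in this report. */
int hidden_by_secure_mode(const char *name)
{
    return getenv(name) != NULL && secure_getenv(name) == NULL;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "EXAMPLE_WORKAROUND_VAR"; /* placeholder */
    int r = current_reasons();
    printf("uid mismatch=%d gid mismatch=%d AT_SECURE=%d\n",
           !!(r & MISMATCH_UID), !!(r & MISMATCH_GID), !!(r & SECURE_EXEC));
    printf("%s: getenv=%s secure_getenv=%s\n", name,
           getenv(name) ? "set" : "unset",
           secure_getenv(name) ? "visible" : "NULL");
    return hidden_by_secure_mode(name);   /* exit status 1 = variable hidden */
}
```

A variable that shows as set under getenv but NULL under secure_getenv, with matching IDs and AT_SECURE=1, points at how the process was executed rather than at the environment itself.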