Description of problem:

Version-Release number of selected component (if applicable):
openssl-1.0.1e-42.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1. openvpn --config DPiOOS.ovpn

Actual results:
Thu Mar 27 23:20:40 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Thu Mar 27 23:20:40 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Enter Auth Username:i.gnatenko
Enter Auth Password:
Thu Mar 27 23:20:46 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Mar 27 23:20:46 2014 Attempting to establish TCP connection with [AF_INET]31.13.63.142:443 [nonblock]
Thu Mar 27 23:20:47 2014 TCP connection established with [AF_INET]31.13.63.142:443
Thu Mar 27 23:20:47 2014 TCPv4_CLIENT link local: [undef]
Thu Mar 27 23:20:47 2014 TCPv4_CLIENT link remote: [AF_INET]31.13.63.142:443
Thu Mar 27 23:20:47 2014 TLS: Initial packet from [AF_INET]31.13.63.142:443, sid=2d5f2a76 abb95477
Thu Mar 27 23:20:47 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 27 23:20:47 2014 VERIFY OK: depth=1, /CN=depart/O=depgup/ST=russia/OU=IT/emailAddress=admin/C=RU/L=moscow
Thu Mar 27 23:20:47 2014 VERIFY ERROR: depth=0, error=certificate signature failure: /C=RU/ST=russia/L=moscow/O=depgup/OU=IT/CN=certdepb
Thu Mar 27 23:20:47 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Mar 27 23:20:47 2014 TLS Error: TLS object -> incoming plaintext read error
Thu Mar 27 23:20:47 2014 TLS Error: TLS handshake failed
Thu Mar 27 23:20:47 2014 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 27 23:20:47 2014 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 27 23:20:47 2014 Restart pause, 5 second(s)

Expected results:
Connection establishing OK.

Additional info:
It works for me on F20 with openssl-1.0.1e-37.fc20.x86_64
Probably the bug is not in openssl, because with openssl-1.0.1e-37.fc21.x86_64 it also doesn't work. I don't know how to debug this issue. openvpn is the same version.
I've tried rebuilding ovpn and saw an interesting thing: it can't build, because it has an error like my error.
My $0.02: If it's broken for the same EVR of openssl on 21 that works on f20, there's something different about the two. In addition to trying the openvpn command with gdb and posting a backtrace here, I'd suggest grabbing both RPM files, unpacking them with rpm2cpio and running ldd on the solibs. There may be differences in linked libs or versions of linked libs that might shed light on this.
I suppose the certificate is signed using an MD5 hash. This was disabled in Rawhide as certificates signed with MD5 hashes are not secure. Please update your certificates to be signed with at least SHA1 or, even better, SHA256.
(In reply to Tomas Mraz from comment #4)
> I suppose the certificate is signed with use of MD5 hash. This was disabled
> in Rawhide as certificates signed with MD5 hashes are not secure. Please
> update your certificates to be signed with at least SHA1 or even better
> SHA256.

How can I check this case? I can't find whether it is possible to use SHA1 or SHA256 in smoothwall...
You need to get the peer certificate saved into a cert.pem file and then you can find out with the command:

openssl x509 -in cert.pem -text -noout | grep Algorithm
$ openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10708266483781753264 (0x949b67a1d60859b0)
    Signature Algorithm: sha1WithRSAEncryption
[truncated]
But servercert.pem (I think it is downloaded from the server automatically) has md5.

$ openssl x509 -in servercert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: md5WithRSAEncryption
[truncated]
Yes, that's a problem. Recreate it with sha1 or sha256.
(In reply to Tomas Mraz from comment #9)
> Yes, that's a problem. Recreate it with sha1 or sha256.

Thank you for detecting the problem. I'm a newbie with certificates, but I couldn't find this setting in smoothwall and couldn't find more info about it on google. Probably I can generate it from my local PC and upload it to the gateway?
You need to have the certificate signed with the key of the CA certificate. Unfortunately I do not know much about your gateway setup and whether you have access to the CA certificate private key etc. The openssl package contains the 'openssl ca' command to sign server certificates with CA cert/key.
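As an added example (not part of this bug thread, and not the reporter's gateway setup), the script below does what the two comments above describe: it creates a CA, signs a server certificate with the CA key using SHA-256, and then reads the signature algorithm back with `openssl x509 -text`, classifying an MD5-signed certificate as weak. Every subject, file name and the temporary working directory is constructed; the only assumption is that the openssl command-line tool is on PATH (the script uses `openssl x509 -req` rather than `openssl ca` so it needs no CA config file).

```shell
#!/bin/sh
# Added example: recreate a server certificate with a SHA-256 signature and
# check the signature algorithm the way the thread does. All names constructed.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sig_alg <cert.pem>: print the certificate's signature algorithm
# (first "Signature Algorithm:" line of the -text output)
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# classify_sig_alg <algorithm-name>: "weak" for MD5-based signatures, else "ok"
classify_sig_alg() {
    case "$1" in
        md5*) echo "weak" ;;
        *)    echo "ok" ;;
    esac
}

# check_cert <cert.pem>: classify the certificate on disk
check_cert() {
    classify_sig_alg "$(sig_alg "$1")"
}

# make_ca <dir>: self-signed CA key and certificate (constructed subject)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=XX/O=Example CA/CN=example-ca" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# make_server_cert <dir> <digest>: server key + CSR, signed by the CA with <digest>
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=XX/O=Example/CN=vpn.example.invalid" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -days 365 "-$2" -out "$1/servercert.pem" 2>/dev/null
}

# verify_chain <dir>: "OK" if servercert.pem verifies against cacert.pem, else "FAIL"
verify_chain() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "FAIL"
    fi
}

make_ca "$WORK"
make_server_cert "$WORK" sha256
echo "servercert.pem signature algorithm: $(sig_alg "$WORK/servercert.pem")"
echo "signature check: $(check_cert "$WORK/servercert.pem")"
echo "chain verification: $(verify_chain "$WORK")"
```

On a gateway the same `sig_alg`/`check_cert` step applied to the downloaded servercert.pem is the quick way to confirm whether the replacement certificate actually carries a SHA-1 or SHA-256 signature before reconnecting.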
Yeah. I've changed our infrastructure to use sha256 and it's working again. Thank you for discovering the location of the bug and proposing a fix. I don't know what to do with this bug. Close it if you want ;)
Would it be possible to get better error messages from OpenSSL/OpenVPN here (something about the signature type being unsupported) at least?