Bug 1160818 - cannot connect with md5 signed certificates even with the openssl workaround
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 21
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-11-05 17:30 UTC by Zoltan Kota
Modified: 2014-12-16 21:36 UTC
Last Closed: 2014-11-21 09:56:37 UTC



Description Zoltan Kota 2014-11-05 17:30:27 UTC
Description of problem:

OpenSSL was patched in F21 to disallow verification of certificates that are signed with the MD5 algorithm. Certificates signed with the MD5 algorithm are not present on public https web sites anymore, but they can still be in use on private networks or used for authentication on openvpn based VPNs such as in bug 1157260. As a temporary measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with the MD5 algorithm.

I've tried to apply the environment variable workaround for NetworkManager, but it does not work for me.

In a virtual machine with F20 I updated the F20 openssl-1.0.1e-40.fc20 to openssl-1.0.1e-40.fc21. After the update I get the error as expected. But after adding 'Environment="OPENSSL_ENABLE_MD5_VERIFY=1"' to /usr/lib/systemd/system/NetworkManager.service the openvpn connection started to work.

The same change under F21 does not help, I still get the error.

I don't know if it is a NetworkManager or systemd issue, or something else.  

See also bug #1157260.

Comment 1 Zoltan Kota 2014-11-06 08:47:05 UTC
Some additional info:

In a terminal, after setting the above environment variable (export OPENSSL_ENABLE_MD5_VERIFY=1), starting openvpn directly (openvpn --config myconfig) seems to accept the certificate. If I start it with systemctl (systemctl start openvpn@myconfig) I get the error message and it doesn't connect.

Comment 2 Zoltan Kota 2014-11-21 09:56:37 UTC
Finally I managed to get it to work. I don't really know what the problem was. I reconfigured NetworkManager and friends, and in the meantime I applied F21 updates... So, adding 'Environment="OPENSSL_ENABLE_MD5_VERIFY=1"' to /usr/lib/systemd/system/NetworkManager.service allows the connection for NetworkManager.
Thus the bug can be closed, I think.

Comment 3 Ilkka Tengvall 2014-12-16 21:33:29 UTC
Zoltan, it would be great to know what fixed it for you, since it doesn't work for me on two different machines. The difference in my case was I copied the /usr/lib... file to /etc/systemd/system and modified it instead. I can see the variable gets set to network manager and openvpn, but it won't work.

Comment 4 Ilkka Tengvall 2014-12-16 21:36:21 UTC
And btw, adding it on the command line does the trick. So the GUI startup of the openvpn tunnel via network-manager won't work, to be more precise.
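
One way to check what comments 1, 3 and 4 describe (the variable taking effect for some openvpn processes and not others), as an added example that is not part of the original bug thread: the script reads `/proc/<pid>/environ` for each named process and reports whether the variable is actually present there. The function names `environ_value` and `report_process_env` are hypothetical, and reading another user's environ file is assumed to require root.

```shell
#!/bin/sh
# Added example (not from the bug report): show whether a variable reached
# the environment of running processes such as NetworkManager or openvpn.
VAR_NAME="OPENSSL_ENABLE_MD5_VERIFY"

# environ_value FILE NAME
# FILE is NUL-separated like /proc/<pid>/environ. Prints the value of NAME.
# Returns 0 if NAME is set, 1 if it is not, 2 if FILE cannot be read.
# Limitation: a value containing a newline is treated as several entries.
environ_value() {
    file=$1; name=$2
    [ -r "$file" ] || return 2
    # Match only entries that start with "NAME=" so that a longer variable
    # name ending in NAME does not count as a hit.
    tr '\0' '\n' < "$file" | awk -v n="$name" '
        index($0, n "=") == 1 { print substr($0, length(n) + 2); found = 1; exit }
        END { exit(found ? 0 : 1) }'
}

# report_process_env PROCESS_NAME
# Reports, for every running process with exactly that name, whether
# VAR_NAME is in the environment the process was started with.
report_process_env() {
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        if val=$(environ_value "/proc/$pid/environ" "$VAR_NAME"); then
            echo "$1[$pid]: $VAR_NAME=$val"
        else
            case $? in
                1) echo "$1[$pid]: $VAR_NAME is not set" ;;
                *) echo "$1[$pid]: environ not readable (try as root)" ;;
            esac
        fi
    done
}

# Usage: sh check_env.sh NetworkManager openvpn
for name in "$@"; do
    report_process_env "$name"
done
```

Running it once after a command-line start and once after a start through NetworkManager shows which openvpn process was launched without the variable.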

