Bug 1174915 - OPENSSL_ENABLE_MD5_VERIFY can not be used with NetworkManager & OpenVPN to re-enable MD5 certificate verification
Summary: OPENSSL_ENABLE_MD5_VERIFY can not be used with NetworkManager & OpenVPN to re...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Duplicates: 1175481
Depends On:
Blocks:
Reported: 2014-12-16 18:05 UTC by Jarkko Oranen
Modified: 2017-04-19 22:10 UTC (History)
CC: 15 users
Clone Of:
Last Closed: 2015-01-30 23:54:43 UTC



Description Jarkko Oranen 2014-12-16 18:05:41 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Jarkko Oranen 2014-12-16 18:06:40 UTC
Eh, I accidentally pressed enter and submitted the bug before filling it out. Give me a moment, I'll see if I can fix it.

Comment 2 Jarkko Oranen 2014-12-16 18:20:18 UTC
Looks like I can't.

Anyway, the issue is as follows:

1) MD5 was disabled by default in Fedora 21 and an environment variable was introduced to re-enable it in OpenSSL. This broke my ability to connect to an OpenVPN server which unfortunately uses an old certificate.

2) Putting the environment variable in a systemd config drop-in is ineffective because openssl uses secure_getenv and the process context change from NetworkManager_t to openvpn_t causes AT_SECURE to be set.


I've worked around the issue with a simple SELinux policy addition:

allow NetworkManager_t openvpn_t:process { noatsecure };

Other services launched by NetworkManager are likely similarly affected.

With this loaded, the environment variable works and I can connect to the insecure server again.

Fixing this directly in NetworkManager or the VPN plugin by allowing some way of defining environment variables may be a good option as well, but I don't have a preference.
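
A small diagnostic, added here and not part of the bug report or of OpenSSL, NetworkManager or OpenVPN, that shows the mechanism described in this comment: OpenSSL reads OPENSSL_ENABLE_MD5_VERIFY through secure_getenv(), which returns NULL whenever the kernel has set AT_SECURE for the process (as happens on the NetworkManager_t to openvpn_t transition without the noatsecure permission), so the variable can be present in environ yet invisible to OpenSSL. The function names are assumptions; run it from the service's context to see which of the three states applies.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>

/* glibc prototype, declared explicitly so the build does not depend on feature macros. */
extern char *secure_getenv(const char *name);

/* Hypothetical name for the variable under discussion. */
#define MD5_VAR "OPENSSL_ENABLE_MD5_VERIFY"

/* Returns 1 if the kernel marked this process "secure" (AT_SECURE in the auxiliary
 * vector), which happens after a setuid/setgid or file-capability exec and after an
 * SELinux domain transition that lacks the noatsecure permission. */
int process_is_at_secure(void) {
    return getauxval(AT_SECURE) != 0;
}

/* Mirrors how OpenSSL looks the variable up: secure_getenv() ignores environ
 * entirely when AT_SECURE is set. Returns 1 if OpenSSL would honour the variable. */
int md5_override_visible_to_openssl(void) {
    return secure_getenv(MD5_VAR) != NULL;
}

/* 0 = not set, 1 = set and visible to OpenSSL,
 * 2 = present in environ but hidden because AT_SECURE is set. */
int diagnose_md5_override(void) {
    int in_environ = getenv(MD5_VAR) != NULL;
    if (!in_environ)
        return 0;
    return md5_override_visible_to_openssl() ? 1 : 2;
}

int main(void) {
    static const char *msg[] = {
        MD5_VAR " is not set in this process",
        MD5_VAR " is set and OpenSSL will see it",
        MD5_VAR " is in environ but hidden: AT_SECURE is set, secure_getenv returns NULL",
    };
    printf("AT_SECURE=%d\n", process_is_at_secure());
    puts(msg[diagnose_md5_override()]);
    return 0;
}
```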

Comment 3 Ilkka Tengvall 2014-12-23 07:48:14 UTC
*** Bug 1175481 has been marked as a duplicate of this bug. ***

Comment 4 Ilkka Tengvall 2014-12-23 07:53:54 UTC
I closed the bug report of mine as a duplicate of this issue, as Jarkko already has a proposed bugfix in this report.

Comment 5 Daniel Walsh 2014-12-23 19:10:57 UTC
61ebb1a659e4f2a9f1f7ad017b1b4e264593515a adds the rule for openvpn.

Comment 6 Steve 2015-01-08 13:24:20 UTC
So I'm confused - is this already fixed? or how long does it take for fix to propagate into distro?

Comment 7 Daniel Walsh 2015-01-08 16:02:43 UTC
Fixed in Fedora stream

Comment 8 Steve 2015-01-08 16:07:31 UTC
Ahh. Thanks Daniel!

Comment 9 Lukas Vrabec 2015-01-15 14:38:09 UTC
commit 98e82178721238e515c8f38be2ab403125230cdd
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Tue Dec 23 14:10:14 2014 -0500

    Allow NetworkManager to noatsecure openvpn

Comment 10 Fedora Update System 2015-01-27 16:49:19 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 11 Ilkka Tengvall 2015-01-28 12:25:43 UTC
I can verify it works on my f21, thanks. I downloaded it from koji.

Comment 12 Fedora Update System 2015-01-30 04:32:16 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-01-30 23:54:43 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Ludek Finstrle 2015-05-05 08:12:25 UTC
Hi,

  the exact same problem is in CentOS 7.1. Do I need to create a new bug for it?

Thanks,

Luf

Comment 15 Piotr Dobrogost 2016-04-01 12:23:04 UTC
I'm observing this problem when running OpenVPN as a systemd service in Fedora 24.
Could anyone tell us if the fix for OpenVPN from comment #5 (commit 61ebb1a659e4f2a9f1f7ad017b1b4e264593515a) was reverted in the meantime?

Comment 16 goranj 2016-06-29 20:56:51 UTC
SELinux blocks the OpenVPN client in Fedora 24. After stopping SELinux, OpenVPN clients fail to connect with this error message:

VERIFY ERROR: depth=0, error=certificate signature failure: C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Comment 17 Tomas Mraz 2016-06-30 07:09:48 UTC
Just use certificates with SHA256 signature and not MD5.

Comment 18 goranj 2016-06-30 20:25:51 UTC
(In reply to Tomas Mraz from comment #17)
> Just use certificates with SHA256 signature and not MD5.

Thank you for your response sir

Comment 19 goranj 2016-06-30 20:26:14 UTC
(In reply to Tomas Mraz from comment #17)
> Just use certificates with SHA256 signature and not MD5.

Thank you for your response sir

Comment 20 Mads Kiilerich 2017-04-19 22:10:30 UTC
Note that this workaround also doesn't work in Fedora 26 - https://bugzilla.redhat.com/show_bug.cgi?id=1443749
