Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Eh, I accidentally pressed enter and submitted the bug before filling it out. Give me a moment, I'll see if I can fix it.
Looks like I can't. Anyway, the issue is as follows:

1) MD5 was disabled by default in Fedora 21 and an environment variable was introduced to re-enable it in OpenSSL. This broke my ability to connect to an OpenVPN server which unfortunately uses an old certificate.

2) Putting the environment variable in a systemd config drop-in is ineffective because openssl uses secure_getenv and the process context change from NetworkManager_t to openvpn_t causes AT_SECURE to be set.

I've worked around the issue with a simple SELinux policy addition:

allow NetworkManager_t openvpn_t:process { noatsecure };

Other services launched by NetworkManager are likely similarly affected. With this loaded, the environment variable works and I can connect to the insecure server again. Fixing this directly in NetworkManager or the VPN plugin by allowing some way of defining environment variables may be a good option as well, but I don't have a preference.
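A small diagnostic, added here as an example and not part of the bug report or of any Fedora package, that makes the getenv/secure_getenv split described above visible: compiled and launched in the same context as the service (for instance from a NetworkManager-spawned helper), it reports whether the kernel set AT_SECURE for the process and whether a variable passed in the environment survives secure_getenv. The variable name DEMO_ENABLE_LEGACY is a placeholder, not a real OpenSSL setting.

```c
/* Added diagnostic for the secure_getenv / AT_SECURE problem discussed
 * in this bug; not code from the report. Builds with glibc or musl. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */

/* Prototype given explicitly so the build does not depend on feature macros. */
extern char *secure_getenv(const char *name);

/* Placeholder variable name constructed for this example. */
#define DEMO_VAR "DEMO_ENABLE_LEGACY"

/* 1 if the kernel flagged this exec as "secure" (setuid/setgid binary,
 * file capabilities, or an LSM such as SELinux requesting it on a
 * domain transition), otherwise 0. */
int running_with_at_secure(void) {
    return getauxval(AT_SECURE) ? 1 : 0;
}

/* Plain getenv(): sees the variable regardless of AT_SECURE. */
int visible_via_getenv(const char *name) {
    return getenv(name) != NULL;
}

/* secure_getenv(): the lookup OpenSSL uses. It returns NULL whenever
 * AT_SECURE is set, so a variable that is present in the environment is
 * silently ignored in a secure-exec process. */
int visible_via_secure_getenv(const char *name) {
    return secure_getenv(name) != NULL;
}

int main(void) {
    int at_secure = running_with_at_secure();
    printf("AT_SECURE=%d\n", at_secure);
    printf("%s via getenv: %s\n", DEMO_VAR,
           visible_via_getenv(DEMO_VAR) ? "set" : "unset");
    printf("%s via secure_getenv: %s\n", DEMO_VAR,
           visible_via_secure_getenv(DEMO_VAR) ? "set" : "unset");
    if (at_secure && visible_via_getenv(DEMO_VAR))
        printf("variable is present but hidden from secure_getenv by AT_SECURE\n");
    return 0;
}
```

Run it as `DEMO_ENABLE_LEGACY=1 ./a.out` directly and then from the service context; only the second run should show AT_SECURE=1 with the variable hidden.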
*** Bug 1175481 has been marked as a duplicate of this bug. ***
I closed the bug report of mine as a duplicate of this issue, as Jarkko already has a proposed bugfix in this report.
61ebb1a659e4f2a9f1f7ad017b1b4e264593515a adds the rule for openvpn.
So I'm confused - is this already fixed? Or how long does it take for the fix to propagate into the distro?
Fixed in Fedora stream
Ahh. Thanks Daniel!
commit 98e82178721238e515c8f38be2ab403125230cdd
Author: Dan Walsh <dwalsh>
Date:   Tue Dec 23 14:10:14 2014 -0500

    Allow NetworkManager to noatsecure openvpn
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
I can verify it works on my f21, thanks. I downloaded it from koji.
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'

as soon as you are able to. Please go to the following url:

https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21

then log in and leave karma (feedback).
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Hi, the exact same problem is in CentOS 7.1. Do I need to create a new bug for it? Thanks, Luf
I'm observing this problem when running OpenVPN as a systemd service in Fedora 24. Could anyone tell us if the fix for OpenVPN from comment #5 (commit 61ebb1a659e4f2a9f1f7ad017b1b4e264593515a) was reverted in the meantime?
SELinux blocks the OpenVPN client in Fedora 24. After stopping SELinux, the OpenVPN client fails to connect with this error message:

VERIFY ERROR: depth=0, error=certificate signature failure: C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Just use certificates with SHA256 signature and not MD5.
(In reply to Tomas Mraz from comment #17)
> Just use certificates with SHA256 signature and not MD5.

Thank you for your response sir
Note that this workaround also doesn't work in Fedora 26 - https://bugzilla.redhat.com/show_bug.cgi?id=1443749