Bug 1440468 - OpenVPN 2.4 in F26 lacks --pkcs12 support when built against mbed TLS
Summary: OpenVPN 2.4 in F26 lacks --pkcs12 support when built against mbed TLS
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 26
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
Depends On: 1444994 1445349
TreeView+ depends on / blocked
Reported: 2017-04-09 07:36 UTC by Alexandre Roumiantsev
Modified: 2017-05-14 20:21 UTC (History)
6 users (show)

Fixed In Version: openvpn-2.4.2-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-05-14 20:21:13 UTC
Type: Bug

Attachments (Terms of Use)
openvpn configuration file (456 bytes, text/plain)
2017-04-10 18:00 UTC, Alexandre Roumiantsev
no flags Details
configuration file for Network Manager (208 bytes, text/plain)
2017-04-10 18:02 UTC, Alexandre Roumiantsev
no flags Details

Description Alexandre Roumiantsev 2017-04-09 07:36:10 UTC
Description of problem: My VPN connection won't work after upgrading to F26:
Here is error message:
Apr  9 10:28:53 notebook nm-openvpn[2946]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: pkcs12 (2.4.1)

Version-Release number of selected component (if applicable):
NetworkManager-openvpn.x86_64          1:1.2.8-2.fc26              @@commandline
NetworkManager-openvpn-gnome.x86_64    1:1.2.8-2.fc26              @@commandline
openvpn.x86_64                         2.4.1-3.fc26                @fedora      

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info: My VPN connection work successfully with F25 ( and early versions ) long time.  I get the error message above after upgrading to F26. Same error if I reset my VPN connection ( delete old one and install new under F26 ). 
My attempt to add pkcs12 line in config file allow go throw syntax check, but connection could not be esteblished - server part does not know such option.

Comment 1 David Sommerseth 2017-04-10 17:32:49 UTC

*** This bug has been marked as a duplicate of bug 1432152 ***

Comment 2 David Sommerseth 2017-04-10 17:39:57 UTC
Sorry!  This is a different issue (PKCS#12) than bug #1432152 (PKCS#11).

But my gut feeling is that it is related to the move from using OpenSSL to mbed TLS.  It might be the Fedora mbed TLS builds is also lacking PKCS#12 support.

Workaround - extract certs and keys from the pkcs#12 file.

$ openssl pkcs12 -in $PKCS12FILE -nokeys -cacerts > openvpn-ca.crt
$ openssl pkcs12 -in $PKCS12FILE -nokeys -clcerts > openvpn-cert.crt
$ openssl pkcs12 -in $PKCS12FILE -nocerts -nodes > openvpn-private.key

If you skip '-nodes' in the last line private key file will be password encrypted.

I will look into the mbed TLS packaging and see what is needed to change to resolve this issue.

Comment 3 David Sommerseth 2017-04-10 17:46:05 UTC
Btw ... can you also please provide a configuration file?

Comment 4 Alexandre Roumiantsev 2017-04-10 18:00:23 UTC
Created attachment 1270548 [details]
openvpn configuration file

Comment 5 Alexandre Roumiantsev 2017-04-10 18:02:17 UTC
Created attachment 1270549 [details]
configuration file for Network Manager

Comment 6 Alexandre Roumiantsev 2017-04-10 18:05:23 UTC
Hello, David.
Thank you for attention to my request. Find in attachment openvpn configuration file and the file, which was used by Network Manager to create this connection (openvpn configuration file)
Best regards, Alexandre.

Comment 7 David Woodhouse 2017-04-10 20:13:39 UTC
See the openconnect test suite for a set of certificate files you should probably be testing with...

Comment 8 David Sommerseth 2017-04-10 21:45:45 UTC
I'm quite surprised.  When starting to test your configuration, it seems to "work" (pass and start connecting to a server of mine) when compiled with OpenSSL. When doing the same test with mbed TLS, it is a very different story.

The quick answer is: The current state is that the mbed TLS implementation in OpenVPN does _not_ support --pkcs12.  This is something I was not aware of.  When looking at the mbed TLS API, it seems to be quite a bit more work to implement the missing pieces for PKCS#12 support.

Tomorrow I will get in touch with some guys knowing the mbed TLS implementation far better.  Perhaps we can put down a plan to resolve this.  But I can not make any promises now.

The short version of why we've switched to mbed TLS in F26 is that F26 want to ship with openssl-1.1.  OpenVPN is not prepared for that yet (Only ~50% if the contributed patches to make this work is reviewed and applied to the upstream OpenVPN tree)  So in the mean time it was decided to ship an OpenVPN built against mbed TLS instead - knowing it was not 100% feature compatible with the OpenSSL builds.  But it would be better with a reduced OpenVPN than no OpenVPN.  

Once OpenVPN can build against OpenSSL 1.1, I will switch back.  But right now, that isn't an option.

Comment 9 David Sommerseth 2017-04-17 17:01:36 UTC
I have checked this more carefully now.  The mbed TLS library completely lacks support for PKCS#12 files.  Which makes it impossible to make use of those files as it is today.  There are some partial PKCS#12 support, but that only covers password encryption used in PKCS#8 private keys and not the PKCS#12 file container.  So I am sorry to say that the mbed TLS library and PKCS#12 files is currently a dead-end.

On the other hand, I have recently discovered the compat-openssl10.  But that breaks PKCS#11 support, as there are package conflicts between openssl-devel and compat-openssl10-devel when installing the needed pkcs11-helper-devel package.

So currently, I have the options of:  a)  Keep mbed TLS builds and break PKCS#12, or b) Switch to compat-openssl10 and break PKCS#11 smart card support.

To be honest ... I have no idea which path is the least painful for most of the users.  Had I known that, I'd do a decision right now.

I have reached out to Tomas Mraz (openssl/compat-openssl10 maintainer) and Kalev Lember (pkcs11-helper maintainer) to see if we can find a way to avoid the pkcs11-helper situation.  If that is doable, I will soon switch back to OpenSSL again.

Comment 10 David Sommerseth 2017-04-20 11:15:34 UTC
Using compat-openssl10 is not possible for OpenVPN, as it depends on pkcs11-helper also being built against compat-openssl10.

I have asked for confirmation if the mbed TLS builds with PKCS#11 support is working.  If it is, I will prefer PKCS#11 support over PKCS#12.  The reason for that is that PKCS#11 have a workaround (you can split that file up into CA, Certificate and Private Key files using the "openssl pkcs12" command).

If however PKCS#11 support is _not_ functional with mbed TLS, I will switch to build OpenVPN against compat-openssl10 without PKCS#11 support.  Which re-enables PKCS#12 support.

Comment 11 Fedora Update System 2017-05-11 20:24:05 UTC
openvpn-2.4.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-89d98779ec

Comment 12 Fedora Update System 2017-05-13 01:12:30 UTC
openvpn-2.4.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-89d98779ec

Comment 13 Alexandre Roumiantsev 2017-05-14 05:31:52 UTC
Work well for me now

Comment 14 Fedora Update System 2017-05-14 20:21:13 UTC
openvpn-2.4.2-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.