Bug 1575007 - Cannot connect to openvpn server because private key cannot be decrypted
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: openssl
Version: 28
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-04 14:05 UTC by Michael Lipp
Modified: 2018-05-05 21:16 UTC
Last Closed: 2018-05-05 21:16:01 UTC
Type: Bug


Description Michael Lipp 2018-05-04 14:05:46 UTC
Description of problem:

After upgrading to Fedora 28, my private key can no longer be decrypted. This prevents the connection to the (open)VPN. To simplify things, I have tried to decrypt the certificate from the command line, which fails as well.

Version-Release number of selected component (if applicable):

Fedora 29

How reproducible:

Using a certificate previously generated for openvpn, I try:

openssl pkcs12 -export -in test.crt -inkey test.key -out test.p12

Actual results:

unable to load private key
140632796387136:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:569:
140632796387136:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:63:
140632796387136:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
140632796387136:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:87:

Expected results:

Should work

Comment 1 Tomas Mraz 2018-05-04 14:24:49 UTC
That just looks like you provided the wrong passphrase for decryption of the test.key.

Also did you use any non-ASCII characters in the passphrase?

What Fedora did you upgrade from?

Comment 2 Michael Lipp 2018-05-04 14:32:49 UTC
> That just looks like you provided the wrong passphrase for decryption of the test.key.

(1) Being used for a VPN connection, the passphrase was stored and not changed during or after the upgrade. (2) When reproducing the problem with openssl, I tried several times and I strongly doubt that I failed every time.

> Also did you use any non-ASCII characters in the passphrase?
Yes, but this has never been a problem.

> What Fedora did you upgrade from?
27

Comment 3 Michael Lipp 2018-05-04 14:36:55 UTC
BTW the error in the journal when trying to connect to the VPN is:

SIGUSR1[soft,private-key-password-failure] received, process restarting

Comment 4 Tomas Mraz 2018-05-04 16:02:51 UTC
As I cannot reproduce the problem, could you please try to somehow make it reproducible for me?

I would need a test key with a test passphrase created on Fedora 27 that cannot be loaded on Fedora 28.

I suppose you would not want to give up your key, can you recreate the problem with some test key?

Comment 5 Michael Lipp 2018-05-05 21:16:01 UTC
I tried it the other way round and copied the private key to an F27 installation. I couldn't decrypt it there either. So whatever happened during the upgrade, it is not an F28-specific decryption error. I'll close this for now and see what happens when I upgrade the next machine.
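
A throwaway reproducer of the kind requested in comment 4 could be built as follows. This is an added example, not code from the report or from OpenSSL: the directory, file names and the passphrase "pässphrase" are constructed test values, and the Latin-1 comparison is an assumption about why non-ASCII characters were asked about.

```shell
#!/bin/sh
# Added example: throwaway encrypted key plus passphrase check.
# Nothing here comes from the bug report; all names and values are constructed.

# make_test_key DIR: write DIR/test.key encrypted with the UTF-8 bytes of
# "pässphrase", and store the same passphrase as Latin-1 bytes for comparison.
make_test_key() {
    dir=$1
    printf 'p\303\244ssphrase\n' > "$dir/pw.utf8"     # ä = 0xC3 0xA4
    printf 'p\344ssphrase\n'     > "$dir/pw.latin1"   # ä = 0xE4
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$dir/pw.utf8" -out "$dir/test.key" 2>/dev/null
}

# key_opens KEY PWFILE: exit status 0 if the first line of PWFILE decrypts KEY.
key_opens() {
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# report DIR: print one result line per passphrase encoding.
report() {
    for enc in utf8 latin1; do
        if key_opens "$1/test.key" "$1/pw.$enc"; then
            echo "$enc: key decrypts"
        else
            echo "$enc: bad decrypt"
        fi
    done
}

# First run (older release): creates the key. Copy the directory to the newer
# release and run again: the existing key is reused and only re-checked.
workdir=${1:-./keytest}
mkdir -p "$workdir"
[ -f "$workdir/test.key" ] || make_test_key "$workdir"
report "$workdir"
openssl version    # record next to the results from each release
```

If the two releases print different results for the same directory, the key, both passphrase files and the two `openssl version` lines form a test case that can be attached without exposing a real key.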

