Your message dated Sat, 14 Jun 2008 18:04:01 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#483500: fixed in openssl-blacklist 0.4
has caused the Debian Bug report #483500,
regarding OpenVPN using openssl-vulnkey instead of openvpn-vulnkey ?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
483500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483500
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openvpn
Version: 2.1~rc7-2
Severity: important
NB: this is discussed in Ubuntu bug #230197
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/230197
When upgrading from 2.1~rc7-1 to 2.1~rc7-2, I noticed a change in the
way OpenVPN was handling my private key. Instead of asking once for the
passphrase, it was asking for it four times!
2.7~rc7-1
~$ sudo openvpn --config /etc/openvpn/myconfig
[...]
Thu May 29 05:14:08 2008 us=971390 OpenVPN 2.1_rc7 i486-pc-linux-gnu
[SSL] [LZO2] [EPOLL] built on Apr 7 2008
Enter Private Key Password:
[...]
2.7~rc7-2
~$ sudo openvpn --config /etc/openvpn/myconfig
[...]
Thu May 29 05:19:08 2008 us=535971 OpenVPN 2.1_rc7 i486-pc-linux-gnu
[SSL] [LZO2] [EPOLL] built on May 18 2008
Thu May 29 05:12:08 2008 us=536149 /usr/sbin/openssl-vulnkey -q
/etc/openvpn/cert.key
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Enter Private Key Password:
[...]
Basically, we can see OpenVPN is invoking openssl-vulnkey, which actually
requires checking the private key three times, asking for the passphrase
each time:
~$ sudo openssl-vulnkey /etc/openvpn/cert.key
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Not blacklisted: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /etc/openvpn/cert.key
If you use openvpn-vulnkey, no passphrase is asked for:
~$ sudo openvpn-vulnkey /etc/openvpn/cert.key
Not blacklisted: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /etc/openvpn/cert.key
In addition to the obvious usability impact of having to enter your
private key passphrase four times, openssl-vulnkey will ask for the
passphrase again on reconnect, making openvpn unable to reconnect by
itself when persist options are set.
As we have an openvpn-blacklist package, should OpenVPN use
openvpn-vulnkey instead of openssl-vulnkey? As a matter of fact,
I could not find any call to openvpn-vulnkey when launching OpenVPN.
This bug is related to bugs #482498 (network-manager-openvpn:
openssl-vulnkey passphrase dialog hangs) and #483020 (openssl-vulnkey
hangs on connecting), which leave network-manager-openvpn unable to
launch connections anymore:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482498
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483020
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25 (SMP w/2 CPU cores; PREEMPT)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-11 GNU C Library: Shared libraries
ii liblzo2-2 2.03-1 data compression library
ii libpam0g 0.99.7.1-6 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8g-10 SSL shared libraries
ii openssl-blacklist 0.3 list of blacklisted OpenSSL RSA ke
ii openvpn-blacklist 0.3 list of blacklisted OpenVPN RSA sh
openvpn recommends no packages.
-- debconf information:
* openvpn/vulnerable_prng:
openvpn/change_init: false
openvpn/stop2upgrade: false
openvpn/default_port:
openvpn/change_init2: true
openvpn/create_tun: false
--- End Message ---
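As an added example (not code from the bug report, from OpenVPN, or from the openssl-blacklist package), the following Python shows the single-pass lookup that the changelog's '-m' and '-b' arguments make possible: the calling application, which already has the key decrypted in memory, passes the modulus and bit size, and the checker only hashes and looks up, so the passphrase is entered once instead of three extra times. The hashing convention used here (the last 20 hex characters of SHA-1 over the `Modulus=...` line as printed by `openssl rsa -noout -modulus`), the function names, and the sample blacklist entry are my assumptions and constructions, not values taken from the page.

```python
"""Single-pass weak-key blacklist lookup (illustrative, not openssl-vulnkey)."""
import hashlib
import re

# ASSUMPTION: a blacklist file for N-bit keys lists one entry per line, each
# being the last 20 hex characters of SHA-1 over the text
# "Modulus=<UPPERCASE HEX>\n", i.e. the line `openssl rsa -noout -modulus`
# prints. Lines starting with '#' are comments.
MODULUS_LINE = re.compile(r"^Modulus=([0-9A-Fa-f]+)\s*$")


def parse_modulus_line(line):
    """Extract the hex modulus from an `openssl rsa -noout -modulus` line."""
    match = MODULUS_LINE.match(line.strip())
    if not match:
        raise ValueError("not a Modulus= line: %r" % line)
    return match.group(1).upper()


def modulus_bits(modulus_hex):
    """Key size in bits, derived from the modulus itself."""
    return int(modulus_hex, 16).bit_length()


def blacklist_hash(modulus_hex):
    """Blacklist lookup key: low 80 bits (20 hex chars) of SHA-1 over the line."""
    line = "Modulus=%s\n" % modulus_hex.upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def load_blacklist(text):
    """Parse blacklist file contents into a set of 20-char lowercase hashes."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def check_modulus(modulus_hex, bits, blacklists):
    """Equivalent of `openssl-vulnkey -m <modulus> -b <bits>`: no key file is
    opened and no passphrase is needed, because the caller supplies what it
    already decrypted once. `blacklists` maps bit size -> set of hashes."""
    if modulus_bits(modulus_hex) != bits:
        return "bits mismatch"          # caller passed inconsistent -m/-b
    if bits not in blacklists:
        return "no blacklist"           # no database shipped for this size
    if blacklist_hash(modulus_hex) in blacklists[bits]:
        return "blacklisted"            # key generated by the weak PRNG
    return "not blacklisted"


# Constructed sample data (not real Debian blacklist entries): a 1024-bit odd
# modulus we declare "weak" by putting its hash into a toy blacklist.
WEAK_MODULUS = "C0FFEE" * 42 + "C0FF"
SAMPLE_BLACKLIST_1024 = (
    "# constructed sample blacklist, 1024-bit keys\n"
    + blacklist_hash(WEAK_MODULUS) + "\n"
)
SAMPLE_BLACKLISTS = {1024: load_blacklist(SAMPLE_BLACKLIST_1024)}


if __name__ == "__main__":
    # Simulates what the application would feed in after loading its key once.
    line = "Modulus=" + WEAK_MODULUS.lower()
    mod = parse_modulus_line(line)
    print(modulus_bits(mod), check_modulus(mod, modulus_bits(mod), SAMPLE_BLACKLISTS))
    print(check_modulus("DEADBEEF" * 32, 1024, SAMPLE_BLACKLISTS))
```

The design point mirrors the changelog entry: once the application can hand over modulus and bit size, the checker never has to decrypt the key file itself, which is what caused the three extra passphrase prompts and the failed automatic reconnects described in the report.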
--- Begin Message ---
Source: openssl-blacklist
Source-Version: 0.4
We believe that the bug you reported is fixed in the latest version of
openssl-blacklist, which is due to be installed in the Debian FTP archive:
openssl-blacklist-extra_0.4_all.deb
to pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.4_all.deb
openssl-blacklist_0.4.dsc
to pool/main/o/openssl-blacklist/openssl-blacklist_0.4.dsc
openssl-blacklist_0.4.tar.gz
to pool/main/o/openssl-blacklist/openssl-blacklist_0.4.tar.gz
openssl-blacklist_0.4_all.deb
to pool/main/o/openssl-blacklist/openssl-blacklist_0.4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jamie Strandboge <[EMAIL PROTECTED]> (supplier of updated openssl-blacklist package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 10 Jun 2008 09:09:48 -0400
Source: openssl-blacklist
Binary: openssl-blacklist openssl-blacklist-extra
Architecture: source all
Version: 0.4
Distribution: unstable
Urgency: low
Maintainer: Kees Cook <[EMAIL PROTECTED]>
Changed-By: Jamie Strandboge <[EMAIL PROTECTED]>
Description:
openssl-blacklist - list of blacklisted OpenSSL RSA keys
openssl-blacklist-extra - list of non-default blacklisted OpenSSL RSA keys
Closes: 483500
Changes:
openssl-blacklist (0.4) unstable; urgency=low
.
* allow checking of certificate requests
* only check moduli with an exponent of 65537 (the default on Debian/Ubuntu)
* update gen_certs.sh for when ~/.rnd does not exist when openssl is run
which can happen with openssl 0.9.8g and higher
* update gen_certs.sh to use '0' (in case of PID randomization)
* added more examples
* only prompt once for password (Closes: #483500)
* properly cache database reads when bits are same
* added '-m' and '-b' arguments. This is helpful for applications calling
openssl-vulnkey when the modulus and bits are known, such as openvpn.
* man page updates
* added test.sh
* added blacklists for when ~/.rnd does not exist when openssl is run
(LP: #232104)
* added 512 bit and partial 4096 blacklists (need le64) (LP: #231014)
* reorganized source databases, and ship the new gen_certs.sh format
* debian/rules: updated to use new blacklist format and organization
* create openssl-blacklist-extra package (but don't ship 4096 yet)
Checksums-Sha1:
185ddc8aa22b01e8f6f38bc933c73070871f9499 1081 openssl-blacklist_0.4.dsc
45792725b913a5e843fb0ae4fbf89e9efd1a0c6f 30175858 openssl-blacklist_0.4.tar.gz
41855263cb41ad89739eb038f50a86614c5a486f 6333310 openssl-blacklist_0.4_all.deb
1ff6b5fee914bfa3995f4de7eca1a703bc6c44b0 3160374 openssl-blacklist-extra_0.4_all.deb
Checksums-Sha256:
dbdbebb7319c4b4840de2c7b88128824148c6003a3b93019863a9395bca0acf3 1081 openssl-blacklist_0.4.dsc
2a9491dc1d3e4511307342217d58fb553699e1bbe51364fbc729d1b61c5adecf 30175858 openssl-blacklist_0.4.tar.gz
2880f46f22ad476d6f57c3599dd8abe35534cb1c4e9d1cf775b0e679fea444c1 6333310 openssl-blacklist_0.4_all.deb
505fb23ef8cf1554984bff70b55bc7b295aa968407e7ee33931ccdf049e5dd80 3160374 openssl-blacklist-extra_0.4_all.deb
Files:
02f74893a2341c680ea8db1dc2b4a67c 1081 net optional openssl-blacklist_0.4.dsc
ddaae8869033957fe1ae78214f846e2a 30175858 net optional openssl-blacklist_0.4.tar.gz
92b0db2cd7e2171e23ea28cd546e3599 6333310 net optional openssl-blacklist_0.4_all.deb
ee8d574037c937b481fa7bc55892d845 3160374 net optional openssl-blacklist-extra_0.4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <[EMAIL PROTECTED]>
iEYEARECAAYFAkhQK/EACgkQH/9LqRcGPm0lYQCcDWjy/JcWTudXzFqLhuaM8Dtt
xHgAnjwpzAxGAgbuv/9Lf90eHt1QJkcn
=BXWL
-----END PGP SIGNATURE-----
--- End Message ---