Your message dated Sun, 15 Jun 2008 10:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#483500: fixed in openvpn 2.1~rc7-4
has caused the Debian Bug report #483500,
regarding OpenVPN using openssl-vulnkey instead of openvpn-vulnkey ?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
483500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483500
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openvpn
Version: 2.1~rc7-2
Severity: important


NB: this is discussed in Ubuntu bug #230197
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/230197

When upgrading from 2.1~rc7-1 to 2.1~rc7-2, I noticed a change in the
way OpenVPN was handling my private key. Instead of asking once for the
passphrase, it was asking for it four times!

2.7~rc7-1
~$ sudo openvpn --config /etc/openvpn/myconfig
[...]
Thu May 29 05:14:08 2008 us=971390 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr  7 2008
Enter Private Key Password:
[...]

2.7~rc7-2
~$ sudo openvpn --config /etc/openvpn/myconfig
[...]
Thu May 29 05:19:08 2008 us=535971 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 18 2008
Thu May 29 05:12:08 2008 us=536149 /usr/sbin/openssl-vulnkey -q /etc/openvpn/cert.key
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Enter Private Key Password:
[...]

Basically, we can see OpenVPN is invoking openssl-vulnkey, which actually
requires checking the private key three times, asking for the passphrase
each time:

~$ sudo openssl-vulnkey /etc/openvpn/cert.key 
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Enter pass phrase for /etc/openvpn/cert.key:
Not blacklisted: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /etc/openvpn/cert.key

If you use openvpn-vulnkey, no passphrase is asked for:

~$ sudo openvpn-vulnkey /etc/openvpn/cert.key 
Not blacklisted: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /etc/openvpn/cert.key


In addition to the obvious usability impact of having to enter your
private key passphrase four times, openssl-vulnkey will ask for the
passphrase again on reconnect, making openvpn unable to reconnect by
itself when persist options are set.


As we have an openvpn-blacklist package, should OpenVPN use
openvpn-vulnkey instead of openssl-vulnkey? As a matter of fact,
I could not find any call to openvpn-vulnkey when launching OpenVPN.



This bug is related to bugs #482498 (network-manager-openvpn:
openssl-vulnkey passphrase dialog hangs) and #483020 (openssl-vulnkey
hangs on connecting), which leave network-manager-openvpn unable to
launch connections anymore:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482498
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483020




-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25 (SMP w/2 CPU cores; PREEMPT)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]         1.5.22     Debian configuration management sy
ii  libc6                         2.7-11     GNU C Library: Shared libraries
ii  liblzo2-2                     2.03-1     data compression library
ii  libpam0g                      0.99.7.1-6 Pluggable Authentication Modules l
ii  libssl0.9.8                   0.9.8g-10  SSL shared libraries
ii  openssl-blacklist             0.3        list of blacklisted OpenSSL RSA ke
ii  openvpn-blacklist             0.3        list of blacklisted OpenVPN RSA sh

openvpn recommends no packages.

-- debconf information:
* openvpn/vulnerable_prng:
  openvpn/change_init: false
  openvpn/stop2upgrade: false
  openvpn/default_port:
  openvpn/change_init2: true
  openvpn/create_tun: false



--- End Message ---
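
The condition described in the report above (a passphrase-protected key combined with persist options) can be checked for ahead of time. The following is an added example, not code from the bug report or from the openvpn package; it assumes PEM key files and unquoted paths in the config, and treating persist-key as the relevant persist option is an assumption.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the openvpn package.

# Succeed if PEM private key file $1 is passphrase-protected: traditional
# OpenSSL PEM carries "Proc-Type: 4,ENCRYPTED", PKCS#8 a distinct armor line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print the argument of the first "key" directive in OpenVPN config $1.
# Simplification (assumption): unquoted paths only.
config_key_path() {
    awk '$1 == "key" { print $2; exit }' "$1"
}

# Classify config $1 as: no-key | unreadable-key | unencrypted | encrypted |
# encrypted+persist-key. The last is the setup the report describes, where a
# passphrase prompt on reconnect prevents unattended reconnection.
classify_config() {
    cfg=$1
    key=$(config_key_path "$cfg")
    [ -n "$key" ] || { echo "no-key"; return 0; }
    [ -r "$key" ] || { echo "unreadable-key"; return 0; }
    key_is_encrypted "$key" || { echo "unencrypted"; return 0; }
    if grep -Eq '^[[:space:]]*persist-key([[:space:]]|$)' "$cfg"; then
        echo "encrypted+persist-key"
    else
        echo "encrypted"
    fi
}

# Constructed sample data: header-only stand-ins for key files (no key
# material) plus two minimal configs, written to a temporary directory.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$d/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/plain.key"
    printf 'client\nkey %s\npersist-key\npersist-tun\n' "$d/enc.key" > "$d/a.conf"
    printf 'client\nkey %s\n' "$d/plain.key" > "$d/b.conf"
    echo "$d"
}

d=$(make_samples)
for c in "$d"/a.conf "$d"/b.conf; do
    echo "$(basename "$c"): $(classify_config "$c")"
done
rm -rf "$d"
```
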
--- Begin Message ---
Source: openvpn
Source-Version: 2.1~rc7-4

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive:

openvpn_2.1~rc7-4.diff.gz
  to pool/main/o/openvpn/openvpn_2.1~rc7-4.diff.gz
openvpn_2.1~rc7-4.dsc
  to pool/main/o/openvpn/openvpn_2.1~rc7-4.dsc
openvpn_2.1~rc7-4_i386.deb
  to pool/main/o/openvpn/openvpn_2.1~rc7-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 Jun 2008 19:00:40 +0200
Source: openvpn
Binary: openvpn
Architecture: source i386
Version: 2.1~rc7-4
Distribution: unstable
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Changed-By: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Description: 
 openvpn    - virtual private network daemon
Closes: 483020 483500 484007 484110 484111 484113 486129
Changes: 
 openvpn (2.1~rc7-4) unstable; urgency=low
 .
   * The 'Miriam helped me move to quilt' release
   * Moved all the patches to debian/patches
   * debian/control: Added Build-Dep on quilt
   * Applied patch by Jamie Strandboge to fix openssl-vulnkey
     extra passphrase prompts. Thanks Jamie.
     (Closes: #483020, #483500, #486129)
   * Updated Portuguese debconf templates. (Closes: #484007)
 .
   [ Martin Pitt ]
   * Added note on Out Of Memory issues. (Closes: #484113)
   * Avoid asking about the tun device creation if using udev.
     (Closes: #484111)
   * Reworked init.d script to use LSB functions. (Closes: #484110)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIVPFvxRSvjkukAcMRAjIhAJ0XB6MTRlVxR05uJyXfbDamDzydrACg87Ff
Tg3RvkJ4TkDqAAmFso1lMuc=
=i1et
-----END PGP SIGNATURE-----



--- End Message ---
