Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
Hi Stuart and Joel,

Just to confirm for others reading, you are very correct. And patch 014_libcrypto has fixed this :) So just run syspatch (or openup) and you'll be working again.

Thanks for the commits ;)

PS: good to hear from you again Stuart! Long time.. I'm on this email now rather than andy@brandwatch, it's been a while since I've been around the lists. I knew I could rely on you amazing peeps.

Take care, happy summer.
Andy

Sent from a teeny tiny keyboard, so please excuse typos

> On 3 Jul 2017, at 16:51, Joel Sing wrote:
>
>> On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
>> Hi,
>>
>> Sadly in my testing it seems that CVE-2017-8301 (http://seclists.org/oss-sec/2017/q2/145) is still broken with the latest LibreSSL (2.5.4) and OpenVPN 2.4.2.
>>
>> Here is someone else reporting the same issue;
>> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
>>
>> Of course I may have gotten this wrong somewhere, but for now it seems not possible to use OpenVPN as a client with TLS static certificate based server on OpenBSD.
>>
>> Hope this helps clarify for anyone else finding the same issue until some clever person does a fix.
>>
>> Error same with latest;
>>
>> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
>> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
>> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
>> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
>> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
>> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting
>
> This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) - you should also be able to work around the issue by using different CNs for the CA and server certificates (they're likely identical in this case).
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
> Hi,
>
> Sadly in my testing it seems that CVE-2017-8301 (http://seclists.org/oss-sec/2017/q2/145) is still broken with the latest LibreSSL (2.5.4) and OpenVPN 2.4.2.
>
> Here is someone else reporting the same issue;
> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
>
> Of course I may have gotten this wrong somewhere, but for now it seems not possible to use OpenVPN as a client with TLS static certificate based server on OpenBSD.
>
> Hope this helps clarify for anyone else finding the same issue until some clever person does a fix.
>
> Error same with latest;
>
> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting

This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) - you should also be able to work around the issue by using different CNs for the CA and server certificates (they're likely identical in this case).
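The workaround above hinges on the CA certificate and the server certificate carrying the same subject name. The following script is an added example, not code from this thread, from OpenVPN or from LibreSSL: it pulls the inline `<ca>` and `<cert>` blocks out of an .ovpn file, walks the DER of each certificate with a minimal ASN.1 reader to read issuer and subject, and reports whether the two subjects are identical (the suspect case), whether the CA is self-signed, and whether the server cert's issuer matches the CA's subject. The certificates it demonstrates on are constructed test input (`fake_cert_pem`, a hypothetical helper that builds an unsigned certificate with the real X.509 field order); the names `vpn.example.test` and `server.example.test` are placeholders. No signatures are checked.

```python
"""Added example (not code from this thread, OpenVPN or LibreSSL): report
whether the CA and server certificates in an .ovpn file share a subject name,
the condition pointed at for the depth=0 "self signed certificate" verify
error. DER is walked with a minimal ASN.1 reader; no signatures are checked."""
import base64
import re

OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName, DER-encoded

# --- minimal DER reader ---------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):
    """Split a constructed element's contents into (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        out.append((tag, val))
    return out

def name_to_dict(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to {oid_hex: value}."""
    attrs = {}
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            attrs[oid.hex()] = val.decode("utf-8", "replace")
    return attrs

def cert_names(der):
    """Return (issuer, subject) dicts from a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0        # skip EXPLICIT [0] version if present
    # after version: serialNumber, signature, issuer, validity, subject, ...
    return name_to_dict(fields[i + 2][1]), name_to_dict(fields[i + 4][1])

def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))

def inline_blocks(ovpn):
    """Pull <ca>...</ca> and <cert>...</cert> inline PEM blocks out of an .ovpn file."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"<(ca|cert)>\s*(.*?)\s*</\1>", ovpn, re.S)}

def diagnose(ovpn):
    """Compare CA and server cert names; 'same_subject' True is the suspect case."""
    blocks = inline_blocks(ovpn)
    ca_issuer, ca_subject = cert_names(pem_to_der(blocks["ca"]))
    srv_issuer, srv_subject = cert_names(pem_to_der(blocks["cert"]))
    return {
        "ca_self_signed": ca_issuer == ca_subject,
        "server_issued_by_ca": srv_issuer == ca_subject,
        "same_subject": srv_subject == ca_subject,
        "ca_cn": ca_subject.get(OID_CN.hex()),
        "server_cn": srv_subject.get(OID_CN.hex()),
    }

# --- constructed test input: unsigned certs with a real X.509 layout --------
def _tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))  # {OID, UTF8String}
    return _tlv(0x30, _tlv(0x31, atv))                              # SEQUENCE OF SET OF

def fake_cert_pem(issuer_cn, subject_cn, serial):
    """Hypothetical demo cert: correct field order, empty placeholders, no signature."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + _tlv(0x30, b"") + _name(issuer_cn) + _tlv(0x30, b"")
               + _name(subject_cn) + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
            + "\n-----END CERTIFICATE-----")

def _ovpn(ca_cn, server_cn):
    return ("client\nremote vpn.example.test 1194\n"
            "<ca>\n" + fake_cert_pem(ca_cn, ca_cn, 1) + "\n</ca>\n"
            "<cert>\n" + fake_cert_pem(ca_cn, server_cn, 2) + "\n</cert>\n")

BROKEN_OVPN = _ovpn("vpn.example.test", "vpn.example.test")    # CA and server share a CN
FIXED_OVPN = _ovpn("vpn.example.test", "server.example.test")  # distinct CNs, the workaround

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_OVPN), ("fixed", FIXED_OVPN)):
        print(label, diagnose(cfg))
```

Against a real .ovpn file, read it in and pass the text to `diagnose()`; for file-based configs the same two facts come from `openssl x509 -in ca.crt -noout -subject -issuer` run on each certificate. A result with `same_subject` True on a LibreSSL 2.5.x client that fails at depth=0 is the pattern this thread describes; reissuing the server certificate with a distinct CN, or applying the libcrypto patch, is the fix.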
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
On 2017-06-22, Stuart Henderson wrote:
> On 2017-06-20, Andrew Lemin wrote:
>> Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1?
>
> Yes there have been problems reported like this: (This is from the "Investigating self-signed cert behavior change" posts on the libressl mailing list).
>
> Mon May 1 22:14:27 2017 UDP link remote: [AF_INET]75.102.1.76:1194
> Mon May 1 22:14:27 2017 VERIFY ERROR: depth=0, error=self signed certificate: C=XX, ST=XX, L=XX, O=XX, CN=xxx.xxx.com, emailAddress=x...@xxx.com
> Mon May 1 22:14:27 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
> Mon May 1 22:14:27 2017 TLS_ERROR: BIO read tls_read_plaintext error
> Mon May 1 22:14:27 2017 TLS Error: TLS object -> incoming plaintext read error
> Mon May 1 22:14:27 2017 TLS Error: TLS handshake failed
>
> I have had OpenVPN working on a 6.1 machine, pretty sure it's cert-dependent rather than a more general problem.
>
> beck@ and guenther@ asked for certificates (not keys) showing the problem, but neither the reporter nor the person who said they also saw the problem replied with certs.

PS: server and CA certs.
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
On 2017-06-20, Andrew Lemin wrote:
> Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1?

Yes there have been problems reported like this: (This is from the "Investigating self-signed cert behavior change" posts on the libressl mailing list).

Mon May 1 22:14:27 2017 UDP link remote: [AF_INET]75.102.1.76:1194
Mon May 1 22:14:27 2017 VERIFY ERROR: depth=0, error=self signed certificate: C=XX, ST=XX, L=XX, O=XX, CN=xxx.xxx.com, emailAddress=x...@xxx.com
Mon May 1 22:14:27 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
Mon May 1 22:14:27 2017 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 1 22:14:27 2017 TLS Error: TLS object -> incoming plaintext read error
Mon May 1 22:14:27 2017 TLS Error: TLS handshake failed

I have had OpenVPN working on a 6.1 machine, pretty sure it's cert-dependent rather than a more general problem.

beck@ and guenther@ asked for certificates (not keys) showing the problem, but neither the reporter nor the person who said they also saw the problem replied with certs.

> I have since found CVE-2017-8301 which I believe is related. And confirmed that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list yet. openvpn did have a minor.
..
> It would be great if someone would be kind enough to confirm if this CVE is indeed the same issue, and if 2.5.4 includes the relevant fixes for it?

That's not the problem you see here. openvpn's verify callback function doesn't trigger this problem. Even if it did, that bug would cause false acceptance of a cert, not false rejection.

The relevant fix for OpenBSD 6.1 is 003_libressl, you can check with syspatch -l to see if it's listed. (Current versions of mtier's openup tool run syspatch for you automatically to get base OS updates).

> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL etc.. However notice that openvpn is still linking to 2.5.2.
..
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 install?

I would avoid fiddling with the libressl version on a release/stable installation. If you want something newer than that, just use -current snapshots.
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
Hi,

Sadly in my testing it seems that CVE-2017-8301 (http://seclists.org/oss-sec/2017/q2/145) is still broken with the latest LibreSSL (2.5.4) and OpenVPN 2.4.2.

Here is someone else reporting the same issue;
https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4

Of course I may have gotten this wrong somewhere, but for now it seems not possible to use OpenVPN as a client with TLS static certificate based server on OpenBSD.

Hope this helps clarify for anyone else finding the same issue until some clever person does a fix.

Error same with latest;

Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
.
.
Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting

On Tue, Jun 20, 2017 at 8:49 PM, Andy Lemin wrote:
> I've just found this hint on GitHub for the Openvpn compile options for Libressl;
> https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995
>
> So will try a build later tonight and share back here if that CVE is fixed.
>
> Would prefer to rebuild with the same options as the packaged binary, and it occurred to me that I don't know how to find that on OpenBSD?
>
> Thanks again :)
>
> Sent from a teeny tiny keyboard, so please excuse typos
>
> On 20 Jun 2017, at 20:23, Andrew Lemin wrote:
>
> Hi Misc,
>
> Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1?
>
> I am using an .ovpn file with TLS auth static key and cert inline within the file, to connect to VPN service. Running openvpn binary from command line without any special params, just .ovpn file.
>
> I have tested this is working fine on a Linux server with same config (using Openssl), so the server side, CA and cert are fine etc.
>
> I noticed on the Linux server the line; "Control Channel Authentication: tls-auth using INLINE static key file", but I do not see this debug on the OpenBSD version. Wondered if Libressl is not negotiating tls properly.
>
> I have since found CVE-2017-8301 which I believe is related. And confirmed that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list yet. openvpn did have a minor.
>
> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL etc.. However notice that openvpn is still linking to 2.5.2.
>
> It would be great if someone would be kind enough to confirm if this CVE is indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
>
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 install?
>
> Thanks for your time.
> Kind regards, Andy Lemin
>
> Sent from a teeny tiny keyboard, so please excuse typos
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
I've just found this hint on GitHub for the Openvpn compile options for Libressl;
https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995

So will try a build later tonight and share back here if that CVE is fixed.

Would prefer to rebuild with the same options as the packaged binary, and it occurred to me that I don't know how to find that on OpenBSD?

Thanks again :)

Sent from a teeny tiny keyboard, so please excuse typos

> On 20 Jun 2017, at 20:23, Andrew Lemin wrote:
>
> Hi Misc,
>
> Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1?
>
> I am using an .ovpn file with TLS auth static key and cert inline within the file, to connect to VPN service. Running openvpn binary from command line without any special params, just .ovpn file.
>
> I have tested this is working fine on a Linux server with same config (using Openssl), so the server side, CA and cert are fine etc.
>
> I noticed on the Linux server the line; "Control Channel Authentication: tls-auth using INLINE static key file", but I do not see this debug on the OpenBSD version. Wondered if Libressl is not negotiating tls properly.
>
> I have since found CVE-2017-8301 which I believe is related. And confirmed that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list yet. openvpn did have a minor.
>
> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL etc.. However notice that openvpn is still linking to 2.5.2.
>
> It would be great if someone would be kind enough to confirm if this CVE is indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
>
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 install?
>
> Thanks for your time.
> Kind regards, Andy Lemin
>
> Sent from a teeny tiny keyboard, so please excuse typos
Libressl issue verifying self-signed certs with tls-auth and Openvpn
Hi Misc,

Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1?

I am using an .ovpn file with TLS auth static key and cert inline within the file, to connect to VPN service. Running openvpn binary from command line without any special params, just .ovpn file.

I have tested this is working fine on a Linux server with same config (using Openssl), so the server side, CA and cert are fine etc.

I noticed on the Linux server the line; "Control Channel Authentication: tls-auth using INLINE static key file", but I do not see this debug on the OpenBSD version. Wondered if Libressl is not negotiating tls properly.

I have since found CVE-2017-8301 which I believe is related. And confirmed that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2

The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD trees I can see 2.5.4 was cut around 1st of May..

I used MTier to grab all major patches etc, but LibreSSL not in patch list yet. openvpn did have a minor.

So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL etc.. However notice that openvpn is still linking to 2.5.2.

It would be great if someone would be kind enough to confirm if this CVE is indeed the same issue, and if 2.5.4 includes the relevant fixes for it?

And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 install?

Thanks for your time.
Kind regards, Andy Lemin

Sent from a teeny tiny keyboard, so please excuse typos