Bug ID 1175219
Summary OpenVPN fails with certificates on smart cards on Leap 15.2 and TW
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter bjoernv@arcor.de
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

After upgrading from Leap 15.1 to Leap 15.2 working OpenVPN setups with PKCS11
certificates on Yubikeys are failing. The same applies to openSUSE Tumbleweed.
Also other smart card devices may be affected.

OpenVPN does not show many details, even with highest logging level.

# openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn
[...]
Thu Aug 13 10:21:21 2020 VERIFY OK: depth=1, CN=Test CA
Thu Aug 13 10:21:21 2020 VERIFY KU OK
Thu Aug 13 10:21:21 2020 Validating certificate extended key usage
Thu Aug 13 10:21:21 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 13 10:21:21 2020 VERIFY EKU OK
Thu Aug 13 10:21:21 2020 VERIFY OK: depth=0, CN=host1.example.com
Thu Aug 13 10:21:21 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Aug 13 10:21:21 2020 TLS_ERROR: BIO read tls_read_plaintext error
Thu Aug 13 10:21:21 2020 TLS Error: TLS object -> incoming plaintext read error
Thu Aug 13 10:21:21 2020 TLS Error: TLS handshake failed
Thu Aug 13 10:21:21 2020 Fatal TLS error (check_tls_errors_co), restarting
Thu Aug 13 10:21:21 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 13 10:21:21 2020 Restart pause, 5 second(s)

The bug can be resolved by upgrading the pkcs11-helper packages from
pkcs11-helper-1.25.1 to pkcs11-helper-devel-1.26.0.

# openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn
[...]
Thu Aug 13 10:32:36 2020 VERIFY OK: depth=1, CN=Test CA
Thu Aug 13 10:32:36 2020 VERIFY KU OK
Thu Aug 13 10:32:36 2020 Validating certificate extended key usage
Thu Aug 13 10:32:36 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 13 10:32:36 2020 VERIFY EKU OK
Thu Aug 13 10:32:36 2020 VERIFY OK: depth=0, CN=host1.example.com
Enter user1 token Password: (press TAB for no echo)

There is a problem with inconsistent padding between OpenSSL 1.1.1 and
pkcs11-helper-1.25.1. The details are described here:
http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for-openvpn-td76415.html

The pkcs11-helper-devel-1.26.0 Changelog contains this line:
- openssl: support RSA_NO_PADDING padding, thanks to Selva Nair
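The padding mismatch described above, as an added illustration (this is constructed example code, not pkcs11-helper's or OpenSSL's own source). A fake token supports the two PKCS#11 RSA mechanisms relevant here (the names CKM_RSA_PKCS and CKM_RSA_X_509 are taken from the PKCS#11 standard; the token applies PKCS#1 v1.5 padding itself in the first, and does raw RSA on a caller-padded block in the second). Two versions of the glue that maps an OpenSSL padding-mode flag onto a mechanism are modelled: one that only knows RSA_PKCS1_PADDING, and one that also maps RSA_NO_PADDING to the raw mechanism. The caller models OpenSSL 1.1.1's CertificateVerify path, where the library pads the block first and then hands it down with RSA_NO_PADDING; for TLS 1.3 the real encoding is RSA-PSS, and plain PKCS#1 v1.5 is used here only to keep the verifier short. The key size, seed, transcript and the error strings are all assumptions for the demo.

```python
"""Toy model of the pkcs11-helper / OpenSSL 1.1.1 padding-mode mismatch.

Constructed example, not pkcs11-helper or OpenSSL code. The fake token holds
the private exponent; the glue functions model the two behaviours of the
RSA_METHOD "private encrypt" callback that an OpenSSL engine must provide.
"""
import hashlib
import random

# OpenSSL padding-mode constants (values as in <openssl/rsa.h>)
RSA_PKCS1_PADDING = 1
RSA_NO_PADDING = 3

# SHA-256 DigestInfo prefix (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

_rng = random.Random(2020)  # fixed seed: the toy key is reproducible (assumption)


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin, adequate for a throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_toy_key(bits=512):
    """Returns (n, e, d). 512-bit keys keep pure-Python keygen fast; demo only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_pad(t, k):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || t, k bytes long."""
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


class Token:
    """Fake smart card. Only the token ever uses the private exponent d."""

    def __init__(self, n, e, d):
        self.n, self.e, self.d = n, e, d
        self.k = (n.bit_length() + 7) // 8

    def sign(self, mechanism, data):
        if mechanism == "CKM_RSA_PKCS":        # token applies v1.5 padding itself
            em = pkcs1_v15_pad(data, self.k)
        elif mechanism == "CKM_RSA_X_509":     # raw RSA: caller already padded
            if len(data) != self.k or int.from_bytes(data, "big") >= self.n:
                raise ValueError("CKR_DATA_INVALID")
            em = data
        else:
            raise ValueError("CKR_MECHANISM_INVALID")
        return pow(int.from_bytes(em, "big"), self.d, self.n).to_bytes(self.k, "big")


def priv_enc_old(token, data, padding):
    """Glue modelled on the failing behaviour: only PKCS#1 v1.5 is mapped, so a
    pre-padded block arriving with RSA_NO_PADDING is rejected (the 'EVP lib' error)."""
    if padding == RSA_PKCS1_PADDING:
        return token.sign("CKM_RSA_PKCS", data)
    raise ValueError("unsupported padding mode")


def priv_enc_new(token, data, padding):
    """Glue modelled on the fixed behaviour: RSA_NO_PADDING maps to raw RSA."""
    if padding == RSA_PKCS1_PADDING:
        return token.sign("CKM_RSA_PKCS", data)
    if padding == RSA_NO_PADDING:
        return token.sign("CKM_RSA_X_509", data)
    raise ValueError("unsupported padding mode")


def tls_cert_verify_sign(priv_enc, token, transcript):
    """OpenSSL 1.1.1-style caller: pad first, then call down with RSA_NO_PADDING.
    (Real TLS 1.3 uses RSA-PSS here; v1.5 is used to keep verify() short.)"""
    em = pkcs1_v15_pad(SHA256_DIGESTINFO + hashlib.sha256(transcript).digest(), token.k)
    return priv_enc(token, em, RSA_NO_PADDING)


def verify(n, e, k, transcript, sig):
    em = pkcs1_v15_pad(SHA256_DIGESTINFO + hashlib.sha256(transcript).digest(), k)
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == em


def run_demo():
    """Signs one constructed CertificateVerify with each glue version and returns
    {'old': outcome, 'new': outcome}, where outcome is 'ok' or the error text."""
    n, e, d = gen_toy_key()
    token = Token(n, e, d)
    transcript = b"constructed TLS handshake transcript"   # sample input, constructed
    results = {}
    for name, glue in (("old", priv_enc_old), ("new", priv_enc_new)):
        try:
            sig = tls_cert_verify_sign(glue, token, transcript)
            results[name] = "ok" if verify(n, e, token.k, transcript, sig) else "bad signature"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(run_demo())   # expected: {'old': 'unsupported padding mode', 'new': 'ok'}
```

The point the model makes is about the contract between the two layers: a padding-mode flag tells the engine who has already padded, so an engine that only maps RSA_PKCS1_PADDING works for the older TLS code paths (where the library passes the DigestInfo and lets the token pad) but fails the moment the library does the padding itself and asks for raw RSA, which is exactly the OpenSSL 1.1.1 handshake in the first log above.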
