[Bug 662577] New: nm-applet's openvpn key-selection file-dialog fails to display any files -- just blank
https://bugzilla.novell.com/show_bug.cgi?id=662577
https://bugzilla.novell.com/show_bug.cgi?id=662577#c0

Summary: nm-applet's openvpn key-selection file-dialog fails to display any files -- just blank
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: GNOME
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: pgngw+dev001+novell.com@f-m.fm
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101203 SUSE/3.6.13-3.1 Firefox/3.6.13

i have NetworkManager-gnome (nm-applet) installed on openSUSE 11.3+KDE (kr45).

creating & using connections to Wired & Wireless work ok.

now, trying to set up an openvpn connection.

when i nav to the *.key-containing folder in the nm-applet openvpn key-selection dialog, it simply is empty. no files are displayed or selectable.

(screenshot -> http://bit.ly/hdhay9)

checking, the files *are* there,

  ~/Documents/security/openvpn > ls -al
  total 32
  drwxr-xr-x 2 dev001 users 4096 2011-01-05 07:29 ./
  drwxr-xr-x 3 dev001 users 4096 2011-01-05 09:00 ../
  -rw-r--r-- 1 dev001 users 1923 2011-01-05 07:29 ca.crt
  -rw-r--r-- 1 dev001 users  424 2011-01-05 07:29 dh2048.pem
  -rw-r--r-- 1 dev001 users 5792 2011-01-05 07:29 dev001.client.openvpn.crt
  -rw------- 1 dev001 users 1704 2011-01-05 07:29 dev001.client.openvpn.key

i have been, so far, unable to figure out how to add the key @ the nm-applet to create a connection.

permissions issue? or a bug?
fyi,

  lsb_release -a
  LSB Version:    n/a
  Distributor ID: SUSE LINUX
  Description:    openSUSE 11.3 (x86_64)
  Release:        11.3
  Codename:       n/a

  uname -a
  Linux dev001.desk 2.6.34.7-0.7-desktop #1 SMP PREEMPT 2010-12-13 11:13:53 +0100 x86_64 x86_64 x86_64 GNU/Linux

  rpm -qa | grep -i NetworkManager
  NetworkManager-doc-0.8-8.2.1.x86_64
  NetworkManager-openvpn-0.8-3.1.x86_64
  NetworkManager-0.8-8.2.1.x86_64
  NetworkManager-pptp-0.8-3.1.x86_64
  NetworkManager-vpnc-gnome-0.8-3.1.x86_64
  NetworkManager-vpnc-0.8-3.1.x86_64
  NetworkManager-glib-0.8-8.2.1.x86_64
  NetworkManager-openvpn-gnome-0.8-3.1.x86_64
  NetworkManager-gnome-0.8-5.1.x86_64
  NetworkManager-pptp-gnome-0.8-3.1.x86_64
  NetworkManager-devel-0.8-8.2.1.x86_64

and,

  rpm -qa | grep -i kdebase4-4
  kdebase4-4.5.4-2.8.x86_64

from kr45 (d.o.o/repositories/KDE:/Release:/45/openSUSE_11.3).

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c1

--- Comment #1 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-06 16:28:36 UTC ---

in chat w/ 'DimStar' @ #opensuse-gnome, checked on,

  openSUSE Factory GNOME
  NetworkManager-0.8.2-90.2.x86_64

  -- created a Test.key and a Test.pem in ~
  -- browsed with the (nm-applet openvpn) file dialog there

result:

  "and indeed: it shows only folders, no files ... it does see *.p12 files though"

also verified that the file-type selector in the dialog says:

  PEM or PKCS#12 (*.pem, *.crt, *.key, *.cer, *.p12)

again, "a .p12 is seen"

https://bugzilla.novell.com/show_bug.cgi?id=662577#c2

dev001x _ <pgngw+dev001+novell.com@f-m.fm> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|GNOME                       |GNOME
            Version|Final                       |Factory
            Product|openSUSE 11.3               |openSUSE 11.4
   Target Milestone|---                         |Factory

--- Comment #2 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-06 16:45:31 UTC ---

given this chat,

  [08:31] <dev001> if we've reported a bug @ version 11.3, then verified it appears for Factory too, what's the general advice @bug -- _leave_ at 11.3, or switch to 11.4? apparently, can't have "all/multiple versions" ...
  [08:32] <cb400f> I'd say move to 11.4
  [08:32] <cb400f> only major buggers will be fixed for 11.3 after release.. and after release of 11.4 it has to be realllllyy major to get fixed in 11.3
  [08:33] <dev001> cb400f: fair point. i admit i usually have a different view of "major" -- namely, if it's getting in the way of getting production work done. and that's usually on the production/release version -- 11.3.

moving to Product=11.4, and requesting that any fix be backported to 11.3 (for us, this is a 'production' system issue. i.e., @ 11.3)

thx.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c3

--- Comment #3 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-06 16:57:08 UTC ---

noting on 11.3, as above, in the openvpn static key dialog, the drop-down file type selector has _only_one_ option:

  "OpenVPN Static Keys (*.key)"

so, even creating a .p12 doesn't help -- it's not viewable.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c4

--- Comment #4 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-06 17:41:53 UTC ---

and ... updating to

  NetworkManager-0.8.2-90.2.x86_64

on 11.3, from,

  http://download.opensuse.org/repositories/GNOME:/Factory/openSUSE_11.3

doesn't improve/change the situation. still no files seen, and only *.key available as a selector option.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c5

dev001x _ <pgngw+dev001+novell.com@f-m.fm> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |wstephenson@novell.com

--- Comment #5 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-08 00:56:40 UTC ---

it was suggested that i triage myself -- so, giving that a shot, tho, not at all sure which is the right person.

that said -- Bille, could you pls fwd if not appropriate for you?

thx.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c6

Will Stephenson <wstephenson@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |wstephenson@novell.com
       InfoProvider|wstephenson@novell.com      |

--- Comment #6 from Will Stephenson <wstephenson@novell.com> 2011-01-10 16:49:39 UTC ---

Least I can do :). I suggest asking (patiently) in #nm on freenode. There are a number of informed NM devs there.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c

dev001x _ <pgngw+dev001+novell.com@f-m.fm> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.gnome.org/
                   |                            |show_bug.cgi?id=639191

https://bugzilla.novell.com/show_bug.cgi?id=662577#c7

Jiří Klimeš <jklimes@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jklimes@redhat.com

--- Comment #7 from Jiří Klimeš <jklimes@redhat.com> 2011-01-11 08:22:21 UTC ---

dev001x_, how did you create the static key file?

Looking into the code of network-manager-openvpn reveals that there are some checks performed to ensure that displayed files are really Static Keys.

The checks are:
- .key extension
- file size is >=400 and < 1024
- it contains "-----BEGIN OpenVPN Static key V1-----"

If those conditions are not met, files are not displayed.

Running 'openvpn --genkey --secret static.key' creates valid file and it is displayed:

  #
  # 2048 bit OpenVPN static key
  #
  -----BEGIN OpenVPN Static key V1-----
  37ffa0eec37d39edf8a79097a86bffa3
  dc975e7a93a3d5837bb8dbfecdfe1d6b
  9d95dfdd1f198e13669f9a38619da4fc
  7458edab0a32eb7d1fd561a1cb828523
  aaed099985ce0f3ffe3adee181540770
  8033b76c0cf63e3dd08b68f117245d62
  600fa631d56486fe24eac33c8a34fceb
  fbce5dfd884ae4f76bb39597239ff0f6
  12db47b8edcb7d404b1e41ff4a5d4f46
  9d46cc67fad1084257ace8c4be255d15
  fa0dae926eeac0714bc5d9f4ec5a8423
  42231635174ab37f2cc35c6ca9c5711a
  9b6a57b1a53501f97d00c9e5764484b8
  318822fa692dd2915a9a11d7d4659103
  1d6a702d06296bc2ef048a5aa8e1d018
  4e97db861e3f022a669c3f95e130bb82
  -----END OpenVPN Static key V1-----

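
The three static-key checks listed in comment #7, written out as a small diagnostic that reports which check hides a file. This is an added example, not part of the bug thread and not the network-manager-openvpn source; the names check_static_key, write_sample and the sk_result codes are hypothetical, and the sample files are constructed.

```c
/* Added illustration of the checks described in comment #7 (not project code). */
#include <stdio.h>
#include <string.h>

#define SK_MARKER "-----BEGIN OpenVPN Static key V1-----"

enum sk_result { SK_OK, SK_BAD_EXT, SK_UNREADABLE, SK_BAD_SIZE, SK_NO_MARKER };

/* Returns SK_OK if the file passes all three checks, else the first failure. */
enum sk_result check_static_key(const char *path)
{
    char buf[1024];
    size_t len = strlen(path), n;
    FILE *f;

    if (len < 4 || strcmp(path + len - 4, ".key") != 0)
        return SK_BAD_EXT;                 /* check 1: .key extension */
    if ((f = fopen(path, "rb")) == NULL)
        return SK_UNREADABLE;
    n = fread(buf, 1, sizeof buf, f);      /* a full 1024-byte read means too big */
    fclose(f);
    if (n < 400 || n >= 1024)
        return SK_BAD_SIZE;                /* check 2: 400 <= size < 1024 */
    buf[n] = '\0';                         /* safe: n <= 1023 here */
    return strstr(buf, SK_MARKER) ? SK_OK : SK_NO_MARKER;   /* check 3 */
}

/* Writes a constructed sample: one header line plus `lines` rows of hex zeros. */
int write_sample(const char *path, const char *header, int lines)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fprintf(f, "%s\n", header);
    while (lines-- > 0)
        fputs("00000000000000000000000000000000\n", f);
    return fclose(f);
}

int main(void)
{
    static const char *why[] = { "shown", "hidden: extension", "hidden: unreadable",
                                 "hidden: size", "hidden: marker" };
    write_sample("demo_static.key", SK_MARKER, 16);                   /* size in range */
    write_sample("demo_pkcs8.key", "-----BEGIN PRIVATE KEY-----", 50); /* over 1024 */
    printf("demo_static.key -> %s\n", why[check_static_key("demo_static.key")]);
    printf("demo_pkcs8.key  -> %s\n", why[check_static_key("demo_pkcs8.key")]);
    remove("demo_static.key");
    remove("demo_pkcs8.key");
    return 0;
}
```
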
https://bugzilla.novell.com/show_bug.cgi?id=662577#c8

--- Comment #8 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-11 14:33:39 UTC ---

hi Jiří,

(In reply to comment #7)
> dev001x_, how did you create the static key file?
> ..
> Running 'openvpn --genkey --secret static.key' creates valid file and it is displayed:

to generate keys, i followed directions at (any of ...):

  openvpn.net/easyrsa.html
  http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-...
  http://blogs.techrepublic.com.com/opensource/?p=1873

e.g.,

  cd /usr/local/openvpn/easy-rsa/2.0
  sh build-key-server test

where,

  cat build-key-server
  ...
  export EASY_RSA="${EASY_RSA:-.}"
  "$EASY_RSA/pkitool" --interact --server $*

then, per your suggestion,

  openvpn --genkey --secret static.key

so that,

  cd keys/
  ls -al
  total 48
  drwxr-xr-x   2 root root  4096 2011-01-11 06:08 ./
  drwxr-xr-x 162 root root 16384 2011-01-10 17:54 ../
  -rw-r--r--   1 root root  1923 2011-01-04 22:27 ca.crt
  -rw-r--r--   1 root root   312 2010-12-13 08:39 client.conf
  -rw-r--r--   1 root root  5792 2011-01-05 07:31 test.crt
  -rw-------   1 root root  1704 2011-01-05 07:31 test.key
  -rw-r--r--   1 root root   424 2011-01-05 07:05 dh2048.pem
  -rw-------   1 root root   636 2011-01-11 06:08 static.key

and,

  cat static.key
  #
  # 2048 bit OpenVPN static key
  #
  -----BEGIN OpenVPN Static key V1-----
  BKgwggSkAgEAAoIBAQC6WfJrzmZuymcD
  ...
  46c2d64c6d0ef9f44d9ea6a840c31207
  -----END OpenVPN Static key V1-----

  cat test.key
  -----BEGIN PRIVATE KEY-----
  MIIEvgIBADANBgkqhkiG9w0BAQEFAASC9c03dbdc1f5ea0aece379fc17e1a40e6
  ..
  8/xx2QD0PLa87i2nfshOmfn2
  -----END PRIVATE KEY-----

now, in the NetworkManager OpenVPN dialog,

case (1):
  Type: Certificates (TLS)
  Display: Choose your personal certificate ...
  Selector: PEM certificates (*.pem, *.crt, *.key, *.cer)
    ca.crt
    test.crt

case (2):
  Type: Certificates (TLS)
  Display: Choose a Certificate Authority Certificate ...
  Selector: PEM certificates (*.pem, *.crt, *.key, *.cer)
    ca.crt
    test.crt

case (3):
  Type: Certificates (TLS)
  Display: Choose your private key ...
  Selector: PEM certificates (*.pem, *.crt, *.key, *.cer)
    ca.crt
    test.crt

case (4):
  Type: Static Key
  Display: Choose an OpenVPN Static Key ...
  Selector: OpenVPN Static Keys (*.key)
    (empty)

i.e., i'm still not seeing the *key in any case ...

https://bugzilla.novell.com/show_bug.cgi?id=662577#c9

dev001x _ <pgngw+dev001+novell.com@f-m.fm> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-gnome@forge.provo. |vuntz@novell.com
                   |novell.com                  |

--- Comment #9 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-11 18:42:17 UTC ---

seems the problem is with checks for key encryption and headers ...

after a lengthy/helpful chat with <dcbw> in #nm, a fix was pushed to nm upstream:

  https://bugzilla.gnome.org/show_bug.cgi?id=639191#c1

  "most if it's already there with 0.8.1, but we also need this patch to show unencrypted keys in the file chooser:

  46d13ca03e5d48eecc333a5c23fc16eddee70615 (master)
  6dd966d8a2e97cf2314eb5cd052055526135024c (0.8.x)"

if we can now get that 0.8.x fix applied to openSUSE's nm packages, and made available in either openSUSE:11.3/standard &/or GNOME:Factory/openSUSE_11.3, that'd be great.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c10

--- Comment #10 from dev001x _ <pgngw+dev001+novell.com@f-m.fm> 2011-01-12 01:20:31 UTC ---

atm, prior to the 'fix', there's a compromise/workaround ...

encrypt the easy-rsa-generated, unencrypted openvpn keys to a form that *does* pass the current code's key-validity checks -- i.e., so that the key's encrypted, and its headers start:

  " -----BEGIN RSA PRIVATE KEY----- "

to do that, rather than following the current advice @ http://www.openssl.org/docs/apps/rsa.html,

  " ... newer apps should use the more secure PKCS#8 format using pkcs8 util .."

i.e.,

  openssl pkcs8 -in unencrypted.key -out encrypted.key -topk8 -v1 PBE-SHA1-3DES

instead, encrypt the unencrypted key to RSA (e.g.),

  openssl rsa -in unencrypted.key -out encrypted.key -aes256

with this done, the _current_ nm-applet's nm-openvpn file-chooser can "see" the ca.crt, the client.crt AND the _encrypted_ key.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c11

Vincent Untz <vuntz@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|nm-applet's openvpn         |JJ: nm-applet's openvpn
                   |key-selection file-dialog   |key-selection file-dialog
                   |fails to display any files  |fails to display any files
                   |-- just blank               |-- just blank

--- Comment #11 from Vincent Untz <vuntz@novell.com> 2011-01-12 14:00:15 UTC ---

There's a patch, so it should be rather easy to get the fix in G:F.

https://bugzilla.novell.com/show_bug.cgi?id=662577#c12

--- Comment #12 from Vincent Untz <vuntz@novell.com> 2011-01-12 15:16:37 UTC ---

Link to the patch:
http://git.gnome.org/browse/network-manager-openvpn/commit/?h=NM_0_8&id=6dd966d8a2e97cf2314eb5cd052055526135024c

https://bugzilla.novell.com/show_bug.cgi?id=662577#c13

Li Bin <bili@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bili@novell.com
         Resolution|                            |FIXED

--- Comment #13 from Li Bin <bili@novell.com> 2011-02-15 11:22:36 UTC ---

Done. I made a patch from upstream.
nm-openvpn-show-unencrypted-private-keys-files.patch

61235 State:new By:BinLi When:2011-02-15T12:21:47
  submit: home:BinLi:branches:GNOME:Factory/NetworkManager-openvpn -> GNOME:Factory
  Descr: show unencrypted private key files in file chooser dialog(bnc#662577)