https://bugzilla.suse.com/show_bug.cgi?id=1175219 Bug ID: 1175219 Summary: OpenVPN fails with certificates on smart cards on Leap 15.2 and TW Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: bjoernv@arcor.de QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- After upgrading from Leap 15.1 to Leap 15.2 working OpenVPN setups with PKCS11 certificates on Yubikeys are failing. The same applies to openSUSE Tumbleweed. Also other smart card devices may be affected. OpenVPN does not show many details, even with highest logging level. # openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn [...] Thu Aug 13 10:21:21 2020 VERIFY OK: depth=1, CN=Test CA Thu Aug 13 10:21:21 2020 VERIFY KU OK Thu Aug 13 10:21:21 2020 Validating certificate extended key usage Thu Aug 13 10:21:21 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Aug 13 10:21:21 2020 VERIFY EKU OK Thu Aug 13 10:21:21 2020 VERIFY OK: depth=0, CN=host1.example.com Thu Aug 13 10:21:21 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib Thu Aug 13 10:21:21 2020 TLS_ERROR: BIO read tls_read_plaintext error Thu Aug 13 10:21:21 2020 TLS Error: TLS object -> incoming plaintext read error Thu Aug 13 10:21:21 2020 TLS Error: TLS handshake failed Thu Aug 13 10:21:21 2020 Fatal TLS error (check_tls_errors_co), restarting Thu Aug 13 10:21:21 2020 SIGUSR1[soft,tls-error] received, process restarting Thu Aug 13 10:21:21 2020 Restart pause, 5 second(s) The bug can be resolved by upgrading the pkcs11-helper packages from pkcs11-helper-1.25.1 to pkcs11-helper-devel-1.26.0. # openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn [...] Thu Aug 13 10:32:36 2020 VERIFY OK: depth=1, CN=Test CA Thu Aug 13 10:32:36 2020 VERIFY KU OK Thu Aug 13 10:32:36 2020 Validating certificate extended key usage Thu Aug 13 10:32:36 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Aug 13 10:32:36 2020 VERIFY EKU OK Thu Aug 13 10:32:36 2020 VERIFY OK: depth=0, CN=host1.example.com Enter user1 token Password: (press TAB for no echo) There is a problem with inconsistent padding between OpenSSL 1.1.1 and pkcs11-helper-1.25.1. The details are described here: http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for-op... The pkcs11-helper-devel-1.26.0 Changelog contains this line: - openssl: support RSA_NO_PADDING padding, thanks to Selva Nair -- You are receiving this mail because: You are on the CC list for the bug.