[Bug 1208400] New: nm-openvpn fails to connect to an existing VPN after recent update
https://bugzilla.suse.com/show_bug.cgi?id=1208400

Bug ID: 1208400
Summary: nm-openvpn fails to connect to an existing VPN after recent update
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
Assignee: screening-team-bugs@suse.de
Reporter: miguel@rozsas.eng.br
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 864945
--> https://bugzilla.suse.com/attachment.cgi?id=864945&action=edit
output of "/usr/libexec/nm-openvpn-service --debug"

After updating openSUSE TW to 20230214, an existing OpenVPN connection fails to connect where it was working before. The attached file was created by following the guideline here:
https://wiki.gnome.org/Projects/NetworkManager/Debugging#Debugging_NetworkMa...

Other VPN setups are working fine; just this one is failing.

The affected VPN server is out of my control. It is a corporate VPN from the company I work for. The Windows OpenVPN client, in its latest release, is still working fine with this particular VPN. The problem is that my work is done on Linux, not Windows.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208400#c1

--- Comment #1 from Miguel Rozsas <miguel@rozsas.eng.br> ---
I think it is related to the openssl-3-3.0.7-3.1.x86_64 package that replaced the old package openssl-1_1-1.1.1t-1.1.x86_64.

On a computer not updated, openssl-1_1-1.1.1t-1.1.x86_64:

    cat /path/to/certificate/file.p12 | openssl pkcs12 -info
    Enter Import Password:
    MAC: sha1, Iteration 2048
    MAC length: 20, salt length: 8
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    ...

On a computer updated, openssl-3-3.0.7-3.1.x86_64:

    cat /path/to/certificate/file.p12 | openssl pkcs12 -info
    Enter Import Password:
    MAC: sha1, Iteration 2048
    MAC length: 20, salt length: 8
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Error outputting keys and certificates
    404794E1E17F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

On an updated system, both packages co-exist, but the older one has its binary renamed from /usr/bin/openssl to /usr/bin/openssl-1_1 (and the current /usr/bin/openssl belongs to openssl-3-3.0.7-3.1.x86_64).

I don't know if this helps.
https://bugzilla.suse.com/show_bug.cgi?id=1208400#c2

--- Comment #2 from Miguel Rozsas <miguel@rozsas.eng.br> ---
I've followed this gist https://gist.github.com/shaoran/1db4ed8bba8bc054cd31e2ea05a668d1 and added the line

    tls-cipher=DEFAULT:@SECLEVEL=0

to the [vpn] section of the /etc/NetworkManager/system-connections/FWUNSP-UDP4-1748-miguel-config-seclevel0.nmconnection file, but no luck, no VPN connection.
https://bugzilla.suse.com/show_bug.cgi?id=1208400

Chenzi Cao <chcao@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vcizek@suse.com
           Assignee|screening-team-bugs@suse.de |songchuan.kang@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1208400#c3

Jonathan Kang <songchuan.kang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|songchuan.kang@suse.com     |pmonrealgonzalez@suse.com

--- Comment #3 from Jonathan Kang <songchuan.kang@suse.com> ---
Hi Pedro,

This seems to be an openssl issue. Can you take a look at this if you have some time? Thanks.
https://bugzilla.suse.com/show_bug.cgi?id=1208400#c4

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com,
                   |                            |pmonrealgonzalez@suse.com
           Assignee|pmonrealgonzalez@suse.com   |otto.hollmann@suse.com

--- Comment #4 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Hi, certificates signed using SHA1 are no longer allowed at security level 1 and above in openssl-3, so it's failing as expected. You may want to re-create them and use the default SHA256 for signing.

Note that there is an ongoing issue open upstream to add a configure option to enable SHA1, but it's not yet implemented in the 3.0 version series or in 3.1, which is planned to be released today, see:
* https://github.com/openssl/openssl/issues/17662

There is also a downstream working patch in Fedora that adds this:
* https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selecti...

I think we can explore this option. I'm assigning the bug to Otto and adding Marcus in CC.
https://bugzilla.suse.com/show_bug.cgi?id=1208400#c5

--- Comment #5 from Miguel Rozsas <miguel@rozsas.eng.br> ---
Thank you for your time to clarify that it is an issue with openssl-3 that makes sha1 obsolete/invalid/whatever.

I was interested in what you suggested: "You may want to re-create them and use the default SHA256 for signing."

You mean there is a way to convert the current "/path/to/certificate/file.p12", which was given to me by the company I work for, into another file which is openssl-3 compatible, to use with nm-openvpn? If so, please, can you help me with this? I have zero knowledge of certificates, I just use them...
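Editor's added example (not part of the bug thread, and not SUSE or OpenSSL code): the two different failures the thread is circling, an RC2-40 PBE that OpenSSL 3 only serves from the legacy provider (comment #1) and a SHA-1 certificate signature that security level 1 rejects (comment #4), can be told apart by reading the algorithm identifiers out of the .p12 before trying to load it. The script below is a minimal DER walker that collects every OID in a PKCS#12 blob and flags the ones that matter under OpenSSL 3. The OIDs are the real PKCS#12 / PKCS#1 / PKCS#5 registry values; the two sample PFX skeletons are constructed here with placeholder ciphertext and MAC bytes, so they reproduce the algorithm identifiers of the file described in the bug but are not loadable PKCS#12 files.

```python
"""Audit a PKCS#12 (.p12/.pfx) DER blob for algorithm OIDs that OpenSSL 3 moved to the
legacy provider or rejects at security level 1 and above. Pure Python, no OpenSSL needed."""
import sys

# Real OIDs (PKCS#12 RFC 7292, PKCS#1, OIW) and the consequence each has under OpenSSL 3.
OID_NOTES = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4", "RC4: legacy provider required"),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHA1And40BitRC4", "RC4: legacy provider required"),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", "RC2: legacy provider required"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "RC2: legacy provider required"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1 signature: rejected at seclevel >= 1"),
    "1.3.14.3.2.26": ("sha1", "SHA-1 digest: accepted as PKCS#12 MAC, not in signatures"),
}

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not used in PKCS#12")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def _decode_oid(body):
    """Base-128 OID decoding: bytes 2b 0e 03 02 1a become '1.3.14.3.2.26'."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """Every OID in document order, descending into DER nested inside OCTET STRINGs
    (PKCS#12 wraps the AuthenticatedSafe and each SafeContents that way)."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(_decode_oid(body))
        elif tag & 0x20:                            # constructed: SEQUENCE, SET, [n] EXPLICIT
            oids.extend(collect_oids(body))
        elif tag == 0x04 and body[:1] == b"\x30":   # OCTET STRING that wraps a SEQUENCE
            try:
                oids.extend(collect_oids(body))
            except ValueError:
                pass                                # opaque bytes that merely start with 0x30
    return oids

def audit_pkcs12(buf):
    """Flagged OID -> (algorithm name, consequence). Empty dict: nothing legacy found."""
    return {oid: OID_NOTES[oid] for oid in collect_oids(buf) if oid in OID_NOTES}

def needs_legacy_provider(buf):
    """True when OpenSSL 3 cannot decrypt the bags without 'openssl pkcs12 -legacy'."""
    return any("legacy provider" in why for _, why in audit_pkcs12(buf).values())

# --- tiny DER encoder, used only to build the constructed sample files below ---------------
def _der(tag, *parts):
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def _int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _sample_pfx(pbe_alg_id, mac_digest_oid):
    """PFX skeleton: version 3, one EncryptedData under the given PBE, MacData with the given
    digest. Ciphertext/MAC are placeholder bytes (constructed), so this is NOT loadable."""
    enc_content = _der(0x30, _oid("1.2.840.113549.1.7.1"), pbe_alg_id, _der(0x80, b"\xEE" * 16))
    encrypted_data = _der(0x30, _oid("1.2.840.113549.1.7.6"),
                          _der(0xA0, _der(0x30, _int(0), enc_content)))
    auth_safe = _der(0x30, _oid("1.2.840.113549.1.7.1"),
                     _der(0xA0, _der(0x04, _der(0x30, encrypted_data))))
    mac_data = _der(0x30, _der(0x30, _der(0x30, _oid(mac_digest_oid), _der(0x05)),
                               _der(0x04, b"\xAA" * 20)), _der(0x04, b"\x01" * 8), _int(2048))
    return _der(0x30, _int(3), auth_safe, mac_data)

def sample_legacy_pfx():
    """Constructed stand-in for what 'openssl pkcs12 -info' printed in this bug:
    pbeWithSHA1And40BitRC2-CBC, iteration 2048, SHA-1 MAC."""
    pbe = _der(0x30, _oid("1.2.840.113549.1.12.1.6"), _der(0x30, _der(0x04, b"\x01" * 8), _int(2048)))
    return _sample_pfx(pbe, "1.3.14.3.2.26")

def sample_modern_pfx():
    """Constructed stand-in for a re-exported file: PBES2 (PBKDF2-HMAC-SHA256 + AES-256-CBC)
    and a SHA-256 MAC, the kind of parameters OpenSSL 3's 'pkcs12 -export' uses by default."""
    kdf = _der(0x30, _oid("1.2.840.113549.1.5.12"), _der(0x30, _der(0x04, b"\x01" * 8), _int(2048),
               _der(0x30, _oid("1.2.840.113549.2.9"), _der(0x05))))
    cipher = _der(0x30, _oid("2.16.840.1.101.3.4.1.42"), _der(0x04, b"\x02" * 16))
    return _sample_pfx(_der(0x30, _oid("1.2.840.113549.1.5.13"), _der(0x30, kdf, cipher)),
                       "2.16.840.1.101.3.4.2.1")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_legacy_pfx()
    for oid, (name, why) in audit_pkcs12(data).items():
        print(f"{oid:28s} {name:30s} {why}")
    print("needs 'openssl pkcs12 -legacy':", needs_legacy_provider(data))
```

Run it with a real .p12 path as the first argument; with no argument it audits the constructed legacy skeleton. The distinction it makes is the one comment #5 asks about: an RC2-40 bag is a packaging problem, and the same key and certificates can be re-exported with modern PBE parameters (OpenSSL 3 reads the old file when `openssl pkcs12 -legacy` is given, and `-export` writes AES-256-CBC/SHA-256 by default), after which `needs_legacy_provider` returns False. A sha1WithRSAEncryption OID on the certificate itself is not something re-packing can change, because the signature was made by the issuing CA; that is the case comment #4 describes, and it is why the reporter needed the CA, not the file, to be re-done.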
https://bugzilla.suse.com/show_bug.cgi?id=1208400#c6

--- Comment #6 from Miguel Rozsas <miguel@rozsas.eng.br> ---
I just want to add to this how inconvenient such a change was; at the same time I want to make clear that I understand it was a needed change, as SHA1 is insecure nowadays. It is not a rant!

I don't have control over the generation of the certificate; it was generated by the company I work for, and they cannot change it either, as they use an appliance for which there are no updates yet in this regard.

To be able to work for them I had to set up a Win11 VM on my Linux box, and on that virtual Windows I run OpenVPN with the certificate that they provide. Then I can open ssh sessions to machines inside their network. It works, but far from ideal. There is an extra layer, as you can see.

So a workaround, as mentioned, is needed to preserve backward compatibility.