Mio Vlahović wrote on 08-08-2017 22:02:
On 08.08.2017 21:47, David Sommerseth wrote:
On 08/08/17 21:28, Mio Vlahović wrote:
On 08.08.2017 21:13, David Sommerseth wrote:
On 08/08/17 20:34, Leonardo Rodrigues wrote:
You very likely created your certificates with MD5 hashing, which was disabled on newer OpenSSL versions of CentOS.
Try:
export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1
before starting your OpenVPN daemon and watch if that makes clients connect again ...
DON'T DO THAT.
MD5 based certificates are broken. If you still use them, upgrade them NOW. And this knowledge about the brokenness dates back to 2005.
<http://eprint.iacr.org/2005/067.pdf>
<http://eprint.iacr.org/2005/102.pdf>
Anyone using MD5 who re-enables it in the SSL libraries will put their VPN's security at risk.
No worries, I don't use MD5, but disabling crl_verify as suggested did the trick. Now I still have the issue with generating new certificates.
I will quote myself again:
"One update... I can no longer generate new certificates. It seems that the whichopensslcnf script can't find openssl.cnf (which is there in the same directory...)
[root@vpn 2.0]# pwd
/etc/openvpn/easy-rsa/2.0
[root@vpn 2.0]# ls -la
drwx------. 3 nobody nobody 4096 Aug 8 20:25 .
drwx------. 3 nobody nobody 33 Feb 6 2016 ..
-rwx------. 1 nobody nobody 119 Feb 6 2016 build-ca
-rwx------. 1 nobody nobody 352 Feb 6 2016 build-dh
-rwx------. 1 nobody nobody 188 Feb 6 2016 build-inter
-rwx------. 1 nobody nobody 163 Feb 6 2016 build-key
-rwx------. 1 nobody nobody 157 Feb 6 2016 build-key-pass
-rwx------. 1 nobody nobody 249 Feb 6 2016 build-key-pkcs12
-rwx------. 1 nobody nobody 268 Feb 6 2016 build-key-server
-rwx------. 1 nobody nobody 213 Feb 6 2016 build-req
-rwx------. 1 nobody nobody 158 Feb 6 2016 build-req-pass
-rwx------. 1 nobody nobody 449 Feb 6 2016 clean-all
-rwx------. 1 nobody nobody 424 Feb 6 2016 dh2048.pem
-rwx------. 1 nobody nobody 1471 Feb 6 2016 inherit-inter
drwx------ 2 nobody nobody 36864 Jul 26 15:07 keys
-rwx------. 1 nobody nobody 302 Feb 6 2016 list-crl
-rwx------. 1 nobody nobody 7791 Feb 6 2016 openssl-0.9.6.cnf
-rwx------. 1 nobody nobody 8348 Feb 6 2016 openssl-0.9.8.cnf
-rwx------ 1 nobody nobody 8247 Aug 8 18:37 openssl-1.0.0.cnf
-rwx------ 1 nobody nobody 8247 Aug 8 19:14 openssl.cnf
-rwx------. 1 nobody nobody 12966 Feb 6 2016 pkitool
-rwx------. 1 nobody nobody 928 Feb 6 2016 revoke-full
-rwx------. 1 nobody nobody 178 Feb 6 2016 sign-req
-rwx------ 1 nobody nobody 2138 Aug 8 20:25 vars
-rwx------. 1 nobody nobody 740 Feb 6 2016 whichopensslcnf
[root@vpn 2.0]# ./build-key xxx
grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf
/etc/openvpn/easy-rsa/2.0: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
/etc/openvpn/easy-rsa/2.0
The correct version should have a comment that says: easy-rsa version 2.x"
Did you remember to source the ./vars file first?
$ . ./vars
(yes, a single dot and then ./vars)
Yes I did, same result... any other hints?
Add the comment it says it needs to have.
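As an added example, not code from this thread and not part of easy-rsa or OpenVPN, here is a POSIX shell script that performs the checks the messages above talk about. cert_sig_alg tells you whether an existing certificate is MD5-signed (the situation Leonardo guessed at and David warned about) without re-enabling MD5 anywhere; check_key_config performs the test that pkitool's error text describes, and additionally flags a KEY_CONFIG value that spans two lines, which is what the error above shows (the path to openssl.cnf followed by the directory on a second line); add_easyrsa_marker inserts the comment the last reply says to add; verify_with_crl runs on the command line the check a server stops performing once crl_verify is removed, so revocation can be kept on while the CRL problem is diagnosed. Function names, the demo's temporary files, and the per-function return codes are my own choices; the marker string "easy-rsa version 2.x" is quoted from the pkitool message.

```shell
#!/bin/sh
# Added example for the thread above; not code from easy-rsa or OpenVPN.
# Assumptions: function names and return codes are the author's of this
# example; the marker string is taken verbatim from pkitool's error message.

MARKER='easy-rsa version 2.x'

# cert_sig_alg CERT.crt
# Prints the certificate's signature algorithm (e.g. sha256WithRSAEncryption).
# Returns 1 if it is MD5-based, 2 if the file does not parse, 0 otherwise.
cert_sig_alg() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | awk '/Signature Algorithm/ { print $3; exit }')
    [ -n "$alg" ] || { echo "$1: not a parseable certificate" >&2; return 2; }
    echo "$alg"
    case $alg in
        md5*|MD5*) return 1 ;;
    esac
    return 0
}

# check_key_config VALUE
# The checks implied by pkitool's error text: VALUE must be a single line,
# name a readable file, and that file must carry the marker comment.
check_key_config() {
    cfg=$1
    nl='
'
    case $cfg in
        *"$nl"*)
            echo "KEY_CONFIG spans more than one line (two paths instead of one file?):" >&2
            printf '  %s\n' "$cfg" >&2
            return 2 ;;
    esac
    [ -r "$cfg" ] || { echo "KEY_CONFIG is not a readable file: $cfg" >&2; return 3; }
    grep -q "$MARKER" "$cfg" || { echo "$cfg lacks the comment '$MARKER'" >&2; return 4; }
    return 0
}

# add_easyrsa_marker FILE
# Prepends "# easy-rsa version 2.x" unless the file already contains it.
add_easyrsa_marker() {
    grep -q "$MARKER" "$1" && return 0
    tmp="$1.tmp.$$"
    { printf '# %s\n' "$MARKER"; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
}

# verify_with_crl CA.crt CRL.pem CLIENT.crt
# The check crl_verify makes the server perform: a revoked client is rejected,
# and a CRL whose nextUpdate has passed fails with "CRL has expired".
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3"
}

# Demo on a constructed openssl.cnf (no real PKI is needed for these checks).
demo() {
    d=$(mktemp -d) || return 1
    printf '[ ca ]\ndefault_ca = CA_default\n' > "$d/openssl.cnf"
    if check_key_config "$d/openssl.cnf"; then :; else echo "rc=$?"; fi   # rc=4, marker missing
    if check_key_config "$d/openssl.cnf
$d"; then :; else echo "rc=$?"; fi                                          # rc=2, two lines
    add_easyrsa_marker "$d/openssl.cnf"
    if check_key_config "$d/openssl.cnf"; then echo "KEY_CONFIG=$d/openssl.cnf OK"; fi
    rm -rf "$d"
}
demo
```

Run it from the easy-rsa directory after sourcing ./vars and pass "$KEY_CONFIG" to check_key_config; a multi-line value points at whatever fills KEY_CONFIG in vars (the whichopensslcnf call) rather than at openssl.cnf itself. For the MD5 check, loop cert_sig_alg over keys/*.crt; any non-zero return is a certificate to reissue, not a reason to export the MD5 override variables.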
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users