Re: OpenVPN, OpenSSL and Fedora 26+

2017-05-01 Thread Rex Dieter
David Sommerseth wrote:

> This is actually just a very late heads-up about challenges with OpenVPN
> in Fedora 26.
> 
> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
> good step forward.  Unfortunately, that gives OpenVPN a real challenge.

Fyi, now that compat-openssl10-pkcs11-helper passed review,

https://bugzilla.redhat.com/show_bug.cgi?id=1445349

openvpn now has the option of using that, and essentially maintaining 
previous f25 behavior, if you wish.

-- Rex
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-28 Thread David Sommerseth
On 27/04/17 23:15, Pete Travis wrote:
> 
> 
> On Apr 27, 2017 3:13 PM, "David Sommerseth"  > wrote:
> 
> On 27/04/17 01:20, Dominik 'Rathann' Mierzejewski wrote:
> > Thanks a lot for the write-up, David. Can you make sure this ends up
> > in the release notes?
> 
> Sure ... I've never done that before, any pointers to how I can make
> that happen?
> 
> 
> --
> kind regards,
> 
> David Sommerseth
> 
> 
> File a PR or issue at https://pagure.io/release-notes and I'll follow up
> on it.  An issue would be best at the moment, there's a bit of prep work
> to do for the F26 branch.

Thanks a lot, Pete!

An issue has been created: https://pagure.io/release-notes/issue/36


-- 
kind regards,

David Sommerseth





Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-27 Thread Pete Travis
On Apr 27, 2017 3:13 PM, "David Sommerseth"  wrote:

> On 27/04/17 01:20, Dominik 'Rathann' Mierzejewski wrote:
>> On Wednesday, 26 April 2017 at 21:18, David Sommerseth wrote:
>>> On 26/04/17 17:08, Lee Howard wrote:
>>>> On 04/25/2017 01:39 PM, David Sommerseth wrote:
>>>>> This is actually just a very late heads-up about challenges with OpenVPN
>>>>> in Fedora 26.
>>>>>
>>>>> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
>>>>> good step forward.  Unfortunately, that gives OpenVPN a real challenge.
>>>>> The OpenSSL v1.1 support is not completed.  Patches have been sent to
>>>>> the upstream devel mailing list for review, but only half of them have
>>>>> been processed and applied so far.
>>>>>
>>>>> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
>>>>> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
>>>>> revealed several issues:
>>
>> Thanks a lot for the write-up, David. Can you make sure this ends up
>> in the release notes?
>
> Sure ... I've never done that before, any pointers to how I can make
> that happen?
>
>
> --
> kind regards,
>
> David Sommerseth


File a PR or issue at https://pagure.io/release-notes and I'll follow up on
it.  An issue would be best at the moment, there's a bit of prep work to do
for the F26 branch.

-- Pete


Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-27 Thread David Sommerseth
On 27/04/17 01:20, Dominik 'Rathann' Mierzejewski wrote:
> On Wednesday, 26 April 2017 at 21:18, David Sommerseth wrote:
>> On 26/04/17 17:08, Lee Howard wrote:
>>> On 04/25/2017 01:39 PM, David Sommerseth wrote:
>>>> This is actually just a very late heads-up about challenges with OpenVPN
>>>> in Fedora 26.
>>>>
>>>> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
>>>> good step forward.  Unfortunately, that gives OpenVPN a real challenge.
>>>> The OpenSSL v1.1 support is not completed.  Patches have been sent to
>>>> the upstream devel mailing list for review, but only half of them have
>>>> been processed and applied so far.
>>>>
>>>> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
>>>> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
>>>> revealed several issues:
> 
> Thanks a lot for the write-up, David. Can you make sure this ends up
> in the release notes?

Sure ... I've never done that before, any pointers to how I can make
that happen?


-- 
kind regards,

David Sommerseth





Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-27 Thread Tom Hughes

On 27/04/17 07:38, Tom Hughes wrote:
> On 25/04/17 21:39, David Sommerseth wrote:
>> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
>> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
>> revealed several issues:
>
> Why not just use the openssl 1.0.2 compat package until you're ready to
> move to the 1.1 package?

Scratch that - I see you explained further down.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-27 Thread Tom Hughes

On 25/04/17 21:39, David Sommerseth wrote:
> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
> revealed several issues:

Why not just use the openssl 1.0.2 compat package until you're ready to
move to the 1.1 package?


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-26 Thread Subhendu Ghosh
Software collections for a segregated sane dep chain

On Apr 26, 2017 19:22, "Dominik 'Rathann' Mierzejewski" <
domi...@greysector.net> wrote:

> On Wednesday, 26 April 2017 at 21:18, David Sommerseth wrote:
> > On 26/04/17 17:08, Lee Howard wrote:
> > > On 04/25/2017 01:39 PM, David Sommerseth wrote:
> > >> This is actually just a very late heads-up about challenges with OpenVPN
> > >> in Fedora 26.
> > >>
> > >> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
> > >> good step forward.  Unfortunately, that gives OpenVPN a real challenge.
> > >> The OpenSSL v1.1 support is not completed.  Patches have been sent to
> > >> the upstream devel mailing list for review, but only half of them have
> > >> been processed and applied so far.
> > >>
> > >> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
> > >> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
> > >> revealed several issues:
>
> Thanks a lot for the write-up, David. Can you make sure this ends up
> in the release notes?
>
> Regards,
> Dominik
> --
> Fedora http://fedoraproject.org/wiki/User:Rathann
> RPMFusion http://rpmfusion.org
> "Faith manages."
> -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"


Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-26 Thread Dominik 'Rathann' Mierzejewski
On Wednesday, 26 April 2017 at 21:18, David Sommerseth wrote:
> On 26/04/17 17:08, Lee Howard wrote:
> > On 04/25/2017 01:39 PM, David Sommerseth wrote:
> >> This is actually just a very late heads-up about challenges with OpenVPN
> >> in Fedora 26.
> >>
> >> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
> >> good step forward.  Unfortunately, that gives OpenVPN a real challenge.
> >> The OpenSSL v1.1 support is not completed.  Patches have been sent to
> >> the upstream devel mailing list for review, but only half of them have
> >> been processed and applied so far.
> >>
> >> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
> >> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
> >> revealed several issues:

Thanks a lot for the write-up, David. Can you make sure this ends up
in the release notes?

Regards,
Dominik
-- 
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"


Re: OpenVPN, OpenSSL and Fedora 26+

2017-04-26 Thread David Sommerseth
On 26/04/17 17:08, Lee Howard wrote:
> On 04/25/2017 01:39 PM, David Sommerseth wrote:
>> This is actually just a very late heads-up about challenges with OpenVPN
>> in Fedora 26.
>>
>> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
>> good step forward.  Unfortunately, that gives OpenVPN a real challenge.
>> The OpenSSL v1.1 support is not completed.  Patches have been sent to
>> the upstream devel mailing list for review, but only half of them have
>> been processed and applied so far.
>>
>> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
>> to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
>> revealed several issues:
>>
>>   - mbed TLS 2.3+ does by default not support certificate hashes
>>     "older" than SHA1.  And RSA keys must be 2048 bits or more.
>>     This has been fixed by a couple of additional patches on top
>>     of the upstream OpenVPN code base.
> 
> Why is switching to mbed TLS and patching that preferred over just
> patching OpenVPN?

Basically, security - as VPNs are by default security sensitive.  The
patches on the OpenVPN mailing list which enable OpenSSL 1.1 support
need to be reviewed properly before we can fully trust them.  And
considering that the mbed TLS support has been in OpenVPN for several
years and has also been used by OpenVPN-NL [1] for a long time, I
consider that approach more secure.

In addition I don't want to maintain what would in effect be a fork of
OpenVPN (even though only for a while).  So I follow the common
Red Hat mantra of "upstream first".  Once upstream has officially
blessed OpenVPN with OpenSSL 1.1, we will pull in these patches
unless a new v2.4 release is coming.  This makes it easier to get
upstream bugs fixed; we don't need to consider if a potential bug is a
result of the un-reviewed OpenSSL patches or not.

Those two patches I have added are basically based upon other patches
under review [2] (I have been involved in that review too).  In addition
a similar approach has been implemented in the OpenVPN 3 core library
[3] (which is being used by the OpenVPN Connect product range) which
uses the same concept.  So I consider those patches less security sensitive.

[1] 
[2]

[3]



-- 
kind regards,

David Sommerseth





OpenVPN, OpenSSL and Fedora 26+

2017-04-26 Thread David Sommerseth

Hi,

This is actually just a very late heads-up about challenges with OpenVPN
in Fedora 26.

Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
good step forward.  Unfortunately, that gives OpenVPN a real challenge.
The OpenSSL v1.1 support is not completed.  Patches have been sent to
the upstream devel mailing list for review, but only half of them have
been processed and applied so far.

So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
to mbed TLS instead of OpenSSL (which OpenVPN also supports).  That has
revealed several issues:

  - mbed TLS 2.3+ does by default not support certificate hashes
    "older" than SHA1.  And RSA keys must be 2048 bits or more.
    This has been fixed by a couple of additional patches on top
    of the upstream OpenVPN code base.  It now supports RSA keys
    of 1024 bits or more.  In addition, matching OpenSSL's support for
    OPENSSL_ENABLE_MD5_VERIFY, a quirk has been added to also enable
    MD5 support if that environment variable has been set.

  - The mbed TLS build in Fedora lacked PKCS#11 support.  This has
    been resolved.  But there are concerns about how well this plays along
    with another dependency OpenVPN has, pkcs11-helper.  This is being
    investigated and tested.  Feel free to help out on bz #1432152 if
    you depend on PKCS#11/Smart Card functionality.  Your feedback is
    valuable!

  - mbed TLS completely lacks support for PKCS#12 files.

Now, there is kind of an alternative by using compat-openssl10.  But
that does not play well with pkcs11-helper, which is compiled against
OpenSSL v1.1.

Currently the plan is to stay with mbed TLS support until PKCS#11
support is fully confirmed working or not working at all.  If not
working, we can at least move to compat-openssl10 without PKCS#11
support, which enables PKCS#12 support again.  If PKCS#11 support works
with mbed TLS, then we will stay on mbed TLS for now as I consider that
support more important than PKCS#12.

Once OpenVPN has released a version with full OpenSSL v1.1 support (or
at least has all the needed patches reviewed and applied to their
upstream git repos), then I will switch back to the default openssl
package again.

This is far from ideal.  But I do consider this a better compromise than
not having an OpenVPN package in Fedora 26 at all.

For those of you having PKCS#12 files, there is a kind of workaround
where you can split up that file into CA, Certificate and Private Key
PEM files - which OpenVPN can use directly.

$ openssl pkcs12 -nokeys -cacerts -in $PKCS12FILE > ca-cert.pem
$ openssl pkcs12 -nokeys -clcerts -in $PKCS12FILE > cert.pem
$ openssl pkcs12 -nocerts -nodes -in $PKCS12FILE > private-key.pem

If you replace '-nodes' with, for example, '-aes256' on the last line,
the private key will be encrypted and password protected, similar to
what your PKCS#12 files may already use today.


I am sorry for not having sent this heads-up earlier.  I took over
package maintenance mid-March, and I've taken this package through a
very much needed overhaul to align the packaging with improvements in
the upstream packaging.  The previous maintainers have done a good job
keeping this package alive, but the gap against upstream began to be a
bit too big.  There are still a few things which need to be ironed out.
But once the mbed TLS/OpenSSL issue and a few other more minor issues
get resolved, I'd say we're pretty much in a reasonable shape.

If you have questions, issues or comments ... feel free to reach out!


-- 
kind regards,

David Sommerseth



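The PKCS#12 split from the heads-up above, scripted, together with a check of the resulting certificate against the mbed TLS 2.3+ defaults named in the first bullet (RSA key of 2048 bits or more, no certificate hash older than SHA1 unless OPENSSL_ENABLE_MD5_VERIFY is set). This is an added example, not code from the post or from the OpenVPN project; it assumes the openssl command-line tool is installed, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the post or the OpenVPN project.
# Splits a PKCS#12 bundle into the PEM files OpenVPN reads directly, and checks
# the resulting certificate against the mbed TLS 2.3+ defaults the post
# describes (RSA key >= 2048 bits, no MD5 certificate hash).
# Assumes the openssl command-line tool; file and function names are my own.

# split_pkcs12 BUNDLE PASSWORD OUTDIR
# The same three openssl invocations as in the post, with the import password
# given explicitly so the split runs unattended.  -nodes writes the private
# key unencrypted, so it is created with mode 0600.
split_pkcs12() {
    p12=$1 pw=$2 out=$3
    mkdir -p "$out" || return 1
    openssl pkcs12 -nokeys -cacerts -in "$p12" -passin "pass:$pw" \
        -out "$out/ca-cert.pem" || return 1
    openssl pkcs12 -nokeys -clcerts -in "$p12" -passin "pass:$pw" \
        -out "$out/cert.pem" || return 1
    ( umask 077
      openssl pkcs12 -nocerts -nodes -in "$p12" -passin "pass:$pw" \
          -out "$out/private-key.pem" )
}

# cert_key_match CERT KEY: succeeds only if the PEM key belongs to the PEM cert,
# i.e. the split picked the right bag for each file.
cert_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$a" = "$b" ]
}

# check_mbedtls_defaults CERT
# Prints "ok" if the certificate would pass the mbed TLS 2.3+ default profile
# as the post describes it; otherwise prints the reason and fails.  Like the
# quirk in the Fedora patches, an MD hash is tolerated only when
# OPENSSL_ENABLE_MD5_VERIFY is set in the environment.
check_mbedtls_defaults() {
    txt=$(openssl x509 -in "$1" -noout -text) || { echo "unreadable"; return 1; }
    sigalg=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # the key-size rule is about RSA; do not misread an EC key's bit count
    rsa=$(printf '%s\n' "$txt" | grep -c 'Public Key Algorithm: rsaEncryption' || true)
    case $sigalg in
        md2*|md4*|md5*|*MD5*)
            if [ -z "${OPENSSL_ENABLE_MD5_VERIFY:-}" ]; then
                echo "rejected: hash $sigalg is older than SHA1"; return 1
            fi ;;
    esac
    if [ "$rsa" -gt 0 ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "rejected: RSA key only $bits bits"; return 1
    fi
    echo ok
}
```

Running check_mbedtls_defaults on cert.pem before switching a client to the mbed TLS build tells you whether a connection failure would stem from the certificate itself rather than from the OpenVPN configuration.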

