Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-07-07 Thread Andy Lemin
Hi Stuart and Joel,

Just to confirm for others reading, you are very correct.

And patch 014_libcrypto has fixed this :) So just run syspatch (or openup) and 
you'll be working again.

Thanks for the commits ;)

PS: good to hear from you again, Stuart! Long time. I'm on this email now 
rather than andy@brandwatch; it's been a while since I've been around the 
lists. I knew I could rely on you amazing peeps.

Take care, happy summer. Andy


Sent from a teeny tiny keyboard, so please excuse typos

> On 3 Jul 2017, at 16:51, Joel Sing  wrote:
> 
>> On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
>> Hi,
>> 
>> Sadly in my testing it seems that CVE-2017-8301
>> (http://seclists.org/oss-sec/2017/q2/145) is still broken with the
>> latest LibreSSL (2.5.4) and OpenVPN 2.4.2.
>> 
>> Here is someone else reporting the same issue:
>> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
>> 
>> Of course I may have gotten this wrong somewhere, but for now it seems not
>> possible to use OpenVPN as a client with TLS static certificate based
>> server on OpenBSD.
>> 
>> Hope this helps clarify for anyone else finding the same issue until some
>> clever person does a fix.
>> 
>> 
>> Error same with latest;
>> 
>> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL
>> (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
>> 
>> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
>> 
>> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed
>> certificate: < Cert Info >
>> 
>> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL
>> routines:CONNECT_CR_CERT:certificate verify failed
>> 
>> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
>> 
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read
>> error
>> 
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
>> 
>> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process
>> restarting
> 
> This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) - 
> you should also be able to work around the issue by using different CNs for 
> the CA and server certificates (they're likely identical in this case).



Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-07-03 Thread Joel Sing
On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
> Hi,
> 
> Sadly in my testing it seems that CVE-2017-8301
> (http://seclists.org/oss-sec/2017/q2/145) is still broken with the
> latest LibreSSL (2.5.4) and OpenVPN 2.4.2.
> 
> Here is someone else reporting the same issue:
> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
> 
> Of course I may have gotten this wrong somewhere, but for now it seems not
> possible to use OpenVPN as a client with TLS static certificate based
> server on OpenBSD.
> 
> Hope this helps clarify for anyone else finding the same issue until some
> clever person does a fix.
> 
> 
> Error same with latest;
> 
> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL
> (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
> 
> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
> 
> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed
> certificate: < Cert Info >
> 
> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL
> routines:CONNECT_CR_CERT:certificate verify failed
> 
> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
> 
> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read
> error
> 
> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
> 
> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process
> restarting

This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) - 
you should also be able to work around the issue by using different CNs for the 
CA and server certificates (they're likely identical in this case).
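The depth=0 error above means the library took the server certificate for a self-signed one, and Joel's workaround points at the leaf's subject and issuer names being identical. The script below is an added example, not code from this thread, LibreSSL or OpenVPN: it pulls the inline <cert> out of an .ovpn file and reports whether that certificate's subject DN equals its issuer DN. It assumes openssl(1) is on PATH; the CA and server certificates it builds are throwaway test data with placeholder CNs (vpn.example, gw.vpn.example).

```shell
# Added example: does the inline <cert> in an .ovpn look self-signed by name?
# Assumes openssl(1) (OpenSSL or LibreSSL) is available. Certificates built by
# make_demo_certs are constructed test data with placeholder CNs.
set -e

inline_block() {  # inline_block <tag> <file>: print the body of <tag>...</tag>
    awk -v tag="$1" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside' "$2"
}

looks_self_signed() {  # exit 0 when subject DN == issuer DN in <cert.pem>
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # Strip the "subject="/"issuer=" prefixes; both OpenSSL and LibreSSL
    # print the remaining DN in the same style for the two fields.
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

check_ovpn() {  # check_ovpn <file.ovpn>: prints 1 if <cert> looks self-signed, else 0
    tmp=$(mktemp)
    inline_block cert "$1" > "$tmp"
    if looks_self_signed "$tmp"; then r=1; else r=0; fi
    rm -f "$tmp"
    echo "$r"
}

make_demo_certs() {  # make_demo_certs <dir> <server-cn>: CA CN is fixed at vpn.example
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=vpn.example" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
    # Minimal client config with both certs inline, as in the thread
    { echo "client"; echo "<ca>"; cat "$d/ca.pem"; echo "</ca>"
      echo "<cert>"; cat "$d/server.pem"; echo "</cert>"; } > "$d/client.ovpn"
}

demo() {  # server CN equal to the CA's vs. a distinct one (Joel's workaround)
    for cn in vpn.example gw.vpn.example; do
        d=$(mktemp -d); make_demo_certs "$d" "$cn"
        echo "server CN=$cn -> looks self-signed: $(check_ovpn "$d/client.ovpn")"
        rm -r "$d"
    done
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check.sh demo` to see the two cases side by side, or call `check_ovpn` on a real client config.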



Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-22 Thread Stuart Henderson
On 2017-06-22, Stuart Henderson  wrote:
> On 2017-06-20, Andrew Lemin  wrote:
>> Has anyone else come across any issues recently with Openvpn, Libressl and
>> TLS on OpenBSD 6.1?
>
> Yes, there have been problems reported like this (this is from the
> "Investigating self-signed cert behavior change" posts on the libressl
> mailing list):
>
> Mon May  1 22:14:27 2017 UDP link remote: [AF_INET]75.102.1.76:1194
> Mon May  1 22:14:27 2017 VERIFY ERROR: depth=0, error=self signed 
> certificate: C=XX, ST=XX, L=XX, O=XX, CN=xxx.xxx.com, 
> emailAddress=x...@xxx.com
> Mon May  1 22:14:27 2017 OpenSSL: error:14007086:SSL 
> routines:CONNECT_CR_CERT:certificate verify failed
> Mon May  1 22:14:27 2017 TLS_ERROR: BIO read tls_read_plaintext error
> Mon May  1 22:14:27 2017 TLS Error: TLS object -> incoming plaintext read 
> error
> Mon May  1 22:14:27 2017 TLS Error: TLS handshake failed
>
> I have had OpenVPN working on a 6.1 machine, pretty sure it's cert-dependent
> rather than a more general problem.
>
> beck@ and guenther@ asked for certificates (not keys) showing the problem,
> but neither the reporter nor the person who said they also saw the problem
> replied with certs.

PS: server and CA certs.




Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-22 Thread Stuart Henderson
On 2017-06-20, Andrew Lemin  wrote:
> Has anyone else come across any issues recently with Openvpn, Libressl and
> TLS on OpenBSD 6.1?

Yes, there have been problems reported like this (this is from the
"Investigating self-signed cert behavior change" posts on the libressl
mailing list):

Mon May  1 22:14:27 2017 UDP link remote: [AF_INET]75.102.1.76:1194
Mon May  1 22:14:27 2017 VERIFY ERROR: depth=0, error=self signed certificate: 
C=XX, ST=XX, L=XX, O=XX, CN=xxx.xxx.com, emailAddress=x...@xxx.com
Mon May  1 22:14:27 2017 OpenSSL: error:14007086:SSL 
routines:CONNECT_CR_CERT:certificate verify failed
Mon May  1 22:14:27 2017 TLS_ERROR: BIO read tls_read_plaintext error
Mon May  1 22:14:27 2017 TLS Error: TLS object -> incoming plaintext read error
Mon May  1 22:14:27 2017 TLS Error: TLS handshake failed

I have had OpenVPN working on a 6.1 machine, pretty sure it's cert-dependent
rather than a more general problem.

beck@ and guenther@ asked for certificates (not keys) showing the problem,
but neither the reporter nor the person who said they also saw the problem
replied with certs.

> I have since found CVE-2017-8301 which I believe is related. And confirmed
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the
> OpenBSD trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list
> yet. openvpn did have a minor.
..
> It would be great if someone would be kind enough to confirm if this CVE is
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?

That's not the problem you see here. openvpn's verify callback function
doesn't trigger this problem. Even if it did, that bug would cause false
acceptance of a cert, not false rejection.

The relevant fix for OpenBSD 6.1 is 003_libressl; you can check with
syspatch -l to see if it's listed. (Current versions of mtier's openup
tool run syspatch for you automatically to get base OS updates.)

> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL
> etc.. However notice that openvpn is still linking to 2.5.2.
..
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4
> install?

I would avoid fiddling with the libressl version on a release/stable
installation. If you want something newer than that, just use -current
snapshots.




Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andrew Lemin
Hi,

Sadly in my testing it seems that CVE-2017-8301
(http://seclists.org/oss-sec/2017/q2/145) is still broken with the
latest LibreSSL (2.5.4) and OpenVPN 2.4.2.

Here is someone else reporting the same issue:
https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4

Of course I may have gotten this wrong somewhere, but for now it seems not
possible to use OpenVPN as a client with a TLS static certificate based
server on OpenBSD.

Hope this helps clarify for anyone else finding the same issue until some
clever person does a fix.


Error is the same with the latest:

Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL
(OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017

Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10

Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed
certificate: < Cert Info >

Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL
routines:CONNECT_CR_CERT:certificate verify failed

Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error

Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read
error

Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed

Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process
restarting

On Tue, Jun 20, 2017 at 8:49 PM, Andy Lemin  wrote:

> I've just found this hint on GitHub for the Openvpn compile options for
> Libressl;
> https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995
>
> So will try a build later tonight and share back here if that CVE is fixed.
>
> Would prefer to rebuild with the same options as the packaged binary, and
> it occurred to me that I don't know how to find that on OpenBSD?
>
> Thanks again :)
>
>
> Sent from a teeny tiny keyboard, so please excuse typos
>
> On 20 Jun 2017, at 20:23, Andrew Lemin  wrote:
>
> Hi Misc,
>
> Has anyone else come across any issues recently with Openvpn, Libressl and
> TLS on OpenBSD 6.1?
>
> I am using an .ovpn file with TLS auth static key and cert inline within
> the file, to connect to VPN service. Running openvpn binary from command
> line without any special params, just .ovpn file.
>
> I have tested this is working fine on a Linux server with same config
> (using Openssl), so the server side, CA and cert are fine etc.
>
> I noticed on the Linux server the line; "Control Channel Authentication:
> tls-auth using INLINE static key file", but I do not see this debug on the
> OpenBSD version. Wondered if Libressl is not negotiating tls properly.
>
>
> I have since found CVE-2017-8301 which I believe is related. And confirmed
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the
> OpenBSD trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list
> yet. openvpn did have a minor.
>
> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL
> etc.. However notice that openvpn is still linking to 2.5.2.
>
> It would be great if someone would be kind enough to confirm if this CVE
> is indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
>
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4
> install?
>
> Thanks for your time.
> Kind regards, Andy Lemin
>
>
>
> Sent from a teeny tiny keyboard, so please excuse typos
>
>


Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andy Lemin
I've just found this hint on GitHub for the OpenVPN compile options for 
LibreSSL:
https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995

So I will try a build later tonight and share back here if that CVE is fixed.

I would prefer to rebuild with the same options as the packaged binary, and it 
occurred to me that I don't know how to find those on OpenBSD.

Thanks again :)


Sent from a teeny tiny keyboard, so please excuse typos

> On 20 Jun 2017, at 20:23, Andrew Lemin  wrote:
> 
> Hi Misc,
> 
> Has anyone else come across any issues recently with Openvpn, Libressl and 
> TLS on OpenBSD 6.1?
> 
> I am using an .ovpn file with TLS auth static key and cert inline within the 
> file, to connect to VPN service. Running openvpn binary from command line 
> without any special params, just .ovpn file.
> 
> I have tested this is working fine on a Linux server with same config (using 
> Openssl), so the server side, CA and cert are fine etc.
> 
> I noticed on the Linux server the line; "Control Channel Authentication: 
> tls-auth using INLINE static key file", but I do not see this debug on the 
> OpenBSD version. Wondered if Libressl is not negotiating tls properly.
> 
> 
> I have since found CVE-2017-8301 which I believe is related. And confirmed 
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
> 
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD 
> trees I can see 2.5.4 was cut around 1st of May..
> 
> I used MTier to grab all major patches etc, but LibreSSL not in patch list 
> yet. openvpn did have a minor.
> 
> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL 
> etc.. However notice that openvpn is still linking to 2.5.2.
> 
> It would be great if someone would be kind enough to confirm if this CVE is 
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
> 
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 
> install?
> 
> Thanks for your time.
> Kind regards, Andy Lemin
> 
> 
> 
> Sent from a teeny tiny keyboard, so please excuse typos


Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andrew Lemin
Hi Misc,

Has anyone else come across any issues recently with Openvpn, Libressl and
TLS on OpenBSD 6.1?

I am using an .ovpn file with the TLS auth static key and cert inline within
the file, to connect to a VPN service. I am running the openvpn binary from the
command line without any special params, just the .ovpn file.

I have tested that this is working fine on a Linux server with the same config
(using OpenSSL), so the server side, CA and cert are fine etc.

I noticed on the Linux server the line "Control Channel Authentication:
tls-auth using INLINE static key file", but I do not see this debug line on the
OpenBSD version. I wondered if LibreSSL is not negotiating TLS properly.


I have since found CVE-2017-8301, which I believe is related, and confirmed
that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2.

The CVE shows the issue known between 2.5.1 and 2.5.3, and looking at the
OpenBSD trees I can see 2.5.4 was cut around the 1st of May.

I used MTier to grab all major patches etc., but LibreSSL is not in the patch
list yet. openvpn did have a minor.

So I downloaded the LibreSSL 2.5.4 source, compiled and installed it as per
INSTALL etc. However, I notice that openvpn is still linking to 2.5.2.

It would be great if someone would be kind enough to confirm whether this CVE
is indeed the same issue, and whether 2.5.4 includes the relevant fixes for it.

And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4
install?

Thanks for your time.
Kind regards, Andy Lemin



Sent from a teeny tiny keyboard, so please excuse typos