Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS
On 03/05/2016 06:27 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Mar 05, 2016 at 12:58:06AM +0300, ValdikSS wrote:
> If Connect works, and OpenVPN for Android does not, this hints at
> "PolarSSL vs. OpenSSL".
>
> Or at "we call the crypto library differently"...

Yes, the PolarSSL build of OpenVPN 2.3 also works fine. Trying to find the bug in
the OpenSSL backend validation code…

>
> gert
>






Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread Gert Doering
Hi,

On Sat, Mar 05, 2016 at 12:58:06AM +0300, ValdikSS wrote:
> Bad news:
> 
>   * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL
>     and PolarSSL backends. Maybe if I supply certificates in correct order,
>     client would

If Connect works, and OpenVPN for Android does not, this hints at
"PolarSSL vs. OpenSSL".

Or at "we call the crypto library differently"...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS
On 03/05/2016 12:58 AM, ValdikSS wrote:
> I have good news and bad news:
>
> Good news:
>
>   * OpenVPN sends all certificates from the server supplied for --server
>     directive (although with a small bug that a certificate which you have
>     private key for must be supplied on the top)
>   * OpenVPN Connect for Android can successfully connect to my server with a
>     chain
>
>
> Bad news:
>
>   * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL
>     and PolarSSL backends. Maybe if I supply certificates in correct order,
>     client would work.
>

Sorry for the misinformation: OpenVPN 2.3 and master with the PolarSSL backend
actually work. The problem is in the OpenSSL backend.

>
>
> On 03/04/2016 12:04 AM, ValdikSS wrote:
>





Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS
On 03/05/2016 08:24 AM, ValdikSS wrote:
>
>
> On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
>
> I've signed my new CA's private key (4096 bit) with the old CA (1024 bit), and
> it became an intermediate of my old CA (what you call extending trust), but I
> also issued a self-signed new CA. I issue server certificates with the new CA.
>
> Current users trust only the old CA, so to let them connect to servers with
> server certificates issued by the new CA, we should either add the
> cross-signed (intermediate) certificate on the client side or push it from the
> server. The latter is what I'm trying to achieve.
>
> New clients will get configuration files with the new CA inside, and they
> would be able to connect successfully, since the intermediate certificate
> pushed from the server would just be ignored. Old clients would eventually
> update their configuration files too. After some time, we'll move all users to
> the new CA and remove the intermediate certificate from the server.
>
>
Just to clarify, both self-signed new CA and cross-signed new CA share the same 
private key.




Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS


On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
> Hi,
>
> On 04/03/16 22:58, ValdikSS wrote:
> How did you generate the cross-signed CA certs? I've looked around but all
> cross-signing either requires you to use the same private key (i.e. bit size)
> or that you extend the trust of one CA with that of another. The first is of
> no help as the key size needs to be different. The second (extending trust)
> does not work as you'd need to install this cross-trust CA at the client
> side.  I found this interesting example on how to generate cross-signed certs
> here:
>   https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl

I've signed my new CA's private key (4096 bit) with the old CA (1024 bit), and
it became an intermediate of my old CA (what you call extending trust), but I
also issued a self-signed new CA. I issue server certificates with the new CA.

Current users trust only the old CA, so to let them connect to servers with
server certificates issued by the new CA, we should either add the
cross-signed (intermediate) certificate on the client side or push it from the
server. The latter is what I'm trying to achieve.

New clients will get configuration files with the new CA inside, and they
would be able to connect successfully, since the intermediate certificate
pushed from the server would just be ignored. Old clients would eventually
update their configuration files too. After some time, we'll move all users to
the new CA and remove the intermediate certificate from the server.

>
>
> JJK
>
>





Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread Jan Just Keijser

Hi,

On 04/03/16 22:58, ValdikSS wrote:

I have good news and bad news:

Good news:

  * OpenVPN sends all certificates from the server supplied for --server
    directive (although with a small bug that a certificate which you have
    private key for must be supplied on the top)
  * OpenVPN Connect for Android can successfully connect to my server with a
    chain


Bad news:

  * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL and
    PolarSSL backends. Maybe if I supply certificates in correct order, client
    would work.



How did you generate the cross-signed CA certs? I've looked around but
all cross-signing either requires you to use the same private key (i.e.
bit size) or that you extend the trust of one CA with that of another.
The first is of no help as the key size needs to be different. The
second (extending trust) does not work as you'd need to install this
cross-trust CA at the client side.  I found this interesting example on
how to generate cross-signed certs here:

https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl


JJK


On 03/04/2016 12:04 AM, ValdikSS wrote:

Hello everyone,

I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit
one without any hassle for the clients.
From an X.509 perspective it shouldn't be a problem, and I already have the new
CA self-signed and cross-signed with the old CA, so it should work just fine.

While there's no problem authenticating clients from both the old and the new CA
using a single instance (multiple certificates in --ca are supported; this is
documented), I need to send two certificates from the OpenVPN server: the server
certificate, which is signed by the new CA, and the new CA cross-signed with the
old CA. This way it should work for clients with either the old or the new CA in
their configuration files.

I can't get the server to send more than one certificate to the client. It seems
that multiple certificates in the --cert directive are supported only on the
client side. Am I missing something? Is there a way to push multiple certificates
from the server? If there isn't one currently, are there any protocol
limitations which allow only one certificate to be sent?






--


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel




Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
I have good news and bad news:

Good news:

  * OpenVPN sends all certificates from the server supplied for --server
    directive (although with a small bug that a certificate which you have
    private key for must be supplied on the top)
  * OpenVPN Connect for Android can successfully connect to my server with a
    chain


Bad news:

  * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL and
    PolarSSL backends. Maybe if I supply certificates in correct order, client
    would work.



On 03/04/2016 12:04 AM, ValdikSS wrote:
> Hello everyone,
>
> I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096
> bit one without any hassle for the clients.
> From an X.509 perspective it shouldn't be a problem, and I already have the
> new CA self-signed and cross-signed with the old CA, so it should work just
> fine.
>
> While there's no problem authenticating clients from both the old and the new
> CA using a single instance (multiple certificates in --ca are supported; this
> is documented), I need to send two certificates from the OpenVPN server: the
> server certificate, which is signed by the new CA, and the new CA cross-signed
> with the old CA. This way it should work for clients with either the old or
> the new CA in their configuration files.
>
> I can't get the server to send more than one certificate to the client. It
> seems that multiple certificates in the --cert directive are supported only
> on the client side. Am I missing something? Is there a way to push multiple
> certificates from the server? If there isn't one currently, are there any
> protocol limitations which allow only one certificate to be sent?
>
>





Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
On 03/04/2016 11:08 PM, Jan Just Keijser wrote:
> Hi,
>
> On 04/03/16 14:24, Arne Schwabe wrote:
> the more I think about it, the more I think that what you are trying to
> achieve ought not to work:
>
> your current situation is this:
> - clients are equipped with a 1024bit CA cert; the server certificate (chain)
>   must be signed using this end-entity CA cert for the client to trust the
>   server
> - the server supplies this 1024bit CA cert, as well as a cross-signed 4096bit
>   CA cert and a server cert.
> - The client will never "accept" the 4K CA cert as the new end-entity, as
>   that is not configured in the config file.

This is correct, except that the server doesn't send the CA.

>
> *but*
> anything signed using a 1K cert should be considered insecure, as it's
> feasible nowadays to brute-force generate a key that will match that
> certificate. That means that an attacker can grab your 1K CA cert, generate
> a new CA key for it, then generate new server cert (or even a 4K cross-signed
> CA cert) and lure an unsuspecting client to the server - your shiny new
> cross-signed CA cert will not prevent this.

This is also correct.

>
> The only way to prevent this from happening is by getting the clients to stop 
> trusting/using the 1K CA cert - thus, you must alter the client-side
> configuration for this, painstaking as it is...

This is only to move to a new CA easily. New clients will get configuration
files with the new 4096 bit CA; old clients would update their configuration
files in 2 months. I'd like both old and new clients to be able to connect to
the server without any hassle. Then, in 2 months, when all clients use the
4096 bit CA, I'll remove the old chain from the server.

>
>
> JJK
>






Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Jan Just Keijser

Hi,

On 04/03/16 14:24, Arne Schwabe wrote:


On 04.03.16 at 14:18, ValdikSS wrote:

On 03/04/2016 04:12 PM, Arne Schwabe wrote:

On 03.03.16 at 22:04, ValdikSS wrote:
Shouldn't sending the new CA chain only be enough? Since it is
(cross)signed by the old CA, the client will accept it. For the old
clients the new CA will look like an intermediate certificate.

Please clarify what you mean. I'm trying to send the new CA (signed by the old
CA) and a server certificate.


Exactly what David Woodhouse replied just 10 minutes before my email.


the more I think about it, the more I think that what you are trying to 
achieve ought not to work:


your current situation is this:
- clients are equipped with a 1024bit CA cert; the server certificate 
(chain) must be signed using this end-entity CA cert for the client to 
trust the server
- the server supplies this 1024bit CA cert, as well as a cross-signed 
4096bit CA cert and a server cert.
- The client will never "accept" the 4K CA cert as the new end-entity, 
as that is not configured in the config file.


*but*
anything signed using a 1K cert should be considered insecure, as it's 
feasible nowadays to brute-force generate a key that will match that 
certificate. That means that an attacker can grab your 1K CA cert, 
generate a new CA key for it, then generate new server cert (or even a 
4K cross-signed CA cert) and lure an unsuspecting client to the server - 
your shiny new cross-signed CA cert will not prevent this.


The only way to prevent this from happening is by getting the clients to 
stop trusting/using the 1K CA cert - thus, you must alter the 
client-side configuration for this, painstaking as it is...



JJK




Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
On 03/04/2016 03:26 PM, Jan Just Keijser wrote:
> Hi,
>
> On 03/03/16 22:04, ValdikSS wrote:
> it's possible to send a stacked CA certificate (i.e. server certificate 
> and intermediate CA cert) from server to the client. We use this in 
> production, and it is done by simply stacking (cat'ing) the server cert 
> and intermediary CA cert file into a single pem file. The intermediary 
> CA is verified using the client-side ca.crt file and the server cert is 
> signed by the intermediary CA.
> I'm not sure what would happen if you stick two CA certs into the file, 
> however.
> If this does not work: when looking thru the openssl s_server code I see 
> a -dcert option which does something similar - looks like it would be 
> trivial to add to OpenVPN.

This option is for supplying an additional server certificate with a key file
(i.e. if you want to use RSA and ECDSA keys), not for chains. Actually,
openssl's s_server doesn't support pushing chains either.

>
> JM2CW,
>
> JJK
>
>






Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Arne Schwabe


On 04.03.16 at 14:18, ValdikSS wrote:
> On 03/04/2016 04:12 PM, Arne Schwabe wrote:
>> On 03.03.16 at 22:04, ValdikSS wrote:
>> Shouldn't sending the new CA chain only be enough? Since it is
>> (cross)signed by the old CA, the client will accept it. For the old
>> clients the new CA will look like an intermediate certificate.
> Please clarify what you mean. I'm trying to send the new CA (signed by the
> old CA) and a server certificate.
>
Exactly what David Woodhouse replied just 10 minutes before my email.

Arne



Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
On 03/04/2016 04:12 PM, Arne Schwabe wrote:
>
> On 03.03.16 at 22:04, ValdikSS wrote:
> Shouldn't sending the new CA chain only be enough? Since it is
> (cross)signed by the old CA, the client will accept it. For the old
> clients the new CA will look like an intermediate certificate.

Please clarify what you mean. I'm trying to send the new CA (signed by the old
CA) and a server certificate.

>
> Arne






Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
On 03/04/2016 03:57 PM, David Woodhouse wrote:
> On Fri, 2016-03-04 at 15:37 +0300, ValdikSS wrote:
> What you described *was* chained certificates, wasn't it?
>
> From the point of view of a client which only trusts the old CA, the
> server is presenting a chain — its own cert, followed by the
> "intermediate" new CA which is in turn signed by the trusted 'old CA'.
>
> And from the point of view of a client which trusts the new CA, the
> server is presenting its own certificate, followed by something which
> can (and should) be ignored.
>
> Major CAs have done this, haven't they, resulting in a few crypto
> libraries having to be modified to back up the chain and look for
> *alternative* reasons to trust a cert from further back.
>

Yes, I'm trying to do exactly the same, and it doesn't work. It seems that
OpenVPN doesn't want to load multiple certificates on the server side for me.
I'll investigate it further.





Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Arne Schwabe


On 03.03.16 at 22:04, ValdikSS wrote:
> Hello everyone,
>
> I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096
> bit one without any hassle for the clients.
> From an X.509 perspective it shouldn't be a problem, and I already have the
> new CA self-signed and cross-signed with the old CA, so it should work just
> fine.
>
> While there's no problem authenticating clients from both the old and the new
> CA using a single instance (multiple certificates in --ca are supported; this
> is documented), I need to send two certificates from the OpenVPN server: the
> server certificate, which is signed by the new CA, and the new CA cross-signed
> with the old CA. This way it should work for clients with either the old or
> the new CA in their configuration files.
>
>
Shouldn't sending the new CA chain only be enough? Since it is
(cross)signed by the old CA, the client will accept it. For the old
clients the new CA will look like an intermediate certificate.

Arne



Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
Thanks for the information. It definitely doesn't work for any certificate;
probably only for chained certificates.
It's good news that there's no protocol limitation for this. I'll check the
code to see what's going on.

On 03/04/2016 03:26 PM, Jan Just Keijser wrote:
> Hi,
>
> On 03/03/16 22:04, ValdikSS wrote:
>
> It's possible to send a stacked CA certificate (i.e. server certificate and
> intermediate CA cert) from server to the client. We use this in production,
> and it is done by simply stacking (cat'ing) the server cert and intermediary
> CA cert file into a single pem file. The intermediary CA is verified using the
> client-side ca.crt file and the server cert is signed by the intermediary CA.
> I'm not sure what would happen if you stick two CA certs into the file,
> however.
> If this does not work: when looking thru the openssl s_server code I see a
> -dcert option which does something similar - looks like it would be trivial
> to add to OpenVPN.
>
> JM2CW,
>
> JJK
>






Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Jan Just Keijser

Hi,

On 03/03/16 22:04, ValdikSS wrote:

Hello everyone,

I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit
one without any hassle for the clients.
From an X.509 perspective it shouldn't be a problem, and I already have the new
CA self-signed and cross-signed with the old CA, so it should work just fine.

While there's no problem authenticating clients from both the old and the new CA
using a single instance (multiple certificates in --ca are supported; this is
documented), I need to send two certificates from the OpenVPN server: the server
certificate, which is signed by the new CA, and the new CA cross-signed with the
old CA. This way it should work for clients with either the old or the new CA in
their configuration files.

I can't get the server to send more than one certificate to the client. It seems
that multiple certificates in the --cert directive are supported only on the
client side. Am I missing something? Is there a way to push multiple certificates
from the server? If there isn't one currently, are there any protocol
limitations which allow only one certificate to be sent?



It's possible to send a stacked CA certificate (i.e. server certificate 
and intermediate CA cert) from server to the client. We use this in 
production, and it is done by simply stacking (cat'ing) the server cert 
and intermediary CA cert file into a single pem file. The intermediary 
CA is verified using the client-side ca.crt file and the server cert is 
signed by the intermediary CA.
I'm not sure what would happen if you stick two CA certs into the file, 
however.
If this does not work: when looking thru the openssl s_server code I see 
a -dcert option which does something similar - looks like it would be 
trivial to add to OpenVPN.


JM2CW,

JJK
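
A worked version of the setup discussed in this thread: ValdikSS's cross-signed new CA (self-signed and cross-signed variants sharing one key) and JJK's advice above to stack the server certificate and the intermediate into a single PEM file. The script below is added here; it is not code from the thread, from OpenVPN or from any of the posters. It assumes only the openssl command-line tool; every name (old-ca, new-ca, vpn-server), key size and file name is constructed for the demonstration. It builds both CAs, signs the new CA's key with the old CA to obtain the cross-certificate, issues a server certificate from the new CA, and then uses openssl verify, standing in for the client's TLS library, to show what a client carrying either trust anchor makes of the chain the server presents.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): reproduce the cross-signed
# CA migration with the openssl CLI and check which server-presented chain a
# client with each trust anchor accepts. All names and sizes are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
OLD_BITS=1024   # the CA existing clients still carry in --ca (constructed size)
NEW_BITS=4096   # the CA being migrated to (constructed size)

build_pki() (
  cd "$WORK"
  # X.509v3 extensions for CA certificates and for the server (leaf) certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

  # Old self-signed CA: the only trust anchor old clients have.
  openssl req -new -newkey "rsa:$OLD_BITS" -nodes -keyout old-ca.key \
      -subj "/CN=old-ca" -out old-ca.csr 2>/dev/null
  openssl x509 -req -in old-ca.csr -signkey old-ca.key -sha256 -days 30 \
      -extfile ca.ext -out old-ca.crt 2>/dev/null

  # New CA key. ONE key, ONE CSR, signed twice: this is why the self-signed and
  # the cross-signed new CA must share a key (ValdikSS's clarification).
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$NEW_BITS" -out new-ca.key 2>/dev/null
  openssl req -new -key new-ca.key -subj "/CN=new-ca" -out new-ca.csr
  #  (a) self-signed: what goes into --ca of new client configs
  openssl x509 -req -in new-ca.csr -signkey new-ca.key -sha256 -days 30 \
      -extfile ca.ext -out new-ca.crt 2>/dev/null
  #  (b) cross-signed by old-ca: looks like an intermediate to old clients
  openssl x509 -req -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key -CAcreateserial \
      -sha256 -days 30 -extfile ca.ext -out new-ca-cross.crt 2>/dev/null

  # Server certificate, issued by the new CA only.
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
      -subj "/CN=vpn-server" -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA new-ca.crt -CAkey new-ca.key -CAcreateserial \
      -sha256 -days 30 -extfile srv.ext -out server.crt 2>/dev/null

  # What the server presents: the leaf FIRST, then the cross-signed CA. This is
  # JJK's "cat the server cert and the intermediate into one pem"; the TLS
  # library takes the first entry as the certificate that matches the private key.
  cat server.crt new-ca-cross.crt > server-chain.pem
  cp server.crt server-only.pem
)

# verify_as <trust anchor in the client's --ca> <chain file the server presents>
# Prints "ok" when such a client would accept the server certificate, else "fail".
# The ": OK" text is matched rather than the exit status, which older openssl
# versions did not set reliably.
verify_as() {
  out=$(openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/server.crt" 2>&1 || true)
  case "$out" in
    *": OK"*) echo ok ;;
    *)        echo fail ;;
  esac
}

# Subject of the first certificate in a PEM file (openssl x509 reads only the
# first one), i.e. the entry a server would treat as its own certificate.
chain_head() {
  openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

build_pki
echo "old-CA client, server pushes leaf + cross-signed CA: $(verify_as old-ca.crt server-chain.pem)"  # ok
echo "old-CA client, server pushes leaf only:              $(verify_as old-ca.crt server-only.pem)"   # fail
echo "new-CA client, server pushes leaf + cross-signed CA: $(verify_as new-ca.crt server-chain.pem)"  # ok
echo "first certificate in the pushed file:                $(chain_head server-chain.pem)"            # CN=vpn-server
```

Run it with sh; the three verify lines print ok, fail and ok. The second case is the one the original question is about: an old client that receives only the leaf cannot build a path from CN=new-ca to its 1024-bit anchor, so the cross-certificate has to travel with the server certificate. The third case shows why the cross-certificate is harmless to new clients: the leaf's issuer is already trusted, and the extra entry is ignored (the "alternative chain" behaviour David Woodhouse mentions). Whether a given OpenVPN build actually sends both entries of server-chain.pem is the separate question the thread is debugging; and, as JJK points out, the 1024-bit anchor remains the weak link until the last client has dropped it.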




Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread ValdikSS
Currently I did the same, but it would be much easier to just push 2
certificates from the server.

On 03/04/2016 06:40 AM, Илья Шипицин wrote:
> We are running OpenVPN for ~1000 users; in a similar case we deployed the new
> CA on a separate UDP port and re-deployed the installer to our users (we put
> the installer and config on the enterprise website). After some time we were
> able to shut down the old CA.
>
> 2016-03-04 2:04 GMT+05:00 ValdikSS  >:
>


