Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?
Hi Mike,

I misunderstood Arne's comment. We default to security level 1 but that forbids SHA1 signatures in OpenSSL 3.0+. Could you test with "tls-cert-profile Insecure" in the config file? It's not recommended but useful to check.

Thanks,

Selva

On Thu, Sep 28, 2023 at 7:08 PM mike tancsa wrote:
> Hi Selva,
>
> Thank you for looking!
>
> > My guess is that something in the certificate or private key is not to
> > OpenSSL 3.1's liking and it rejects it. Is there any way for you to check
> > the contents of the token independently using a tool linked against
> > OpenSSL 3.1 ?
>
> What am I looking for in that case ? Taking a look at the cert just with
> openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows
> version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the
> sha1RSA sig ?
>
> # openssl version
> OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
> #
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7109 (0x1bc5)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C = CA, ST = ON, L = Cambridge, O = Sentex CA, CN = Sentex private1test CA CA, emailAddress = m...@sentex.ca
>         Validity
>             Not Before: Sep 27 19:43:01 2023 GMT
>             Not After : Nov 13 19:43:01 2033 GMT
>         Subject: C = CA, ST = ON, L = Cambridge, O = Sentex CA, OU = win10, CN = test123456mdt, emailAddress = m...@sentex.ca
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:f5:e0:27:b5:28:0a:f8:a9:ce:13:33:a2:ca:27:
>                     ...
>                     ac:a8:b6:55:bb:a3:a4:43:e5:74:05:aa:c8:69:3d:
>                     ed:ef
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 Easy-RSA Generated Certificate
>             X509v3 Subject Key Identifier:
>                 74:72:3A:87:0D:34:7B:1E:11:C6:18:D2:41:99:C6:5E:D1:8A:81:95
>             X509v3 Authority Key Identifier:
>                 keyid:4F:A0:B0:94:92:6F:24:A7:D4:C6:93:A6:AA:25:63:6C:ED:1E:E3:8C
>                 DirName:/C=CA/ST=ON/L=Cambridge/O=Sentex Parklands CA/CN=Sentex Parklands CA CA/emailAddress=ppsupp...@sentex.ca
>                 serial:F5:3E:37:76:69:AC:EF:EC
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication
>             X509v3 Key Usage:
>                 Digital Signature
>     Signature Algorithm: sha1WithRSAEncryption
>     Signature Value:
>         10:72:36:db:5c:f3:f5:fb:52:82:c7:4c:72:8f:31:ae:

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?
On 29.09.2023 at 01:08, mike tancsa wrote:
> Hi Selva,
>
> Thank you for looking!
>
> > My guess is that something in the certificate or private key is not to
> > OpenSSL 3.1's liking and it rejects it. Is there any way for you to check
> > the contents of the token independently using a tool linked against
> > OpenSSL 3.1 ?
>
> What am I looking for in that case ? Taking a look at the cert just with
> openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows
> version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the
> sha1RSA sig ?

OpenSSL 3.0 has security level 1 by default (OpenSSL 3.1 has 2 by default) and that does not allow SHA1 signatures anymore. See https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_security_level.html

Arne
Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?
On Thu, Sep 28, 2023 at 8:55 PM Arne Schwabe wrote:
>
> On 29.09.2023 at 01:08, mike tancsa wrote:
> > Hi Selva,
> >
> > Thank you for looking!
> >
> > > My guess is that something in the certificate or private key is not to
> > > OpenSSL 3.1's liking and it rejects it. Is there any way for you to check
> > > the contents of the token independently using a tool linked against
> > > OpenSSL 3.1 ?
> >
> > What am I looking for in that case ? Taking a look at the cert just with
> > openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows
> > version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the
> > sha1RSA sig ?
>
> OpenSSL 3.0 has security level 1 by default (OpenSSL 3.1 has 2 by default) and
> that does not allow SHA1 signatures anymore. See
> https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_security_level.html
>

Good point. But, unless the config has "tls-cert-profile foo", we still default to legacy and call SSL_CTX_set_security_level(ctx, 1), don't we? Wouldn't that allow SHA1 with 3.1.x ?

Selva
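The question Selva raises here (does the default "legacy" profile, i.e. security level 1, still let a SHA1-signed client certificate through on OpenSSL 3.x?) and the security-level rule Arne cites can be worked through on the certificate dump Mike posted. The following is an added example, not OpenVPN or OpenSSL code: it parses the fields that matter out of `openssl x509 -text` output and applies the documented level thresholds. Assumptions, labelled in the code: the minimum-bits-per-level table and the "SHA1 forbidden from level 1 on OpenSSL 3.0+" rule are taken from SSL_CTX_set_security_level(3) and from Selva's and Arne's messages; the profile-to-level mapping (insecure=0, legacy=1, preferred=2, suiteb=3) is OpenVPN's `--tls-cert-profile` handling as I know it; the suiteb profile's extra cipher and curve restrictions are not modelled; the certificate text is a constructed sample modelled on Mike's dump (SHA1-signed, RSA-2048), trimmed to the fields the parser reads.

```python
import re

# Minimum security bits required at each OpenSSL security level, from
# SSL_CTX_set_security_level(3). Level 0 applies no restrictions.
LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# OpenVPN --tls-cert-profile names and the OpenSSL security level each selects
# (assumption from OpenVPN's OpenSSL backend); "legacy" is what OpenVPN uses
# when the option is absent. suiteb's cipher/curve limits are not modelled.
TLS_CERT_PROFILE_LEVEL = {"insecure": 0, "legacy": 1, "preferred": 2, "suiteb": 3}


def rsa_security_bits(modulus_bits):
    """Security strength OpenSSL assigns to an RSA modulus (NIST SP 800-57 bands)."""
    for threshold, bits in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= threshold:
            return bits
    return 0


def parse_cert_text(text):
    """Extract the signature algorithm and RSA key size from `openssl x509 -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    key = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not sig or not key:
        raise ValueError("not an RSA certificate dump from `openssl x509 -text`")
    return {"sig_alg": sig.group(1), "key_bits": int(key.group(1))}


def cert_accepted(cert, level, openssl_major=3):
    """Decide whether a leaf certificate passes the security-level checks.

    openssl_major=3 models OpenSSL 3.0+, where SHA1 (and MD5) signatures are
    rejected already at level 1; openssl_major=1 models 1.1.x, where SHA1 still
    counted as 80 bits and only fell out at level 2. Returns (accepted, reason).
    """
    if level not in LEVEL_MIN_BITS:
        raise ValueError(f"unknown security level {level}")
    if level == 0:
        return True, "level 0 imposes no restrictions"
    min_bits = LEVEL_MIN_BITS[level]
    key_bits = rsa_security_bits(cert["key_bits"])
    if key_bits < min_bits:
        return False, f"RSA-{cert['key_bits']} gives {key_bits} bits, level {level} needs {min_bits}"
    digest = cert["sig_alg"].lower()
    if digest.startswith("md5"):
        return False, "MD5 signatures are rejected at level 1 and above"
    if digest.startswith("sha1") and (openssl_major >= 3 or min_bits > 80):
        return False, f"SHA1 signature rejected at level {level} on OpenSSL {openssl_major}.x"
    return True, "accepted"


def profile_report(cert, openssl_major=3):
    """Map each --tls-cert-profile value to whether this certificate would be accepted."""
    return {p: cert_accepted(cert, lvl, openssl_major)[0] for p, lvl in TLS_CERT_PROFILE_LEVEL.items()}


# Constructed sample modelled on the dump in the thread (SHA1-signed, RSA-2048);
# only the fields the parser reads are kept.
SAMPLE_SHA1_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

# Constructed sample of the same certificate re-signed with SHA-256.
SAMPLE_SHA256_CERT = SAMPLE_SHA1_CERT.replace("sha1WithRSAEncryption", "sha256WithRSAEncryption")

if __name__ == "__main__":
    for name, text in (("sha1", SAMPLE_SHA1_CERT), ("sha256", SAMPLE_SHA256_CERT)):
        cert = parse_cert_text(text)
        print(name, "OpenSSL 1.1.x:", profile_report(cert, 1))
        print(name, "OpenSSL 3.x:  ", profile_report(cert, 3))
```

Run stand-alone, the report shows why the same config behaved differently between 2.5.4 and 2.6.6: with a SHA1-signed leaf, "legacy" passes on 1.1.x and fails on 3.x, and only "insecure" (level 0) accepts it on 3.x; re-signing the client certificate with SHA-256 makes it pass at "legacy" and "preferred" without touching the profile.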
Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?
Hi Selva,

Thank you for looking!

> My guess is that something in the certificate or private key is not to
> OpenSSL 3.1's liking and it rejects it. Is there any way for you to check
> the contents of the token independently using a tool linked against
> OpenSSL 3.1 ?

What am I looking for in that case ? Taking a look at the cert just with openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the sha1RSA sig ?

# openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
#

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7109 (0x1bc5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CA, ST = ON, L = Cambridge, O = Sentex CA, CN = Sentex private1test CA CA, emailAddress = m...@sentex.ca
        Validity
            Not Before: Sep 27 19:43:01 2023 GMT
            Not After : Nov 13 19:43:01 2033 GMT
        Subject: C = CA, ST = ON, L = Cambridge, O = Sentex CA, OU = win10, CN = test123456mdt, emailAddress = m...@sentex.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f5:e0:27:b5:28:0a:f8:a9:ce:13:33:a2:ca:27:
                    ...
                    ac:a8:b6:55:bb:a3:a4:43:e5:74:05:aa:c8:69:3d:
                    ed:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                74:72:3A:87:0D:34:7B:1E:11:C6:18:D2:41:99:C6:5E:D1:8A:81:95
            X509v3 Authority Key Identifier:
                keyid:4F:A0:B0:94:92:6F:24:A7:D4:C6:93:A6:AA:25:63:6C:ED:1E:E3:8C
                DirName:/C=CA/ST=ON/L=Cambridge/O=Sentex Parklands CA/CN=Sentex Parklands CA CA/emailAddress=ppsupp...@sentex.ca
                serial:F5:3E:37:76:69:AC:EF:EC
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        10:72:36:db:5c:f3:f5:fb:52:82:c7:4c:72:8f:31:ae:
Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?
Hi Mike,

On Thu, Sep 28, 2023 at 5:28 PM mike tancsa wrote:
> I am starting to test out 2.6.6 with a config that worked in 2.5.4 but
> am getting a failure on connect. I did have a look through the
> Changes.rst file but didn't see anything different ? The only pkcs11 bits
> I have in the config are
>
> pkcs11-providers eTpkcs11.dll
> pkcs11-id 'pkcs11:model=eToken;token='
>
> and the same config works with the older version. Are there new
> directives I need to add ? This is a Gemalto/Thales eToken. Again, it
> works fine in this environment with the only change being the version of
> OpenVPN.
>

The main change is the upgrade to OpenSSL 3.x which seems not to like the certificate or key. Normally it should just work with no changes to the config.

> 2023-09-28 17:05:12 us=578000 PKCS#11: Failed to set cert and private
> key for OpenSSL
>

This implies the call to OpenSSL's "SSL_CTX_set_cert_and_key()" failed. The certificate and private key handle from the token are acquired before this and set in xkey-provider --- both of those tasks have completed without errors. Very unusual and rare to error out at this point. Unfortunately we do not log the reason for this failure. Instead we clear OpenSSL's error queue and print a generic error saying private key password verification failed. A retry is triggered if "auth-retry" is set to "interact", else we exit as happened in your case.

> 2023-09-28 17:05:12 us=578000 Error: private key password verification
> failed
>

Not a very useful error message. My guess is that something in the certificate or private key is not to OpenSSL 3.1's liking and it rejects it. Is there any way for you to check the contents of the token independently using a tool linked against OpenSSL 3.1 ?

Selva
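Selva's explanation above is the key to reading this kind of log: the "private key password verification failed" line is generic, and the real failure point is the earlier "Failed to set cert and private key for OpenSSL" message, emitted after the token's certificate and key handles were already acquired. As an added example (not OpenVPN code) the script below runs that reasoning over OpenVPN log lines: it parses the timestamped format, records each PKCS#11 provider's registration result from the pkcs11-helper "registered rv=" line, picks the earliest failure marker and attaches the meaning Selva gives it, and flags the generic error separately so it is not mistaken for the cause. The log samples are constructed, modelled on the lines in the thread with a placeholder token id; the second sample (a provider that fails to register with CKR_GENERAL_ERROR) is illustrative only.

```python
import re

# One OpenVPN log line: "YYYY-MM-DD HH:MM:SS us=NNNNNN message"
LOG_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) us=(?P<us>\d+) (?P<msg>.*)$")

# pkcs11-helper reports registration as "Provider '<name>' registered rv=<n>-'<CKR_*>'"
PROVIDER_RV = re.compile(r"Provider '(?P<name>[^']+)' registered rv=(?P<rv>\d+)-'(?P<ckr>\w+)'")

# Messages that mark where the PKCS#11 -> OpenSSL hand-over broke, in the order
# OpenVPN 2.6 emits them, with the meaning taken from the explanation in the
# thread. The later "private key password verification failed" is generic and
# is reported separately rather than as a cause.
FAILURE_MARKERS = [
    ("Failed to set cert and private key for OpenSSL",
     "SSL_CTX_set_cert_and_key() rejected the certificate/key pair after both "
     "handles were acquired from the token; check the certificate against the "
     "OpenSSL security level rather than the token PIN"),
    ("Cannot load certificate",
     "certificate could not be handed to OpenSSL via the PKCS#11 interface"),
]
GENERIC_ERROR = "private key password verification failed"


def parse_log(text):
    """Return parsed lines as dicts (ts, us, msg); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Find the earliest PKCS#11 failure and whether the generic error followed it."""
    result = {"providers": {}, "root_cause": None, "generic_error_seen": False}
    for ev in parse_log(text):
        msg = ev["msg"]
        p = PROVIDER_RV.search(msg)
        if p:
            result["providers"][p["name"]] = p["ckr"]
            if p["ckr"] != "CKR_OK" and result["root_cause"] is None:
                result["root_cause"] = f"provider {p['name']} failed to register: {p['ckr']}"
            continue
        if GENERIC_ERROR in msg:
            result["generic_error_seen"] = True
            continue
        if result["root_cause"] is None:
            for marker, meaning in FAILURE_MARKERS:
                if marker in msg:
                    result["root_cause"] = meaning
                    break
    return result


# Constructed sample modelled on the thread's log; token id replaced by a placeholder.
SAMPLE_LOG = """\
2023-09-28 17:05:12 us=484000 PKCS#11: Adding PKCS#11 provider 'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return rv=84-'CKR_FUNCTION_NOT_SUPPORTED'
2023-09-28 17:05:12 us=484000 PKCS#11: Provider 'eTpkcs11.dll' registered rv=0-'CKR_OK'
2023-09-28 17:05:12 us=578000 PKCS#11: Failed to set cert and private key for OpenSSL
2023-09-28 17:05:12 us=578000 Cannot load certificate "pkcs11:model=eToken;token=PLACEHOLDER" using PKCS#11 interface
2023-09-28 17:05:12 us=578000 Error: private key password verification failed
2023-09-28 17:05:12 us=578000 Exiting due to fatal error
"""

# Constructed, illustrative sample: the provider library itself fails to register.
SAMPLE_LOG_NO_PROVIDER = """\
2023-09-28 17:05:12 us=484000 PKCS#11: Adding PKCS#11 provider 'missing.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: Provider 'missing.dll' registered rv=5-'CKR_GENERAL_ERROR'
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_NO_PROVIDER):
        print(triage(sample))
```

Note that the pkcs11h_setProperty line returning CKR_FUNCTION_NOT_SUPPORTED is deliberately not treated as a failure: it appears in the working part of Mike's log before the provider registers cleanly, so a triage rule keyed on any non-CKR_OK return value would point at the wrong place.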
[Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?
I am starting to test out 2.6.6 with a config that worked in 2.5.4 but am getting a failure on connect. I did have a look through the Changes.rst file but didn't see anything different ? The only pkcs11 bits I have in the config are

pkcs11-providers eTpkcs11.dll
pkcs11-id 'pkcs11:model=eToken;token='

and the same config works with the older version. Are there new directives I need to add ? This is a Gemalto/Thales eToken. Again, it works fine in this environment with the only change being the version of OpenVPN.

2023-09-28 17:05:12 us=484000 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-09-28 17:05:12 us=484000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-09-28 17:05:12 us=484000 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-09-28 17:05:12 us=484000 DCO version: v0
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty entry property='1', value=007116AFD5A0, value_size=4
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return rv=84-'CKR_FUNCTION_NOT_SUPPORTED'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty entry property='7', value=007116AFD5A8, value_size=8
2023-09-28 17:05:12 us=484000 PKCS#11: Setting property 7=*size*
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 NOTE: --mute triggered...
2023-09-28 17:05:12 us=484000 15 variation(s) on previous 20 message(s) suppressed by --mute
2023-09-28 17:05:12 us=484000 PKCS#11: Adding PKCS#11 provider 'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_registerProvider entry version='1.29.0', reference='eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: Register provider 'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_registerProvider Provider 'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: Provider 'eTpkcs11.dll' registered rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_registerProvider return rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProviderProperty entry reference='eTpkcs11.dll', property='0', value=018E5DBA6E88, value_size=13
2023-09-28 17:05:12 us=484000 NOTE: --mute triggered...
2023-09-28 17:05:12 us=578000 75 variation(s) on previous 20 message(s) suppressed by --mute
2023-09-28 17:05:12 us=578000 PKCS#11: Failed to set cert and private key for OpenSSL
2023-09-28 17:05:12 us=578000 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=018E5F93D200, ptr=, ad=018E5F93D290, idx=1, argl=0, argp=7FFDBF4E3D38
2023-09-28 17:05:12 us=578000 PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=018E5DC4BA20
2023-09-28 17:05:12 us=578000 PKCS#11: _pkcs11h_session_release entry session=018E5DC00AC0
2023-09-28 17:05:12 us=578000 PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
2023-09-28 17:05:12 us=578000 PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=018E5FAF18B0
2023-09-28 17:05:12 us=578000 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=018E5FAF1CE0
2023-09-28 17:05:12 us=578000 NOTE: --mute triggered...
2023-09-28 17:05:12 us=578000 8 variation(s) on previous 20 message(s) suppressed by --mute
2023-09-28 17:05:12 us=578000 Cannot load certificate "pkcs11:model=eToken;token=ess123456mdt;manufacturer=SafeNet%2c%20Inc.;serial=02ca3753;id=%d2-%f7%94%98%8f%a2%60" using PKCS#11 interface
2023-09-28 17:05:12 us=578000 Error: private key password verification failed
2023-09-28 17:05:12 us=578000 Exiting due to fatal error

Thanks,

---Mike