Public bug reported:
Binary package hint: openssl-blacklist
When this package is installed along with the openvpn updates it breaks
existing openvpn tunnels and, where openvpn is configured as a server
with multiple clients, makes it impossible to fix the keys and
certificates. There needs to be an explicit option to over-ride the
refusal to use a key.
I was caught out by this where I allowed the local (client) PC to update
openvpn and openssl *before re-generating keys* but then openvpn refused
to use the existing client certificate since it was possibly
compromised. The problem was, the openvpn tunnel was needed in order to
transfer an updated client certificate to the server (and server
certificate to clients), since the server is configured to only allow
remote management through the tunnel - there is no public SSH access
which would allow use of sshfs, etc.
Because removing openssl-blacklist would cause openvpn and many other
packages (including ubuntu-desktop) to be removed, I deleted the
binaries manually:
$ sudo mv /usr/sbin/openssl-vulnkey /usr/sbin/openssl-vulnkey.bak
$ sudo mv /usr/sbin/openvpn-vulnkey /usr/sbin/openvpn-vulnkey.bak
And replaced openssl-vulnkey with a symbolic link to 'true' so openvpn
thinks the client certificate was checked and is okay:
$ sudo ln -s /bin/true /usr/sbin/openssl-vulnkey
After that the openvpn tunnel could be re-established so that a proper
managed key and package update can be performed.
There needs to be clear warnings *before* the security update is applied
that openssl should be updated and keys and certificates should be
regenerated *manually* if a potential server lock-out is to be avoided.
** Affects: openssl-blacklist (Ubuntu)
Importance: Undecided
Status: New
** Affects: openvpn (Ubuntu)
Importance: Undecided
Status: New
** Also affects: openvpn (Ubuntu)
Importance: Undecided
Status: New
--
Knocks out openvpn tunnels before both ends have keys regenerated
https://bugs.launchpad.net/bugs/232493
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs