Gentoo Forums
OpenVPN and MD5.
mgnut57
Apprentice


Joined: 12 Jan 2008
Posts: 188

PostPosted: Mon May 29, 2017 5:35 am    Post subject: OpenVPN and MD5. Reply with quote

Is there any way to override the ban on MD5 certificates in OpenVPN?

Redhat/CentOS provide a couple of mechanisms for this. They don't seem to work under Gentoo.

I know that the real solution is to re-build the certificates, but while doing that, I would like to be able to update OpenVPN to the latest version.
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

PostPosted: Tue May 30, 2017 6:29 am    Post subject: Reply with quote

Usually, it's time to just do it and get rid of the md5...

Assuming you mean your openvpn server here too, if you're talking about client, it's a bit different. Anyway, I see that the CentOS/RHEL way is a hack to systemd files, so did you port them to openrc? Supposedly these are just environment variables that need to be set. I'm not sure if /etc/conf.d/* get exported, so probably safest to hack the init script:

(I haven't tested, this is only a test)

Edit your /etc/init.d/openvpn, search for:
Code:
        start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
                -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
                --setenv SVCNAME "${SVCNAME}" ${args}

Add this before start-stop-daemon:
Code:
export OPENSSL_ENABLE_MD5_VERIFY=1
export NSS_HASH_ALG_SUPPORT=+MD5

Theoretically you should be able to edit conf.d but not entirely sure if those get exported or not....

Again, I don't know if this actually works since I use regular certificates for my openvpn, perhaps this feature was dropped in our version of openssl...do the versions match?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
mgnut57
Apprentice


Joined: 12 Jan 2008
Posts: 188

PostPosted: Wed May 31, 2017 4:47 am    Post subject: Reply with quote

eccerr0r wrote:

Code:
export OPENSSL_ENABLE_MD5_VERIFY=1
export NSS_HASH_ALG_SUPPORT=+MD5


I did try setting those. They don't seem to work: I think that they must be a RHEL/CentOS hack for backwards compatibility.
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

PostPosted: Wed May 31, 2017 10:36 am    Post subject: Reply with quote

What version of openssl are you using now with openvpn?
Seems that even a few versions of openssl prior to 1.1 have this disabled.

But yes it looks like RHEL probably took initiative and hacked this in before all the other distros fell into this upgrade trap... Oh well. Time to swipe their patches and add it in...

This is stolen from Fedora rawhide which I backported to 1.0.2k.
Try adding this to /etc/portage/patches/dev-libs/openssl/md5-hack.patch and remerge openssl-1.0.2k assuming this is what you're using (1.0.2k appears to be the stable version in portage right now):

Code:
diff -ur openssl-1.0.2k/crypto/asn1/a_verify.c openssl-1.0.2k-patch/crypto/asn1/a_verify.c
--- openssl-1.0.2k/crypto/asn1/a_verify.c   2017-01-26 06:22:03.000000000 -0700
+++ openssl-1.0.2k-patch/crypto/asn1/a_verify.c   2017-05-31 05:27:34.690556605 -0600
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
+
 #include <stdio.h>
 #include <time.h>
 
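Review bot: the `#define _GNU_SOURCE` is correctly placed before the first system include, but the hunk adds no `#include <stdlib.h>`, which is where glibc declares `secure_getenv`; the second hunk compiles only because a later header pulls it in transitively, so add the include explicitly here. `secure_getenv` also exists only in glibc (2.17 and later), so the file no longer builds against other libcs unless the call is guarded.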
@@ -174,6 +177,11 @@
         if (ret != 2)
             goto err;
         ret = -1;
+    } else if (mdnid == NID_md5
+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+        goto err;
     } else {
         const EVP_MD *type;
         type = EVP_get_digestbynid(mdnid);
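Review bot: this branch only adds a rejection path: with `mdnid == NID_md5` and `OPENSSL_ENABLE_MD5_VERIFY` unset it fails, and with the variable set it falls through to the existing `else`, which is exactly what the unpatched code already did with MD5. If the unpatched 1.0.2k build was already refusing the certificate (for instance in OpenVPN's own verify callback or in TLS 1.2 signature-algorithm negotiation rather than in `ASN1_item_verify`), this patch cannot make it accept one, so confirm where the refusal originates before relying on it. Two smaller points: `secure_getenv` returns NULL in AT_SECURE (setuid) processes, so the override is silently ignored there, and `ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM` reports a disabled digest as "unknown", which is misleading when diagnosing exactly this situation; a reason that says MD5 is disabled would be clearer.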



Note I did not test (sorry, I don't use md5 certificates) and you also need the environment variable like for RHEL/CentOS as this patch was from RH after all.
mgnut57
Apprentice


Joined: 12 Jan 2008
Posts: 188

PostPosted: Thu Jun 01, 2017 2:51 am    Post subject: Reply with quote

Quote:
What version of openssl are you using now with openvpn?

Code:
# equery list openssl
 * Searching for openssl ...
[IP-] [  ] dev-libs/openssl-0.9.8z_p8:0.9.8
[IP-] [  ] dev-libs/openssl-1.0.2k:0
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

PostPosted: Thu Jun 01, 2017 3:51 am    Post subject: Reply with quote

$ ldd /usr/sbin/openvpn
linux-gate.so.1 (0xb77af000)
liblzo2.so.2 => /lib/liblzo2.so.2 (0xb7769000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb76fd000)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb7526000)
libdl.so.2 => /lib/libdl.so.2 (0xb7521000)
libc.so.6 => /lib/libc.so.6 (0xb737a000)
libz.so.1 => /lib/libz.so.1 (0xb7360000)
/lib/ld-linux.so.2 (0xb77b0000)

If it looks like this, try the patch.
mgnut57
Apprentice


Joined: 12 Jan 2008
Posts: 188

PostPosted: Thu Jun 01, 2017 3:58 am    Post subject: Reply with quote

Code:
# ldd /usr/sbin/openvpn
   linux-vdso.so.1 (0x00007ffd3cd8d000)
   liblzo2.so.2 => /lib64/liblzo2.so.2 (0x00007f0bab502000)
   libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0bab0ce000)
   libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0baae61000)
   libdl.so.2 => /lib64/libdl.so.2 (0x00007f0baac5e000)
   libc.so.6 => /lib64/libc.so.6 (0x00007f0baa8d0000)
   libz.so.1 => /lib64/libz.so.1 (0x00007f0baa6b9000)
   /lib64/ld-linux-x86-64.so.2 (0x00007f0bab724000)


eccerr0r wrote:


Code:
diff -ur openssl-1.0.2k/crypto/asn1/a_verify.c openssl-1.0.2k-patch/crypto/asn1/a_verify.c
--- openssl-1.0.2k/crypto/asn1/a_verify.c   2017-01-26 06:22:03.000000000 -0700
+++ openssl-1.0.2k-patch/crypto/asn1/a_verify.c   2017-05-31 05:27:34.690556605 -0600
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
+
 #include <stdio.h>
 #include <time.h>
 
@@ -174,6 +177,11 @@
         if (ret != 2)
             goto err;
         ret = -1;
+    } else if (mdnid == NID_md5
+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+        goto err;
     } else {
         const EVP_MD *type;
         type = EVP_get_digestbynid(mdnid);




I tried this. It did not work.
Code:
export OPENSSL_ENABLE_MD5_VERIFY=1
export NSS_HASH_ALG_SUPPORT=+MD5
/usr/sbin/openvpn --config /etc/openvpn/ukvps.conf
Wed May 31 20:52:23 2017 OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 28 2017
Wed May 31 20:52:23 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Wed May 31 20:52:23 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 31 20:52:23 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Wed May 31 20:52:23 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 31 20:52:23 2017 UDP link local: (not bound)
Wed May 31 20:52:23 2017 UDP link remote: [AF_INET]X.X.X.X:1194
Wed May 31 20:52:23 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed May 31 20:52:29 2017 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=1e4f6ec1 3bbb9dc3
Wed May 31 20:52:29 2017 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=CA, L=SanFrancisco, O= , OU=matthews-family, CN=matthews-family.org.uk, emailAddress=simon
Wed May 31 20:52:29 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Wed May 31 20:52:29 2017 TLS_ERROR: BIO read tls_read_plaintext error
Wed May 31 20:52:29 2017 TLS Error: TLS object -> incoming plaintext read error
Wed May 31 20:52:29 2017 TLS Error: TLS handshake failed
Wed May 31 20:52:29 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed May 31 20:52:29 2017 Restart pause, 5 second(s)
Wed May 31 20:52:34 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 31 20:52:34 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Wed May 31 20:52:34 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 31 20:52:34 2017 UDP link local: (not bound)
Wed May 31 20:52:34 2017 UDP link remote: [AF_INET]X.X.X.X:1194
^CWed May 31 20:52:34 2017 event_wait : Interrupted system call (code=4)
Wed May 31 20:52:34 2017 SIGINT[hard,] received, process exiting



Note: real IP address of remote server replaced by X.X.X.X

The error message associated with the MD5 issue is: "TLS Error: TLS object -> incoming plaintext read error" although I am wondering if the crl issue may also be causing problems.
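As an added triage example (not code from this thread), the following Python separates the two distinct VERIFY ERROR causes seen in the logs above, the expired CRL and the certificate signature failure, from the generic "TLS Error" lines that follow either of them; the sample lines are constructed from the excerpts posted in this thread, with the subjects replaced by placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the two excerpts quoted in this thread
# (the poster's 2017 client run and the 2014 MD5 example); not real captures.
SAMPLE_LOG = """\
Wed May 31 20:52:23 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 31 20:52:29 2017 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=CA, CN=client.example.invalid
Wed May 31 20:52:29 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Wed May 31 20:52:29 2017 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, CN=vpn.server.com
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
"""

VERIFY_ERROR = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")

# OpenSSL X509 verify reasons as OpenVPN prints them -> triage category and the
# fix a defender applies. Anything not listed is reported as-is for inspection.
REASONS = {
    "certificate signature failure": ("signature-failure",
        "re-issue the chain with SHA-256 signatures instead of re-enabling MD5"),
    "CRL has expired": ("stale-crl",
        "regenerate the CRL (its nextUpdate has passed) and redeploy it"),
}

@dataclass
class Finding:
    category: str
    depth: int
    subject: str
    action: str

def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None for lines that name no verify reason (the
    generic 'TLS Error: ...' lines follow every failure and carry no cause)."""
    m = VERIFY_ERROR.search(line)
    if not m:
        return None
    depth, reason, subject = int(m.group(1)), m.group(2), m.group(3)
    category, action = REASONS.get(reason, ("other-verify-error", "inspect: " + reason))
    return Finding(category, depth, subject, action)

def triage_log(text: str) -> List[Finding]:
    """One Finding per VERIFY ERROR line, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]

def has_no_server_verification(text: str) -> bool:
    """True if the MITM warning (no server certificate verification) appeared."""
    return "No server certificate verification method has been enabled" in text
```

Run against the poster's full log, this reports the CRL as the first failure to fix; the MD5 question only becomes testable once the CRL no longer masks it.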
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

PostPosted: Thu Jun 01, 2017 5:28 am    Post subject: Reply with quote

Weird, is the error same as before?

This supposedly is an MD5 signature error example taken from another site...

Code:
Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014
Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed


BTW, did the emerge log say the patch got taken cleanly?

In any case, the verify error now says it's indeed your certificate revocation list that expired, but you weren't using certificates?

Confusing indeed...
mgnut57
Apprentice


Joined: 12 Jan 2008
Posts: 188

PostPosted: Fri Jun 02, 2017 5:21 am    Post subject: Reply with quote

I think that the patch got taken cleanly: I didn't see anything on the screen as it did the patch.
Code:
# strings /usr/lib64/libcrypto.so.1.0.0 | grep OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_ENABLE_MD5_VERIFY