OpenVPN problems since update to CentOS 7

Issues related to configuring your network
dominik
Posts: 2
Joined: 2014/07/14 14:18:37

OpenVPN problems since update to CentOS 7

Postby dominik » 2014/07/14 15:03:57

Hello,

I've just updated to CentOS 7. Unfortunately, this broke my VPN access. OpenVPN complains

VERIFY ERROR: depth=0, error=certificate signature failure
SSL alert (write): fatal: decrypt error

Snippet of the log file:
Mon Jul 14 16:24:18 2014 us=54800 ciphername_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54805 ciphername = 'BF-CBC'
Mon Jul 14 16:24:18 2014 us=54810 authname_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54815 authname = 'SHA1'
Mon Jul 14 16:24:18 2014 us=54820 prng_hash = 'SHA1'
------- SNIP -------

Mon Jul 14 16:24:18 2014 us=55541 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul 14 2014
------- SNIP -------
Mon Jul 14 16:24:23 2014 us=212915 TLS: tls_multi_process: i=0 state=S_SENT_KEY, mysid=959d12ad 3fd6358b, stored-sid=21b1e50a 63e80c5c, stored-ip=193.175.73.100:1194
Mon Jul 14 16:24:23 2014 us=212920 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNXXF to_link->len=0 wakeup=604800
Mon Jul 14 16:24:23 2014 us=212925 ACK reliable_can_send active=0 current=0 : [3]
Mon Jul 14 16:24:23 2014 us=212931 BIO write tls_write_ciphertext 100 bytes
Mon Jul 14 16:24:23 2014 us=212935 Incoming Ciphertext -> TLS
Mon Jul 14 16:24:23 2014 us=213196 VERIFY OK: depth=1, /C=XX/ST=MYTOWN/L=MYTOWN/O=OpenVPN-Myprovider/CN=OpenVPN-Myprovider-CA/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213223 VERIFY ERROR: depth=0, error=certificate signature failure: /C=XX/ST=MYTOWN/O=OpenVPN-Myprovider/CN=server/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213238 SSL alert (write): fatal: decrypt error
Mon Jul 14 16:24:23 2014 us=213271 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 14 16:24:23 2014 us=213277 TLS Error: TLS object -> incoming plaintext read error
Mon Jul 14 16:24:23 2014 us=213282 TLS Error: TLS handshake failed

The config file is

client
dev tun
proto udp
remote xxx.myprovider.xx 1194
remote XXX.YYY.XX.YYY 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client.p12
comp-lzo
verb 12
reneg-sec 0
auth-user-pass
script-security 2
explicit-exit-notify
mute-replay-warnings
ns-cert-type server


The error occurs with the packaged versions of OpenVPN and openssl as well as with compiled OpenVPN 2.3.4/openssl-1.0.1h and OpenVPN-2.3.2/openssl-0.9.8y, either with a p12 file or ca/cert/key files. It used to work with the same files before and it still does work with Tunnelblick under Mac OS X. A fresh config.p12 (as well as fresh ca/cert/key files) did not help.
SELinux is disabled. The certificates are encrypted with MD5 and SHA1 (usercert: Signature Algorithm: sha1WithRSAEncryption; CA: Signature Algorithm: md5WithRSAEncryption).

Our server admin can see my connection attempts but also does not know the cause - apparently, all other users can connect without problems. So I suspect some change in CentOS 7 to cause the problem. What else could I try?

Thanks in advance,
Dominik

TrevorH
Forum Moderator
Posts: 18610
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Postby TrevorH » 2014/07/14 15:29:36

md5 support has been removed as it's no longer regarded as secure (even by Microsoft!)
CentOS 5 dies in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

dominik
Posts: 2
Joined: 2014/07/14 14:18:37

Re: OpenVPN problems since update to CentOS 7

Postby dominik » 2014/07/17 06:44:25

md5 support has been removed as it's no longer regarded as secure (even by Microsoft!)

Update: I finally managed to get it running by setting these env variables:

NSS_HASH_ALG_SUPPORT=+MD5
OPENSSL_ENABLE_MD5_VERIFY=1

I found the first one in discussions about NSS but this seems not to be enough to 'fool' CentOS. After setting the latter one in my /etc/profile, I could connect via openvpn from the shell.

However, apparently the NetworkManager-openvpn GUI does not read the variables (it still raises the VERIFY ERROR) - is there any way to tell it to do so?

Thanks,
Dominik

mmatyas
Posts: 1
Joined: 2014/07/25 08:40:12

Re: OpenVPN problems since update to CentOS 7

Postby mmatyas » 2014/07/25 08:59:33

It took me a while to figure out why OpenVPN through NetworkManager was not working on CentOS 7 with old MD5 certificates, but I found a solution.

In /usr/lib/systemd/system/NetworkManager.service:

[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"


systemctl daemon-reload
systemctl restart NetworkManager.service

The relevant error messages were:

nm-openvpn TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


and on openssl verify -CAfile ca.pem cert.pem
error 7 at 0 depth lookup:certificate signature failure
139819312576416:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:179:

TrevorH
Forum Moderator
Posts: 18610
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Postby TrevorH » 2014/07/25 11:45:12

I think Redhat took the decision to disable MD5 certs because they are no longer seen as reliable. You should probably review which certs they are and get them reissued using a different mechanism.

