OpenVPN problems since update to CentOS 7

dominik
Posts: 2
Joined: 2014/07/14 14:18:37

OpenVPN problems since update to CentOS 7

Postby dominik » 2014/07/14 15:03:57

Hello,

I've just updated to CentOS 7. Unfortunately, this broke my VPN access. OpenVPN complains

VERIFY ERROR: depth=0, error=certificate signature failure
SSL alert (write): fatal: decrypt error

Snippet of the log file:
Mon Jul 14 16:24:18 2014 us=54800 ciphername_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54805 ciphername = 'BF-CBC'
Mon Jul 14 16:24:18 2014 us=54810 authname_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54815 authname = 'SHA1'
Mon Jul 14 16:24:18 2014 us=54820 prng_hash = 'SHA1'
------- SNIP -------

Mon Jul 14 16:24:18 2014 us=55541 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul 14 2014
------- SNIP -------
Mon Jul 14 16:24:23 2014 us=212915 TLS: tls_multi_process: i=0 state=S_SENT_KEY, mysid=959d12ad 3fd6358b, stored-sid=21b1e50a 63e80c5c, stored-ip=193.175.73.100:1194
Mon Jul 14 16:24:23 2014 us=212920 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNXXF to_link->len=0 wakeup=604800
Mon Jul 14 16:24:23 2014 us=212925 ACK reliable_can_send active=0 current=0 : [3]
Mon Jul 14 16:24:23 2014 us=212931 BIO write tls_write_ciphertext 100 bytes
Mon Jul 14 16:24:23 2014 us=212935 Incoming Ciphertext -> TLS
Mon Jul 14 16:24:23 2014 us=213196 VERIFY OK: depth=1, /C=XX/ST=MYTOWN/L=MYTOWN/O=OpenVPN-Myprovider/CN=OpenVPN-Myprovider-CA/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213223 VERIFY ERROR: depth=0, error=certificate signature failure: /C=XX/ST=MYTOWN/O=OpenVPN-Myprovider/CN=server/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213238 SSL alert (write): fatal: decrypt error
Mon Jul 14 16:24:23 2014 us=213271 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 14 16:24:23 2014 us=213277 TLS Error: TLS object -> incoming plaintext read error
Mon Jul 14 16:24:23 2014 us=213282 TLS Error: TLS handshake failed

The config file is

client
dev tun
proto udp
remote xxx.myprovider.xx 1194
remote XXX.YYY.XX.YYY 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client.p12
comp-lzo
verb 12
reneg-sec 0
auth-user-pass
script-security 2
explicit-exit-notify
mute-replay-warnings
ns-cert-type server


The error occurs with the packaged versions of OpenVPN and openssl as well as with compiled OpenVPN 2.3.4/openssl-1.0.1h and OpenVPN-2.3.2/openssl-0.9.8y, either with a p12 file or ca/cert/key files. It used to work with the same files before and it still does work with Tunnelblick under Mac OS X. A fresh config.p12 (as well as fresh ca/cert/key files) did not help.
SELinux is disabled. The certificates are encrypted with MD5 and SHA1 (usercert: Signature Algorithm: sha1WithRSAEncryption; CA: Signature Algorithm: md5WithRSAEncryption).

Our server admin can see my connection attempts but also does not know the cause - apparently, all other users can connect without problems. So I suspect some change in CentOS 7 to cause the problem. What else could I try?

Thanks in advance,
Dominik

TrevorH
Forum Moderator
Posts: 19683
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Postby TrevorH » 2014/07/14 15:29:36

md5 support has been removed as it's no longer regarded as secure (even by Microsoft!)
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

dominik
Posts: 2
Joined: 2014/07/14 14:18:37

Re: OpenVPN problems since update to CentOS 7

Postby dominik » 2014/07/17 06:44:25

> md5 support has been removed as it's no longer regarded as secure (even by Microsoft!)

Update: I finally managed to get it running by setting these env variables:

NSS_HASH_ALG_SUPPORT=+MD5
OPENSSL_ENABLE_MD5_VERIFY=1

I found the first one in discussions about NSS but this seems not to be enough to 'fool' CentOS. After setting the latter one in my /etc/profile, I could connect via openvpn from the shell.

However, apparently the NetworkManager-openvpn GUI does not read the variables (it still raises the VERIFY ERROR) - is there any way to tell it to do so?

Thanks,
Dominik

mmatyas
Posts: 1
Joined: 2014/07/25 08:40:12

Re: OpenVPN problems since update to CentOS 7

Postby mmatyas » 2014/07/25 08:59:33

It took me a while to figure out why OpenVPN through NetworkManager was not working on CentOS 7 with old MD5 certificates, but I found a solution.

In /usr/lib/systemd/system/NetworkManager.service:

[Service]
# One quoted assignment per variable; a single quoted string with a space would set only the first variable.
Environment="OPENSSL_ENABLE_MD5_VERIFY=1" "NSS_HASH_ALG_SUPPORT=+MD5"


systemctl daemon-reload
systemctl restart NetworkManager.service

The relevant error messages were:

nm-openvpn TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

and from openssl verify -CAfile ca.pem cert.pem:
error 7 at 0 depth lookup:certificate signature failure
139819312576416:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:179:

TrevorH
Forum Moderator
Posts: 19683
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Postby TrevorH » 2014/07/25 11:45:12

I think Redhat took the decision to disable MD5 certs because they are no longer seen as reliable. You should probably review which certs they are and get them reissued using a different mechanism.
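To follow TrevorH's advice and find out which certificates are the MD5-signed ones before they are reissued, here is an added example (not code from this thread): a small pure-Python DER walker that reads the outer signatureAlgorithm OID of every certificate in a PEM bundle (so a ca.pem chain holding several certificates is covered) and lists those signed with md5WithRSAEncryption. The certificate skeletons built by constructed_cert_pem are constructed samples, not real certificates, and exist only so the check runs offline.

```python
import base64
import re
# OIDs of the RSA signature schemes named in the thread, plus SHA-256.
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK_SIGS = {"md5WithRSAEncryption"}  # what OpenSSL on CentOS 7 refuses to verify
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, cur = [], 0
    for b in raw:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    first = arcs[0]  # the first byte packs arc1*40 + arc2
    arcs[0:1] = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm of a DER Certificate."""
    _, cert, _ = der_tlv(der, 0)          # Certificate ::= SEQUENCE { ... }
    _, _tbs, pos = der_tlv(cert, 0)       # tbsCertificate, not needed for this check
    _, alg_id, _ = der_tlv(cert, pos)     # signatureAlgorithm ::= AlgorithmIdentifier
    _, oid_raw, _ = der_tlv(alg_id, 0)    # algorithm OBJECT IDENTIFIER
    oid = decode_oid(oid_raw)
    return oid, SIG_OIDS.get(oid, "unknown(" + oid + ")")

def weak_certs_in_bundle(pem_text):
    """(index, algorithm) for every certificate in a PEM bundle signed with a weak scheme."""
    names = [signature_algorithm(base64.b64decode("".join(m.group(1).split())))[1]
             for m in PEM_RE.finditer(pem_text)]
    return [(i, n) for i, n in enumerate(names) if n in WEAK_SIGS]

def constructed_cert_pem(last_oid_byte):
    """CONSTRUCTED skeleton, not a real cert: tbs placeholder, AlgorithmIdentifier 1.2.840.113549.1.1.<n>, empty BIT STRING."""
    der = (bytes.fromhex("30183003020102300d06092a864886f70d0101")
           + bytes([last_oid_byte]) + bytes.fromhex("050003020000"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

On a real file the same answer comes from openssl x509 -in cert.pem -noout -text, which prints the Signature Algorithm line this parser extracts.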

nurray
Posts: 1
Joined: 2017/04/12 05:48:12

Re: OpenVPN problems since update to CentOS 7

Postby nurray » 2017/04/12 05:59:15

I too ran into this problem, but I was not running NetworkManager so I did it (very) slightly differently.

I edited /usr/lib/systemd/system/openvpn-client@.service and added the "Environment" line to the "[Service]" section.

This way, only OpenVPN has the extra environment variables set.

My thanks for working out how to do this and yes the OpenVPN setup is scheduled to be upgraded. Adding the CentOS 7 system is the first step in that process.

TrevorH
Forum Moderator
Posts: 19683
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Postby TrevorH » 2017/04/12 10:52:23

> I edited /usr/lib/systemd/system/openvpn-client@.service and added the "Environment" line to the "[Service]" section.


That change will get backed out next time the openvpn package is updated as files in /usr/lib/systemd/system are not marked as config files so yum will overwrite them. You should probably copy the file to /etc/systemd/system and amend it there, or use systemctl edit openvpn-client@.service --full and let systemd copy it and edit it that way.