OpenVPN problems since update to CentOS 7

dominik
Posts: 2
Joined: 2014/07/14 14:18:37

OpenVPN problems since update to CentOS 7

Post by dominik » 2014/07/14 15:03:57

Hello,

I've just updated to CentOS 7. Unfortunately, this broke my VPN access. OpenVPN complains:

VERIFY ERROR: depth=0, error=certificate signature failure
SSL alert (write): fatal: decrypt error

Snippet of the log file:
Mon Jul 14 16:24:18 2014 us=54800 ciphername_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54805 ciphername = 'BF-CBC'
Mon Jul 14 16:24:18 2014 us=54810 authname_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54815 authname = 'SHA1'
Mon Jul 14 16:24:18 2014 us=54820 prng_hash = 'SHA1'
------- SNIP -------

Mon Jul 14 16:24:18 2014 us=55541 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul 14 2014
------- SNIP -------
Mon Jul 14 16:24:23 2014 us=212915 TLS: tls_multi_process: i=0 state=S_SENT_KEY, mysid=959d12ad 3fd6358b, stored-sid=21b1e50a 63e80c5c, stored-ip=193.175.73.100:1194
Mon Jul 14 16:24:23 2014 us=212920 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNXXF to_link->len=0 wakeup=604800
Mon Jul 14 16:24:23 2014 us=212925 ACK reliable_can_send active=0 current=0 : [3]
Mon Jul 14 16:24:23 2014 us=212931 BIO write tls_write_ciphertext 100 bytes
Mon Jul 14 16:24:23 2014 us=212935 Incoming Ciphertext -> TLS
Mon Jul 14 16:24:23 2014 us=213196 VERIFY OK: depth=1, /C=XX/ST=MYTOWN/L=MYTOWN/O=OpenVPN-Myprovider/CN=OpenVPN-Myprovider-CA/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213223 VERIFY ERROR: depth=0, error=certificate signature failure: /C=XX/ST=MYTOWN/O=OpenVPN-Myprovider/CN=server/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213238 SSL alert (write): fatal: decrypt error
Mon Jul 14 16:24:23 2014 us=213271 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 14 16:24:23 2014 us=213277 TLS Error: TLS object -> incoming plaintext read error
Mon Jul 14 16:24:23 2014 us=213282 TLS Error: TLS handshake failed
The config file is:

client
dev tun
proto udp
remote xxx.myprovider.xx 1194
remote XXX.YYY.XX.YYY 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client.p12
comp-lzo
verb 12
reneg-sec 0
auth-user-pass
script-security 2
explicit-exit-notify
mute-replay-warnings
ns-cert-type server

The error occurs with the packaged versions of OpenVPN and openssl as well as with compiled OpenVPN 2.3.4/openssl-1.0.1h and OpenVPN-2.3.2/openssl-0.9.8y, either with a p12 file or ca/cert/key files. It used to work with the same files before and it still does work with Tunnelblick under Mac OS X. A fresh config.p12 (as well as fresh ca/cert/key files) did not help.
SELinux is disabled. The certificates are encrypted with MD5 and SHA1 (usercert: Signature Algorithm: sha1WithRSAEncryption; CA: Signature Algorithm: md5WithRSAEncryption).

Our server admin can see my connection attempts but also does not know the cause - apparently, all other users can connect without problems. So I suspect some change in CentOS 7 to cause the problem. What else could I try?

Thanks in advance,
Dominik
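
Before touching environment variables it is worth confirming which certificate in the chain is MD5-signed and reproducing the failure outside OpenVPN. The script below is an added example, not code from the thread or from the OpenVPN project: it prints the signature algorithm of the CA and of the leaf certificate, flags an MD5 signature, and then runs the same openssl verify check that mmatyas uses further down. The file names and the throwaway SHA-256 demo chain it can generate are assumptions made for this example; point it at your own ca.pem and cert.pem.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the signature algorithm of
# each certificate in an OpenVPN chain and run the same verification the
# TLS handshake performs. Needs only the openssl CLI. File names and the
# throwaway demo chain are assumptions made for this example.
set -e

# Print the signature algorithm of a PEM certificate, e.g. "md5WithRSAEncryption".
sig_alg() {
    [ -r "$1" ] || { echo "no such certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Classify the digest used in the certificate's signature: md5, sha1 or strong.
# MD5 is what CentOS 7's OpenSSL refuses by default ("certificate signature
# failure"); SHA-1 still verifies there but is on the same way out.
sig_digest_class() {
    case "$(sig_alg "$1")" in
        md5*|*MD5*)   echo md5 ;;
        sha1*|*SHA1*) echo sha1 ;;
        *)            echo strong ;;
    esac
}

# Report the algorithms of CA and leaf, warn about MD5, then verify the leaf
# against the CA exactly as "openssl verify -CAfile ca.pem cert.pem" does.
# Returns openssl verify's exit status.
check_chain() {
    ca=$1; leaf=$2
    for f in "$ca" "$leaf"; do
        printf '%s: %s [%s]\n' "$f" "$(sig_alg "$f")" "$(sig_digest_class "$f")"
    done
    if [ "$(sig_digest_class "$ca")" = md5 ] || [ "$(sig_digest_class "$leaf")" = md5 ]; then
        echo 'MD5 signature in chain: CentOS 7 rejects it unless OPENSSL_ENABLE_MD5_VERIFY is set; get it reissued'
    fi
    openssl verify -CAfile "$ca" "$leaf"
}

# Constructed demo input: a SHA-256 self-signed CA and a leaf it signs, written to $1.
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=demo-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj /CN=server \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Usage: sh check_chain.sh ca.pem cert.pem
# Demo:  d=$(mktemp -d); make_demo_chain "$d"; check_chain "$d/ca.pem" "$d/server.pem"
if [ "$#" -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

On CentOS 7 an MD5-signed certificate makes the final verify step report "certificate signature failure", and the classification line tells you which file needs to be reissued; the same check confirms a reissued certificate before it is deployed.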

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Post by TrevorH » 2014/07/14 15:29:36

md5 support has been removed as it's no longer regarded as secure (even by Microsoft!)
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

dominik
Posts: 2
Joined: 2014/07/14 14:18:37

Re: OpenVPN problems since update to CentOS 7

Post by dominik » 2014/07/17 06:44:25

> md5 support has been removed as it's no longer regarded as secure (even by Microsoft!)

Update: I finally managed to get it running by setting these env variables:

NSS_HASH_ALG_SUPPORT=+MD5
OPENSSL_ENABLE_MD5_VERIFY=1

I found the first one in discussions about NSS but this seems not to be enough to 'fool' CentOS. After setting the latter one in my /etc/profile, I could connect via openvpn from the shell.

However, apparently the NetworkManager-openvpn GUI does not read the variables (it still raises the VERIFY ERROR) - is there any way to tell it to do so?

Thanks,
Dominik

mmatyas
Posts: 1
Joined: 2014/07/25 08:40:12

Re: OpenVPN problems since update to CentOS 7

Post by mmatyas » 2014/07/25 08:59:33

It took me a while to figure out why OpenVPN through NetworkManager was not working on CentOS 7 with old MD5 certificates but I found a solution.

In /usr/lib/systemd/system/NetworkManager.service, add to the [Service] section:

[Service]
# one assignment per token: a single quoted "A=1 B=2" string is one assignment in systemd syntax and would set only A
Environment=OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5

then reload and restart:

systemctl daemon-reload
systemctl restart NetworkManager.service

The relevant error messages were:
nm-openvpn TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
and from openssl verify -CAfile ca.pem cert.pem:
error 7 at 0 depth lookup:certificate signature failure
139819312576416:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:179:

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Post by TrevorH » 2014/07/25 11:45:12

I think Redhat took the decision to disable MD5 certs because they are no longer seen as reliable. You should probably review which certs they are and get them reissued using a different mechanism.

nurray
Posts: 1
Joined: 2017/04/12 05:48:12

Re: OpenVPN problems since update to CentOS 7

Post by nurray » 2017/04/12 05:59:15

I too ran into this problem, but I was not running NetworkManager so I did it (very) slightly differently.

I edited /usr/lib/systemd/system/openvpn-client@.service and added the "Environment" line to the "[Service]" section.

This way, only OpenVPN has the extra environment variables set.

My thanks for working out how to do this and yes the OpenVPN setup is scheduled to be upgraded. Adding the CentOS 7 system is the first step in that process.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Post by TrevorH » 2017/04/12 10:52:23

> I edited /usr/lib/systemd/system/openvpn-client@.service and added the "Environment" line to the "[Service]" section.

That change will get backed out next time the openvpn package is updated as files in /usr/lib/systemd/system are not marked as config files so yum will overwrite them. You should probably copy the file to /etc/systemd/system and amend it there, or use systemctl edit openvpn-client@.service --full and let systemd copy it and edit it that way.
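
The drop-in TrevorH recommends, as an added example that is not part of the thread or of any CentOS package: it writes /etc/systemd/system/<unit>.d/md5-verify.conf with one Environment= line per variable, so it serves nurray's openvpn-client@.service as well as mmatyas's NetworkManager.service, and it survives package updates because nothing under /usr/lib is touched. The unit name and the optional ROOT prefix used for testing are parameters of this example; the check function exists because a single quoted "A=1 B=2" string is one assignment in systemd's Environment= syntax, not two, which is the easy mistake when both variables go into one line.

```shell
#!/bin/sh
# Added example, not code from the thread: install the MD5-verify workaround as a
# systemd drop-in rather than by editing the packaged unit under
# /usr/lib/systemd/system, which a package update overwrites. The unit name and
# the optional ROOT prefix (a scratch directory for testing; "" means the real
# filesystem) are parameters of this example.
set -eu

# Create $root/etc/systemd/system/$unit.d/md5-verify.conf and print its path.
# Works for openvpn-client@.service and NetworkManager.service alike; systemd
# merges the drop-in into the unit on daemon-reload.
write_md5_dropin() {
    unit=$1
    root=${2:-}
    dropin_dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dropin_dir"
    # One assignment per Environment= line. A single quoted string such as
    # "A=1 B=2" is one assignment in systemd's syntax (A gets the value "1 B=2").
    cat > "$dropin_dir/md5-verify.conf" <<'EOF'
[Service]
# Temporary: accept MD5-signed certificates until the CA is reissued.
Environment=OPENSSL_ENABLE_MD5_VERIFY=1
Environment=NSS_HASH_ALG_SUPPORT=+MD5
EOF
    echo "$dropin_dir/md5-verify.conf"
}

# Return 0 when every Environment= line in the file is a single NAME=value token,
# 1 if any contains whitespace or quotes (the form in which two assignments
# collapse into one variable).
dropin_env_ok() {
    ! grep '^Environment=' "$1" | grep -q '[[:space:]"]'
}

# Apply on the real host (root = ""): reload, restart the instance, and confirm
# that systemd now passes the variables to the service.
apply_dropin() {
    instance=$1            # e.g. openvpn-client@myprovider.service
    systemctl daemon-reload
    systemctl restart "$instance"
    systemctl show -p Environment "$instance"
}

# Usage: sh md5-dropin.sh 'openvpn-client@.service' [ROOT]
if [ "$#" -ge 1 ]; then
    f=$(write_md5_dropin "$1" "${2:-}")
    dropin_env_ok "$f" && echo "wrote $f"
fi
```

Run it as sh md5-dropin.sh 'openvpn-client@.service', then apply_dropin with the instance name; systemctl show -p Environment should list both variables. systemctl edit openvpn-client@.service produces the same kind of drop-in (override.conf) interactively. Keep it temporary: the real fix is the reissued certificate TrevorH describes.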

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN problems since update to CentOS 7

Post by TrevorH » 2017/08/30 11:33:51

Neither OpenVPN4UCS nor OpenVPNAS2 are CentOS supplied packages so you should address the question to the provider of them.
