Hi Stuart and Joel,
Just to confirm for others reading, you are very correct.
And patch 014_libcrypto has fixed this :) So just run syspatch (or openup) and you'll be working again.
Thanks for the commits ;)
PS: good to hear from you again Stuart! Long time. I'm on this email now rather than andy@brandwatch, it's been a while since I've been around the lists. I knew I could rely on you amazing peeps.
Take care, happy summer. Andy
Sent from a teeny tiny keyboard, so please excuse typos
> On 3 Jul 2017, at 16:51, Joel Sing <joel@sing.id.au> wrote:
>
>> On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
>> Hi,
>>
>> Sadly in my testing it seems that CVE-2017-8301 (
>> http://seclists.org/oss-sec/2017/q2/145) is still broken with the
>> latest LibreSSL
>> (2.5.4) and OpenVPN 2.4.2.
>>
>> Here is someone else reporting the same issue;
>> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
>>
>> Of course I may have gotten this wrong somewhere, but for now it seems not
>> possible to use OpenVPN as a client with TLS static certificate based
>> server on OpenBSD.
>>
>> Hope this helps clarify for anyone else finding the same issue until some
>> clever person does a fix.
>>
>>
>> Error same with latest;
>>
>> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
>>
>> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
>>
>> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
>>
>> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
>>
>> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
>>
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
>>
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
>>
>> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting
>
> This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) -
> you should also be able to workaround the issue by using different CNs for the
> CA and server certificates (they're likely identical in this case).
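The condition Joel points at (CA and server certificate carrying the same CN) is easy to reproduce and inspect. The script below is an added example, not code from the thread or from LibreSSL/OpenVPN: it generates a CA and a server certificate that share a CN, then shows that the server certificate's subject DN equals its issuer DN even though it is not self-signed (the key that signed it is the CA's, not its own). A verifier that decides "self-signed" from the names alone therefore mislabels the leaf, which is the assumption behind the workaround of giving the CA a distinct CN; a second pair built with different CNs shows the names no longer collide. It assumes an `openssl` binary (OpenSSL or LibreSSL) in PATH; the CNs, file names and temp directory are made up for the demonstration, and the chain-verify result for the same-CN pair is printed only, since it depends on the library version you run it with (the thread reports LibreSSL 2.5.4 rejecting it with "self signed certificate").

```shell
#!/bin/sh
# Added example (not from the thread): a CA and a leaf sharing one CN, and the
# checks that distinguish "self-issued" (subject == issuer) from "self-signed"
# (signed with its own key).  Assumes `openssl` is in PATH; all names and
# paths are invented for the demonstration.
set -e

# make_pair DIR CA_CN SERVER_CN: write ca.pem/ca.key and server.pem/server.key
# into DIR.  A private config is used so the system openssl.cnf cannot change
# which extensions land in the certificates.
make_pair() {
    dir=$1 ca_cn=$2 srv_cn=$3
    mkdir -p "$dir"
    cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ca_cn
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat >"$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $srv_cn
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server key + CSR, then sign the CSR with the CA key.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions v3_leaf \
        -out "$dir/server.pem" 2>/dev/null
}

# subject_equals_issuer CERT: succeed if CERT's subject DN equals its issuer
# DN (RFC 5280 "self-issued").  This is all a name-only check can see.
subject_equals_issuer() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=[ ]*//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*//')
    [ "$subj" = "$iss" ]
}

# same_public_key CERT_A CERT_B: succeed if both certificates carry the same
# public key.  A certificate is self-signed only if its signer's key is its
# own key, so comparing the leaf's key with its issuer's key answers that
# regardless of what the names say.
same_public_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$a" = "$b" ]
}

# verify_chain DIR: succeed if DIR/server.pem chains to DIR/ca.pem according
# to the openssl binary in PATH.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Demo run: one pair with colliding CNs, one with the workaround applied.
work=$(mktemp -d)
make_pair "$work/same" vpn.example vpn.example        # CA CN == server CN
make_pair "$work/diff" "Example VPN CA" vpn.example   # distinct CA CN
for pair in same diff; do
    leaf=$work/$pair/server.pem
    printf '%s: leaf subject == issuer? ' "$pair"
    subject_equals_issuer "$leaf" && echo yes || echo no
    printf '%s: leaf key == CA key (truly self-signed)? ' "$pair"
    same_public_key "$leaf" "$work/$pair/ca.pem" && echo yes || echo no
    printf '%s: chain verifies with this openssl? ' "$pair"
    verify_chain "$work/$pair" && echo yes || echo no   # version-dependent for "same"
done
rm -rf "$work"
```

For the colliding pair the first question answers yes and the second no, which is exactly the gap between self-issued and self-signed; the same two checks run against your own CA and server certificates will tell you whether a deployment is in the situation this thread describes.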