id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc 1024,iOS: ECDSA doesn't work when imported as PKCS#12 (.ovpn12 file),GainfulShrimp,OpenVPN Inc.,"I was excited to see in the App Store release notes for OpenVPN Connect 1.2.8 that ECDSA was now supported, but it's not working for me. An error is flagged up immediately when I try to connect. This line in the log seems especially relevant, as - to me anyway - it seems to suggest that RSA is being used, when it shouldn't be: {{{ 2018-02-20 07:35:20 Client exception in transport_recv_excode: mbed TLS: SSL read error : RSA - Bad input parameters to function }}} Here is the log from OpenVPN Connect: {{{ 2018-02-20 07:35:20 ----- OpenVPN Start ----- OpenVPN core 3.1.2 ios arm64 64-bit built on Feb 7 2018 17:16:12 2018-02-20 07:35:20 Keychain Cert Extraction: 1 certificate(s) found 2018-02-20 07:35:20 Frame=512/2048/512 mssfix-ctrl=1250 2018-02-20 07:35:20 UNUSED OPTIONS 3 [fast-io] 5 [nobind] 6 [persist-key] 7 [persist-tun] 9 [mute-replay-warnings] 13 [verb] [1] 14 [mute] [20] 2018-02-20 07:35:20 EVENT: RESOLVE 2018-02-20 07:35:20 Contacting [xxx.xxx.xxx.xxx]:3232/UDP via UDP 2018-02-20 07:35:20 EVENT: WAIT 2018-02-20 07:35:20 Connecting to [myFQDN]:3232 (xxx.xxx.xxx.xxx) via UDPv4 2018-02-20 07:35:20 EVENT: CONNECTING 2018-02-20 07:35:20 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth SHA1,keysize 128,key-method 2,tls-client 2018-02-20 07:35:20 Creds: UsernameEmpty/PasswordEmpty 2018-02-20 07:35:20 Peer Info: IV_GUI_VER=net.openvpn.connect.ios 1.2.8-1 IV_VER=3.1.2 IV_PLAT=ios IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_IPv6=0 IV_AUTO_SESS=1 2018-02-20 07:35:20 VERIFY OK : depth=1 cert. version : 3 serial number : D1:C4:F4:07:45:E9:73:B1 issuer name : CN=CAECC subject name : CN=CAECC issued on : 2018-01-30 13:21:21 expires on : 2028-01-28 13:21:21 signed using : ECDSA with SHA256 EC key size : 256 bits basic constraints : CA=true key usage : Key Cert Sign, CRL Sign 2018-02-20 07:35:20 VERIFY OK : depth=0 cert. version : 3 serial number : CB:E0:CD:5B:F2:DD:0F:A2:3E:61:92:26:99:6A:FA:14 issuer name : CN=CAECC subject name : CN=server-ecc issued on : 2018-01-30 13:22:09 expires on : 2028-01-28 13:22:09 signed using : ECDSA with SHA256 EC key size : 256 bits basic constraints : CA=false subject alt name : server-ecc key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication 2018-02-20 07:35:20 EVENT: EPKI_ERROR 69646e74000000000000002a : external_pki_error: cannot sign data, status=-50 [ERR] 2018-02-20 07:35:20 Raw stats on disconnect: BYTES_IN : 1426 BYTES_OUT : 378 PACKETS_IN : 4 PACKETS_OUT : 3 2018-02-20 07:35:20 Performance stats on disconnect: CPU usage (microseconds): 125213 Network bytes per CPU second: 14407 Tunnel bytes per CPU second: 0 2018-02-20 07:35:20 MbedTLSContext::epki_sign: ssl_external_pki: MbedTLS: could not obtain signature 2018-02-20 07:35:20 Client exception in transport_recv_excode: mbed TLS: SSL read error : RSA - Bad input parameters to function 2018-02-20 07:35:20 EVENT: DISCONNECTED 2018-02-20 07:35:20 Raw stats on disconnect: BYTES_IN : 1426 BYTES_OUT : 378 PACKETS_IN : 4 PACKETS_OUT : 3 SSL_ERROR : 1 EPKI_SIGN_ERROR : 1 2018-02-20 07:35:20 Performance stats on disconnect: CPU usage (microseconds): 126728 Network bytes per CPU second: 14235 Tunnel bytes per CPU second: 0 }}} Server, running on Raspbian Stretch Lite (on a Pi3) is version: {{{ OpenVPN 2.4.4 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 15 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.09 Originally developed by James Yonan Copyright (C) 2002-2017 OpenVPN Technologies, Inc. Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no }}} Server config: {{{ dev tun1 proto udp port 3232 sndbuf 393216 rcvbuf 393216 push ""sndbuf 393216"" push ""rcvbuf 393216"" fast-io ca /etc/openvpn/ecckeys/ca.crt cert /etc/openvpn/ecckeys/server-ecc.crt key /etc/openvpn/ecckeys/server-ecc.key dh none topology subnet server 10.188.0.0 255.255.255.0 push ""route 10.188.0.0 255.255.255.0"" push ""route 192.168.2.0 255.255.255.0"" push ""dhcp-option DNS 192.168.2.1"" push ""redirect-gateway def1"" client-to-client keepalive 10 60 tls-crypt /etc/openvpn/ecckeys/tc.key cipher AES-128-GCM ncp-ciphers AES-128-GCM tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 tls-version-min 1.2 }}} Client (iPhone X) config: {{{ client dev tun proto udp fast-io remote myFQDN 3232 nobind persist-key persist-tun reneg-sec 0 mute-replay-warnings remote-cert-tls server cipher AES-128-GCM tls-version-min 1.2 verb 1 mute 20 [blah blah] [blah blah] }}} Client cert and key are in a PKCS#12 file, with extension .ovpn12. Importing both profile/config and cert file seemed to go smoothly. Using a similar client config (the same, but with inlined cert/key) and the exact same server, I can connect fine from a Linux client and a Macbook/Viscosity.",Bug / Defect,closed,major,,OpenVPN Connect,OpenVPN Connect for iOS v1.2.8,"Not set (select this one, unless your'e a OpenVPN developer)",wontfix,,