Opened 5 years ago

Closed 15 months ago

#1177 closed Bug / Defect (notabug)

OpenVPN 2.4.7 with OpenSSL 1.0.1e-fips does not work with brainpoolP256r1 elliptic curve

Reported by: dom1515 Owned by:
Priority: minor Milestone: release 2.4.9
Component: Certificates Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: elliptic curve; brainpoolP256r1
Cc:

Description

I compiled openvpn 2.4.7 against openssl 1.1.1b on centos.

./config --prefix=/usr/local/ssl-1.1.1b --openssldir=/usr/local/ssl-1.1.1b shared zlib
make
make test
make install



CFLAGS="-I/usr/local/ssl-1.1.1b/include  -Wl,-rpath=/usr/local/ssl-1.1.1b/lib -L/usr/local/ssl-1.1.1b/lib" ./configure --prefix=/usr/local/openvpn-2.4.7_ssl-1.1.1b
make
make install


The output of openvpn --show-curves:

Available Elliptic curves:
secp112r1
secp112r2
secp128r1
secp128r2
secp160k1
secp160r1
secp160r2
secp192k1
secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
prime192v1
prime192v2
prime192v3
prime239v1
prime239v2
prime239v3
prime256v1
sect113r1
sect113r2
sect131r1
sect131r2
sect163k1
sect163r1
sect163r2
sect193r1
sect193r2
sect233k1
sect233r1
sect239k1
sect283k1
sect283r1
sect409k1
sect409r1
sect571k1
sect571r1
c2pnb163v1
c2pnb163v2
c2pnb163v3
c2pnb176v1
c2tnb191v1
c2tnb191v2
c2tnb191v3
c2pnb208w1
c2tnb239v1
c2tnb239v2
c2tnb239v3
c2pnb272w1
c2pnb304w1
c2tnb359v1
c2pnb368w1
c2tnb431r1
wap-wsg-idm-ecid-wtls1
wap-wsg-idm-ecid-wtls3
wap-wsg-idm-ecid-wtls4
wap-wsg-idm-ecid-wtls5
wap-wsg-idm-ecid-wtls6
wap-wsg-idm-ecid-wtls7
wap-wsg-idm-ecid-wtls8
wap-wsg-idm-ecid-wtls9
wap-wsg-idm-ecid-wtls10
wap-wsg-idm-ecid-wtls11
wap-wsg-idm-ecid-wtls12
Oakley-EC2N-3
Oakley-EC2N-4
brainpoolP160r1
brainpoolP160t1
brainpoolP192r1
brainpoolP192t1
brainpoolP224r1
brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1
SM2

If I try to connect to a server (running on debian) with brainpoolP256r1-based certificates , no connection is established and the server reports:

TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.

Looking at the client hello, it appears that the brainpoolP256r1 curve is not offered as valid curve:

Frame 15: 363 bytes on wire (2904 bits), 363 bytes captured (2904 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 10.22.34.251, Dst: 85.214.151.228
User Datagram Protocol, Src Port: 39698, Dst Port: 1195
OpenVPN Protocol
    Type: 0x20 [opcode/key_id]
    Session ID: 2308148950700197312
    HMAC: 9cb07c249c950a4be0bc55b6dbe8eeadf11d2115
    Packet-ID: 3
    Net Time: Apr  5, 2019 11:34:18.000000000 CEST
    Message Packet-ID Array Length: 0
    Message Packet-ID: 1
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 272
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 268
            Version: TLS 1.2 (0x0303)
            Random: 203486018ca6df89afd735e86e3e540797da8b737373f73b...
            Session ID Length: 32
            Session ID: 2165bba4bf1a54e8461d28abab61593c216587d6afc33a45...
            Cipher Suites Length: 50
            Cipher Suites (25 suites)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 145
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: supported_groups (len=12)
                Type: supported_groups (10)
                Length: 12
                Supported Groups List Length: 10
                Supported Groups (5 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: x448 (0x001e)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: secp384r1 (0x0018)
            Extension: encrypt_then_mac (len=0)
                Type: encrypt_then_mac (22)
                Length: 0
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: signature_algorithms (len=48)
                Type: signature_algorithms (13)
                Length: 48
                Signature Hash Algorithms Length: 46
                Signature Hash Algorithms (23 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: ed25519 (0x0807)
                    Signature Algorithm: ed448 (0x0808)
                    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                    Signature Algorithm: SHA224 RSA (0x0301)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Algorithm: SHA224 DSA (0x0302)
                    Signature Algorithm: SHA1 DSA (0x0202)
                    Signature Algorithm: SHA256 DSA (0x0402)
                    Signature Algorithm: SHA384 DSA (0x0502)
                    Signature Algorithm: SHA512 DSA (0x0602)
            Extension: supported_versions (len=9)
                Type: supported_versions (43)
                Length: 9
                Supported Versions length: 8
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: key_share (len=38)
                Type: key_share (51)
                Length: 38
                Key Share extension
                    Client Key Share Length: 36
                    Key Share Entry: Group: x25519, Key Exchange length: 32
                        Group: x25519 (29)
                        Key Exchange Length: 32
                        Key Exchange: 124262e4a4b5f7b4f246036c7ae598f7d8bad27b2cb1f2f3...

If I use the same certificates and openvpn configuration on a debian client (openvpn from the standard .deb) there is a successful connection established.

The clientHello from debian offers the brainpool curve:

Frame 705: 259 bytes on wire (2072 bits), 259 bytes captured (2072 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.6.98, Dst: 85.214.151.228
User Datagram Protocol, Src Port: 34738, Dst Port: 1195
OpenVPN Protocol
    Type: 0x20 [opcode/key_id]
    Session ID: 14706474520384368533
    HMAC: 0b512424d819d4af7226e2a34ce3dc13a2cc52ba
    Packet-ID: 3
    Net Time: Apr  5, 2019 11:42:18.000000000 CEST
    Message Packet-ID Array Length: 0
    Message Packet-ID: 1
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 168
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 164
            Version: TLS 1.2 (0x0303)
            Random: d73e15ad7f9e70417b5c1b9d672bfdb0091c830c52687ab1...
            Session ID Length: 0
            Cipher Suites Length: 42
            Cipher Suites (21 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 81
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: supported_groups (len=28)
                Type: supported_groups (10)
                Length: 28
                Supported Groups List Length: 26
                Supported Groups (13 groups)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: brainpoolP512r1 (0x001c)
                    Supported Group: brainpoolP384r1 (0x001b)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: brainpoolP256r1 (0x001a)
                    Supported Group: secp256k1 (0x0016)
                    Supported Group: sect571r1 (0x000e)
                    Supported Group: sect571k1 (0x000d)
                    Supported Group: sect409k1 (0x000b)
                    Supported Group: sect409r1 (0x000c)
                    Supported Group: sect283k1 (0x0009)
                    Supported Group: sect283r1 (0x000a)
            Extension: signature_algorithms (len=32)
                Type: signature_algorithms (13)
                Length: 32
                Signature Hash Algorithms Length: 30
                Signature Hash Algorithms (15 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: SHA512 DSA (0x0602)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: SHA384 DSA (0x0502)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: SHA256 DSA (0x0402)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: SHA224 RSA (0x0301)
                    Signature Algorithm: SHA224 DSA (0x0302)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Algorithm: SHA1 DSA (0x0202)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
            Extension: heartbeat (len=1)
                Type: heartbeat (15)
                Length: 1
                Mode: Peer allowed to send requests (1)

I did not find the relevant documentation on how this can be configured during compilation or in the config file.

Please offer the brainpool-curves as a standard if it is available.

Change History (5)

comment:1 Changed 5 years ago by dom1515

sorry, the openssl-Version in the title is wrong it should be

OpenVPN 2.4.7 with OpenSSL 1.1.1b does not work with brainpoolP256r1 elliptic curve

comment:2 Changed 5 years ago by tct

cc'ing .. apologies for the noise.

comment:3 Changed 4 years ago by Gert Döring

Milestone: release 2.4.9

I see a commit in release/2.4 that looks like it addressed that issue:

commit 5ee76a8fab0411c7529c8da9f40ad386433d9a0c
Author: Arne Schwabe <arne@…>
Date: Sat Mar 28 05:08:58 2020 +0100

Fix OpenSSL 1.1.1 not using auto elliptic curve selection


Commit 8a01147ff attempted to avoid calling the deprecated/noop
operation SSL_CTX_set_ecdh_auto by surrounding it with #ifdef.
Unfortunately, that change also made the return; that would exit
the function no longer being compiled when using OpenSSL 1.1.0+.
As consequence OpenVPN with OpenSSL 1.1.0+ would always set
secp384r1 as ecdh curve unless otherwise specified by ecdh

this is part of 2.4.9 release.

Can you please re-test?

comment:4 Changed 3 years ago by Gert Döring

I would like to either close this, or proceed to fix in "later releases", but for that I'd need a test report...

comment:5 Changed 15 months ago by Gert Döring

Resolution: notabug
Status: newclosed

Since we never heard back, I just assume that it works with recent versions of OpenVPN and OpenSSL, and will now proceed to close the ticket.

Note: See TracTickets for help on using tickets.