Opened 5 years ago
Closed 15 months ago
#1177 closed Bug / Defect (notabug)
OpenVPN 2.4.7 with OpenSSL 1.0.1e-fips does not work with brainpoolP256r1 elliptic curve
Reported by: | dom1515 | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | release 2.4.9 |
Component: | Certificates | Version: | OpenVPN 2.4.7 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | elliptic curve; brainpoolP256r1 |
Cc: |
Description
I compiled OpenVPN 2.4.7 against OpenSSL 1.1.1b on CentOS.

    ./config --prefix=/usr/local/ssl-1.1.1b --openssldir=/usr/local/ssl-1.1.1b shared zlib
    make
    make test
    make install

    CFLAGS="-I/usr/local/ssl-1.1.1b/include -Wl,-rpath=/usr/local/ssl-1.1.1b/lib -L/usr/local/ssl-1.1.1b/lib" ./configure --prefix=/usr/local/openvpn-2.4.7_ssl-1.1.1b
    make
    make install

The output of openvpn --show-curves:
Available Elliptic curves: secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 secp160r1 secp160r2 secp192k1 secp224k1 secp224r1 secp256k1 secp384r1 secp521r1 prime192v1 prime192v2 prime192v3 prime239v1 prime239v2 prime239v3 prime256v1 sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2pnb208w1 c2tnb239v1 c2tnb239v2 c2tnb239v3 c2pnb272w1 c2pnb304w1 c2tnb359v1 c2pnb368w1 c2tnb431r1 wap-wsg-idm-ecid-wtls1 wap-wsg-idm-ecid-wtls3 wap-wsg-idm-ecid-wtls4 wap-wsg-idm-ecid-wtls5 wap-wsg-idm-ecid-wtls6 wap-wsg-idm-ecid-wtls7 wap-wsg-idm-ecid-wtls8 wap-wsg-idm-ecid-wtls9 wap-wsg-idm-ecid-wtls10 wap-wsg-idm-ecid-wtls11 wap-wsg-idm-ecid-wtls12 Oakley-EC2N-3 Oakley-EC2N-4 brainpoolP160r1 brainpoolP160t1 brainpoolP192r1 brainpoolP192t1 brainpoolP224r1 brainpoolP224t1 brainpoolP256r1 brainpoolP256t1 brainpoolP320r1 brainpoolP320t1 brainpoolP384r1 brainpoolP384t1 brainpoolP512r1 brainpoolP512t1 SM2
If I try to connect to a server (running on Debian) with brainpoolP256r1-based certificates, no connection is established and the server reports:
TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Looking at the client hello, it appears that the brainpoolP256r1 curve is not offered as a valid curve:

    Frame 15: 363 bytes on wire (2904 bits), 363 bytes captured (2904 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: 10.22.34.251, Dst: 85.214.151.228
    User Datagram Protocol, Src Port: 39698, Dst Port: 1195
    OpenVPN Protocol
        Type: 0x20 [opcode/key_id]
        Session ID: 2308148950700197312
        HMAC: 9cb07c249c950a4be0bc55b6dbe8eeadf11d2115
        Packet-ID: 3
        Net Time: Apr 5, 2019 11:34:18.000000000 CEST
        Message Packet-ID Array Length: 0
        Message Packet-ID: 1
    Secure Sockets Layer
        TLSv1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 272
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 268
                Version: TLS 1.2 (0x0303)
                Random: 203486018ca6df89afd735e86e3e540797da8b737373f73b...
                Session ID Length: 32
                Session ID: 2165bba4bf1a54e8461d28abab61593c216587d6afc33a45...
                Cipher Suites Length: 50
                Cipher Suites (25 suites)
                    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                    Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                    Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)
                Extensions Length: 145
                Extension: ec_point_formats (len=4)
                    Type: ec_point_formats (11)
                    Length: 4
                    EC point formats Length: 3
                    Elliptic curves point formats (3)
                        EC point format: uncompressed (0)
                        EC point format: ansiX962_compressed_prime (1)
                        EC point format: ansiX962_compressed_char2 (2)
                Extension: supported_groups (len=12)
                    Type: supported_groups (10)
                    Length: 12
                    Supported Groups List Length: 10
                    Supported Groups (5 groups)
                        Supported Group: x25519 (0x001d)
                        Supported Group: secp256r1 (0x0017)
                        Supported Group: x448 (0x001e)
                        Supported Group: secp521r1 (0x0019)
                        Supported Group: secp384r1 (0x0018)
                Extension: encrypt_then_mac (len=0)
                    Type: encrypt_then_mac (22)
                    Length: 0
                Extension: extended_master_secret (len=0)
                    Type: extended_master_secret (23)
                    Length: 0
                Extension: signature_algorithms (len=48)
                    Type: signature_algorithms (13)
                    Length: 48
                    Signature Hash Algorithms Length: 46
                    Signature Hash Algorithms (23 algorithms)
                        Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Algorithm: ed25519 (0x0807)
                        Signature Algorithm: ed448 (0x0808)
                        Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                        Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                        Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                        Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Algorithm: SHA224 RSA (0x0301)
                        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Algorithm: SHA224 DSA (0x0302)
                        Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Algorithm: SHA256 DSA (0x0402)
                        Signature Algorithm: SHA384 DSA (0x0502)
                        Signature Algorithm: SHA512 DSA (0x0602)
                Extension: supported_versions (len=9)
                    Type: supported_versions (43)
                    Length: 9
                    Supported Versions length: 8
                    Supported Version: TLS 1.3 (0x0304)
                    Supported Version: TLS 1.2 (0x0303)
                    Supported Version: TLS 1.1 (0x0302)
                    Supported Version: TLS 1.0 (0x0301)
                Extension: psk_key_exchange_modes (len=2)
                    Type: psk_key_exchange_modes (45)
                    Length: 2
                    PSK Key Exchange Modes Length: 1
                    PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
                Extension: key_share (len=38)
                    Type: key_share (51)
                    Length: 38
                    Key Share extension
                        Client Key Share Length: 36
                        Key Share Entry: Group: x25519, Key Exchange length: 32
                            Group: x25519 (29)
                            Key Exchange Length: 32
                            Key Exchange: 124262e4a4b5f7b4f246036c7ae598f7d8bad27b2cb1f2f3...

If I use the same certificates and OpenVPN configuration on a Debian client (OpenVPN from the standard .deb), a connection is successfully established.
The ClientHello from Debian offers the brainpool curve:

    Frame 705: 259 bytes on wire (2072 bits), 259 bytes captured (2072 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: 192.168.6.98, Dst: 85.214.151.228
    User Datagram Protocol, Src Port: 34738, Dst Port: 1195
    OpenVPN Protocol
        Type: 0x20 [opcode/key_id]
        Session ID: 14706474520384368533
        HMAC: 0b512424d819d4af7226e2a34ce3dc13a2cc52ba
        Packet-ID: 3
        Net Time: Apr 5, 2019 11:42:18.000000000 CEST
        Message Packet-ID Array Length: 0
        Message Packet-ID: 1
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 168
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 164
                Version: TLS 1.2 (0x0303)
                Random: d73e15ad7f9e70417b5c1b9d672bfdb0091c830c52687ab1...
                Session ID Length: 0
                Cipher Suites Length: 42
                Cipher Suites (21 suites)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)
                Extensions Length: 81
                Extension: ec_point_formats (len=4)
                    Type: ec_point_formats (11)
                    Length: 4
                    EC point formats Length: 3
                    Elliptic curves point formats (3)
                        EC point format: uncompressed (0)
                        EC point format: ansiX962_compressed_prime (1)
                        EC point format: ansiX962_compressed_char2 (2)
                Extension: supported_groups (len=28)
                    Type: supported_groups (10)
                    Length: 28
                    Supported Groups List Length: 26
                    Supported Groups (13 groups)
                        Supported Group: secp256r1 (0x0017)
                        Supported Group: secp521r1 (0x0019)
                        Supported Group: brainpoolP512r1 (0x001c)
                        Supported Group: brainpoolP384r1 (0x001b)
                        Supported Group: secp384r1 (0x0018)
                        Supported Group: brainpoolP256r1 (0x001a)
                        Supported Group: secp256k1 (0x0016)
                        Supported Group: sect571r1 (0x000e)
                        Supported Group: sect571k1 (0x000d)
                        Supported Group: sect409k1 (0x000b)
                        Supported Group: sect409r1 (0x000c)
                        Supported Group: sect283k1 (0x0009)
                        Supported Group: sect283r1 (0x000a)
                Extension: signature_algorithms (len=32)
                    Type: signature_algorithms (13)
                    Length: 32
                    Signature Hash Algorithms Length: 30
                    Signature Hash Algorithms (15 algorithms)
                        Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Algorithm: SHA512 DSA (0x0602)
                        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Algorithm: SHA384 DSA (0x0502)
                        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Algorithm: SHA256 DSA (0x0402)
                        Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Algorithm: SHA224 RSA (0x0301)
                        Signature Algorithm: SHA224 DSA (0x0302)
                        Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Algorithm: ecdsa_sha1 (0x0203)
                Extension: heartbeat (len=1)
                    Type: heartbeat (15)
                    Length: 1
                    Mode: Peer allowed to send requests (1)

I did not find the relevant documentation on how this can be configured during compilation or in the config file.
Please offer the brainpool curves as a standard if they are available.
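
The comparison the reporter made by eye can be scripted. The following is an added example, not part of the ticket and not OpenVPN or OpenSSL code: a bounds-checked walk over a ClientHello handshake message (the bytes after the 5-byte TLS record header) that reports whether a given group id appears in `supported_groups`. The function name and the sample bytes are assumptions; the sample is constructed to carry the five groups from the CentOS capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_SUPPORTED_GROUPS  10      /* extension type, as in both captures */
#define GROUP_BRAINPOOLP256R1 0x001a  /* group id shown in the Debian capture */

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* 1: the ClientHello handshake message offers `group`; 0: it does not; -1: malformed. */
int hello_offers_group(const uint8_t *m, size_t len, uint16_t group)
{
    size_t i = 4 + 2 + 32;                     /* handshake header, version, random */
    if (len < i + 1 || m[0] != 1) return -1;   /* handshake type 1 = ClientHello */
    i += 1 + (size_t)m[i];                     /* skip session id */
    if (i + 2 > len) return -1;
    i += 2 + rd16(m + i);                      /* skip cipher suites */
    if (i + 1 > len) return -1;
    i += 1 + (size_t)m[i];                     /* skip compression methods */
    if (i + 2 > len) return i == len ? 0 : -1; /* no extensions: nothing offered */
    size_t end = i + 2 + rd16(m + i);          /* end of the extensions block */
    if (end > len) return -1;
    for (i += 2; i + 4 <= end; ) {
        unsigned type = rd16(m + i), elen = rd16(m + i + 2);
        i += 4;
        if (i + elen > end) return -1;         /* extension overruns the block */
        if (type == EXT_SUPPORTED_GROUPS) {
            if (elen < 2 || rd16(m + i) + 2u != elen) return -1;
            for (size_t g = i + 2; g + 2 <= i + elen; g += 2)
                if (rd16(m + g) == group) return 1;
            return 0;
        }
        i += elen;
    }
    return 0;                                  /* no supported_groups extension */
}

/* Constructed sample: minimal ClientHello with the five groups of the CentOS capture. */
static const uint8_t HELLO[] = {
    0x01, 0x00, 0x00, 0x41, 0x03, 0x03,        /* ClientHello, length 65, TLS 1.2 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00, 0x02, 0xc0, 0x2c, 0x01, 0x00,  /* no session id, one suite, null compression */
    0x00, 0x16, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, /* 22 bytes of extensions; ec_point_formats */
    0x00, 0x0a, 0x00, 0x0c, 0x00, 0x0a,        /* supported_groups, list of 10 bytes */
    0x00, 0x1d, 0x00, 0x17, 0x00, 0x1e, 0x00, 0x19, 0x00, 0x18,
};

int main(void) {
    printf("brainpoolP256r1 offered: %d\n", hello_offers_group(HELLO, sizeof HELLO, GROUP_BRAINPOOLP256R1));
    return 0;
}
```

The function does not cross-check the 3-byte handshake length field against `len`; it relies on the caller passing exactly one handshake message.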
Change History (5)
comment:1 Changed 5 years ago by
comment:3 Changed 4 years ago by
Milestone: → release 2.4.9

I see a commit in release/2.4 that looks like it addressed that issue:

    commit 5ee76a8fab0411c7529c8da9f40ad386433d9a0c
    Author: Arne Schwabe <arne@…>
    Date: Sat Mar 28 05:08:58 2020 +0100

        Fix OpenSSL 1.1.1 not using auto elliptic curve selection

        Commit 8a01147ff attempted to avoid calling the deprecated/noop
        operation SSL_CTX_set_ecdh_auto by surrounding it with #ifdef.
        Unfortunately, that change also made the return; that would exit
        the function no longer being compiled when using OpenSSL 1.1.0+.
        As consequence OpenVPN with OpenSSL 1.1.0+ would always set
        secp384r1 as ecdh curve unless otherwise specified by ecdh

This is part of the 2.4.9 release.
Can you please re-test?
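
The pitfall the quoted commit message describes, a version guard that removes a `return` along with the deprecated call, shown as an added example. This is a simplified model, not OpenVPN's source: the function names, the `MODEL_OPENSSL_VERSION` macro and the string return values are assumptions chosen so that both shapes can be compiled and compared in one file.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption of this model: the build targets an OpenSSL 1.1.1-style version number. */
#define MODEL_OPENSSL_VERSION 0x10101000L

/* Stand-in for the deprecated SSL_CTX_set_ecdh_auto() call; does nothing here. */
void legacy_set_ecdh_auto(void) { }

/* Shape described for commit 8a01147ff: the guard swallows the return as well. */
const char *ecdh_choice_before(const char *configured)
{
    if (configured != NULL)
        return configured;       /* curve named explicitly in the configuration */
#if MODEL_OPENSSL_VERSION < 0x10100000L
    legacy_set_ecdh_auto();
    return "auto";               /* not compiled on 1.1.0+ ... */
#endif
    return "secp384r1";          /* ... so a 1.1.0+ build always reaches the fallback */
}

/* Shape described for the fix: only the deprecated call is guarded. */
const char *ecdh_choice_after(const char *configured)
{
    if (configured != NULL)
        return configured;
#if MODEL_OPENSSL_VERSION < 0x10100000L
    legacy_set_ecdh_auto();
#endif
    return "auto";               /* always compiled: the library selects the curve */
}

int main(void)
{
    printf("before: %s, after: %s\n", ecdh_choice_before(NULL), ecdh_choice_after(NULL));
    /* Exit status 0 only if the guarded-return shape pins the fallback and the fixed one does not. */
    return strcmp(ecdh_choice_before(NULL), "secp384r1") != 0
        || strcmp(ecdh_choice_after(NULL), "auto") != 0;
}
```

A check worth keeping in review: any `return`, `break` or `goto` inside an `#if` block should be read once for each side of the condition.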
comment:4 Changed 3 years ago by
I would like to either close this, or proceed to fix in "later releases", but for that I'd need a test report...
comment:5 Changed 15 months ago by
Resolution: → notabug
Status: new → closed

Since we never heard back, I just assume that it works with recent versions of OpenVPN and OpenSSL, and will now proceed to close the ticket.
Sorry, the OpenSSL version in the title is wrong; it should be:
OpenVPN 2.4.7 with OpenSSL 1.1.1b does not work with brainpoolP256r1 elliptic curve