Opened 4 years ago
Closed 3 years ago
#1304 closed Bug / Defect (fixed)
Make printing a key in the log verb 5 or 6 not verb 4
| Reported by: | tct | Owned by: | Antonio Quartulli |
|---|---|---|---|
| Priority: | critical | Milestone: | release 2.5 |
| Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | log verb privacy |
| Cc: |
Description
Change History (7)
comment:2 Changed 4 years ago by
| Owner: | set to Antonio Quartulli |
|---|---|
| Status: | new → assigned |
This is fallout of the "inline" orgy
21:38 < wiscii> 2020-07-17 15:33:08 us=916310 priv_key_file = '-----BEGIN
PRIVATE KEY-----
while "referencing regular key files" is fine
2020-07-17 21:39:25 us=861830 priv_key_file = '/home/openvpn-keys/cron2-freebsd-tc-amd64.key'
comment:3 Changed 4 years ago by
| Milestone: | → release 2.5 |
|---|---|
| Priority: | major → critical |
| Type: | Feature Wish → Bug / Defect |
| Version: | → OpenVPN git master branch (Community Ed) |
comment:4 Changed 4 years ago by
patch is on the mailing list: "[PATCH] options: don't leak inline'd key material in logfile"
comment:5 Changed 4 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
commit 19fab1f6cf71715f84d09d6a8b49698b0ae42cd1 (HEAD -> master, stable/master, mattock/master, gitlab/master, github/master)
Author: Antonio Quartulli <a@…>
Date: Fri Jul 17 23:28:20 2020 +0200
options: don't leak inline'd key material in logfile
committed & pushed
thanks!
comment:6 Changed 3 years ago by
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
FTR, 2.5 leaks DH parameters file as well.
2021-03-17 09:45:07 us=949434 dh_file = '-----BEGIN DH PARAMETERS----- MIIBCAKCAQEA4GT7HOiYPI9lawMU+LiXwp0bP5UEaEqOFue57fbBwCvEVu0vD+Va 7p7i+l36zNE1otjp9ZzZwxGi7WkBV6fNugkNKuUh0qL8BW9FJshsMeLa0YkVj+L6 sMpQN182sA+4uvk8PyGUnEsmGRIybEAWCMAs+rcE4lsCzfJqCaGItMkO+SnEbEf4 mLqqx2ckzW3FPzo0PKvnnm8eLrYzsOIiFR0YSgGto8tsD09ozQaI7j8q2E/qhhqu zy0WwYSkdTbifUzHy5LkAx3TF9PGsPmyb5YmfulGV9l7uNYkz9yxbv1Foe5Z2dol 9uPK9rxLPYsNkNZwfOjV4dF5GRmzaQIuewIBAg== -----END DH PARAMETERS----- ' 2021-03-17 09:45:07 us=949434 cert_file = '[INLINE]' <snip> 2021-03-17 09:45:07 us=949434 OpenVPN 2.5.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 24 2021
I know this is not security critical but I expect it should be fixed.
Re-opening for your consideration.
comment:7 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Note: See
TracTickets for help on using
tickets.
Openvpn
--verb 4is the recommended--verbsetting to dubug general user problems. Having openvpn output the entire contents of all user private keys while running at--verb 4is therefore a considerable threat to privacy, especially for an inexperienced user. Also, the Openvpn Forum is not ready for such a threat to user privacy.