Opened 3 years ago

Closed 3 years ago

#1431 closed Bug / Defect (fixed)

Cryptoapicert stops working after 2.5.3 -> 2.5.4 upgrade (Windows 10)

Reported by: vartik
Owned by:
Priority: critical
Milestone: release 2.5.4
Component: Certificates
Version: OpenVPN 2.5.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: vartik@…

Description

Hi,

Since we've upgraded our Windows 10 OpenVPN clients to 2.5.4, an essential auth mechanism stopped working.
It seems the 2.5.4 client can't load certificates from the MS certificate store.

Neither option for cryptoapicert (SUBJ: or THUMB:) works now with the MS cert store.
I have a correct config file that works with both methods in OpenVPN GUI version 2.5.3, but neither works in 2.5.4 (on the same computer).

After initiating a connection, we get this error.

https://user-images.githubusercontent.com/4114876/137141220-d13f1556-1005-46a0-a954-13a6c2dcdf32.png

Rolling back to 2.5.3 "fixes" the issue and the VPN connects.

This is what our config file looks like (generated by the pfSense openvpn export plugin):

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.com 1197 udp4
setenv opt block-outside-dns
lport 0
verify-x509-name "Example Server" name
auth-user-pass
ca vpn-UDP4-1197-username-ca.crt
### Using only 1 option at a time
#cryptoapicert "SUBJ:username, US, .... etc. "
cryptoapicert "THUMB:047*******"
tls-crypt vpn-UDP4-1197-username-tls.key
remote-cert-tls server
explicit-exit-notify
reneg-sec 36000

Change History (6)

comment:1 Changed 3 years ago by vartik

As I was not sure which bugtracker is more relevant to this issue, I opened a duplicate bug on https://github.com/OpenVPN/openvpn-gui/issues/456

comment:2 Changed 3 years ago by Selva Nair

Is msvc-config.h in OpenVPN repo used for the new release build? In commit 277844321 we have (among other things)

+#define OPENSSL_NO_EC 1
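Review bot: this define should not be hard-coded in the project's MSVC config header; OpenSSL's own opensslconf.h already emits OPENSSL_NO_EC when EC was disabled at build time, so setting it here compiles out every #ifndef OPENSSL_NO_EC code path (Windows certificate store EC key loading, management-external-key) regardless of how the linked OpenSSL was actually built. Suggest dropping the line and letting the OPENSSL_NO_* feature macros come from the OpenSSL headers.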

That will definitely break loading EC keys from the Windows store and management-external-key (and possibly other things like ECDSA signatures, ECDH(E) key exchange?), even if OpenSSL is correctly built with EC support.

Why do we have these kinds of defines hard-coded? Or is this an unused file?

Last edited 3 years ago by Selva Nair

comment:3 Changed 3 years ago by stipa

Those defines are used in openssl_compat.h and were copied from MinGW's config.h. I don't know why OPENSSL_NO_EC ended up there too. The patch which removes this define and adds a few missing ones is on the list (I compared with MinGW's config.h from 2.5.2).

In master branch we removed all those defines in commit https://github.com/OpenVPN/openvpn/commit/bc36d9d569eb3b22abe66c19325f6f04b3c9e225, so I've also sent a patch for master which adjusts config-msvc.h accordingly.

One could probably test the GitHub Actions binary with the fix: https://github.com/lstipakov/openvpn/suites/4050548031/artifacts/102721918

comment:4 Changed 3 years ago by Gert Döring

2.5.4-I604 has been released. Please test, and report.

comment:5 Changed 3 years ago by vartik

Version 604 seems to have fixed the issues with cryptoapicert.

comment:6 Changed 3 years ago by Gert Döring

Resolution: fixed
Status: new → closed
Version: OpenVPN 2.5.4 (Community Ed)

Thanks for the confirmation, and thanks to @selva and @stipa for spotting and fixing the problem.

I'll proceed to close this ticket now :-)
