Opened 3 years ago
Closed 3 years ago
#1431 closed Bug / Defect (fixed)
Cryptoapicert stops working after 2.5.3 -> 2.5.4 upgrade (Windows 10)
| Reported by: | vartik | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | release 2.5.4 |
| Component: | Certificates | Version: | OpenVPN 2.5.4 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | vartik@… | | |
Description
Hi,
Since we've upgraded our Windows 10 OpenVPN clients to 2.5.4, an essential auth mechanism stopped working.
It seems the 2.5.4 client can't load certificates from the MS certificate store.
Both options for cryptoapicert (neither SUBJ: nor THUMB:) work now with the MS cert store.
I have a correct config file that works with both methods in OpenVPN GUI version 2.5.3, but neither work in 2.5.4 (on the same computer).
After initiating a connection, we get this error.
Rolling back to 2.5.3 "fixes" the issue and VPN connects:
This is what our config file looks like (generated by the pfSense openvpn export plugin):

```
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.com 1197 udp4
setenv opt block-outside-dns
lport 0
verify-x509-name "Example Server" name
auth-user-pass
ca vpn-UDP4-1197-username-ca.crt
### Using only 1 option at a time
#cryptoapicert "SUBJ:username, US, .... etc. "
cryptoapicert "THUMB:047*******"
tls-crypt vpn-UDP4-1197-username-tls.key
remote-cert-tls server
explicit-exit-notify
reneg-sec 36000
```
Change History (6)
comment:1 Changed 3 years ago by
comment:2 Changed 3 years ago by
Is msvc-config.h in OpenVPN repo used for the new release build? In commit 277844321 we have (among other things)
+#define OPENSSL_NO_EC 1
That will definitely break EC keys, ECDSA signatures, ECDH(E) key exchange and more. Even if OpenSSL is correctly built with EC support.
Why do we have these kinds of defines hard-coded? Or is this an unused file?
comment:3 Changed 3 years ago by
Those defines are used in openssl_compat.h and were copied from MinGW's config.h. I don't know why OPENSSL_NO_EC ended up there too. The patch is on the list which removes this define and adds a few missing ones (I compared with MinGW's config.h from 2.5.2).
In master branch we removed all those defines in commit https://github.com/OpenVPN/openvpn/commit/bc36d9d569eb3b22abe66c19325f6f04b3c9e225, so I've also sent a patch for master which adjusts config-msvc.h accordingly.
One could probably test GitHub Actions' binary with the fix: https://github.com/lstipakov/openvpn/suites/4050548031/artifacts/102721918
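Comment 3 describes the fix as a comparison of the MSVC config header against MinGW's config.h: one define (OPENSSL_NO_EC) had to go and a few missing ones had to be added. The script below is an added example, not the patch itself or any OpenVPN code: it pulls every `#define OPENSSL_NO_*` out of two header texts and reports which feature-disabling defines the candidate header has that the reference lacks, and vice versa. The two embedded headers are constructed stand-ins (OPENSSL_NO_EXAMPLE_FEATURE is a placeholder name), not the project's real files.

```python
import re

# Matches "#define OPENSSL_NO_<feature>" at the start of a line; these macros tell
# OpenSSL-using code that a feature (EC, engines, ...) is absent from the library.
OPENSSL_NO_DEFINE = re.compile(r"^\s*#\s*define\s+(OPENSSL_NO_\w+)\b", re.MULTILINE)

# Constructed stand-in for a build config header that wrongly disables EC support.
CANDIDATE_CONFIG_H = """\
/* constructed example, not the real config-msvc.h */
#define HAVE_OPENSSL_ENGINE 1
#define OPENSSL_NO_EC 1
"""

# Constructed stand-in for the reference header (the MinGW config.h role in comment 3).
REFERENCE_CONFIG_H = """\
/* constructed example, not the real MinGW config.h */
#define HAVE_OPENSSL_ENGINE 1
#define OPENSSL_NO_EXAMPLE_FEATURE 1
"""


def openssl_feature_defines(header_text):
    """Return the set of OPENSSL_NO_* macros a header defines."""
    return set(OPENSSL_NO_DEFINE.findall(header_text))


def compare_openssl_defines(candidate, reference):
    """Report OPENSSL_NO_* defines present only in the candidate ('extra') or only in the reference ('missing')."""
    cand = openssl_feature_defines(candidate)
    ref = openssl_feature_defines(reference)
    return {"extra": sorted(cand - ref), "missing": sorted(ref - cand)}


def disables_ec(header_text):
    """True if the header hard-codes OPENSSL_NO_EC, which disables EC keys, ECDSA and ECDH(E) in code using it."""
    return "OPENSSL_NO_EC" in openssl_feature_defines(header_text)


if __name__ == "__main__":
    diff = compare_openssl_defines(CANDIDATE_CONFIG_H, REFERENCE_CONFIG_H)
    print("extra in candidate:  ", diff["extra"])
    print("missing in candidate:", diff["missing"])
    print("EC disabled:", disables_ec(CANDIDATE_CONFIG_H))
```

Run against real header files by reading them into the two strings; an `extra` entry of OPENSSL_NO_EC in a build that links an OpenSSL with EC support is exactly the mismatch comment 2 points out, because the compat layer then compiles out EC code regardless of what the library provides.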
comment:6 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
| Version: | → OpenVPN 2.5.4 (Community Ed) |
Thanks for the confirmation, and thanks to @selva and @stipa for spotting and fixing the problem.
I'll proceed to close this ticket now :-)
As I was not sure which bugtracker is more relevant to this issue, I opened a duplicate bug on https://github.com/OpenVPN/openvpn-gui/issues/456