Opened 4 years ago

Closed 13 months ago

#460 closed Bug / Defect (notabug)

EC key exchange not working

Reported by: jopado1 Owned by: Antonio
Priority: major Milestone:
Component: OpenVPN Connect Version: 1.1.14
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Trying to connect to VPN server using OpenVPN Connect Android app (v1.1.14) on a Nexus 7. My CA certificate was generated using NSS tools (certutil/pk12util). It is using ECDSA with NIST secp256r1. When attempting to connect, I get this error:

OpenVPN core error: PolarSSL: error parsing ca certificate : PK-Key algorithm is unsupported (only RSA and EC are supported)

Change History (6)

comment:1 Changed 4 years ago by novaflash

There are some possibilities here - we haven't actually tested for EC keys much as far as I know, and if you're using Access Server with PolarSSL on the server side you might want to try with OpenSSL (after you revoke the client certificate in the Access Server).

Anyways, this is something that we'll probably want to get fixed.

Last edited 4 years ago by novaflash

comment:2 Changed 4 years ago by jopado1

The reported bug was seen while running OpenSSL on the server side:

# openvpn --version
OpenVPN 2.3_git [git:HEAD/cab6305be749930e+] arm-poky-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Oct 7 2014
library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06

comment:3 Changed 4 years ago by Samuli Seppänen

Owner: set to jamesyonan
Status: new → assigned

comment:4 Changed 4 years ago by chrismurf2900

I am also getting this same error on the OpenVPN Connect iOS app (v1.0.5 build 177, iOS 64-bit), using ECDSA with NIST secp384r1:
CORE_ERROR PolarSSL: error parsing ca certificate : PK - Key algorithm is unsupported (only RSA and EC are supported)

OpenSSL is also running on server side. OpenVPN (server-side) version: 2.3.6

comment:5 Changed 13 months ago by Antonio

Owner: changed from jamesyonan to Antonio

At the moment ECDSA is not supported by OpenVPN Connect for iOS and Android. Only ECDHE can be used.

This means that EC certificates can't be used at the moment. However, it's in the pipe.
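
The check an administrator would want after reading the comment above, as an added example that is not part of the ticket or of OpenVPN's own code: read the public-key algorithm out of a CA certificate's SubjectPublicKeyInfo so that an EC (ECDSA) CA is recognised before the client reports the PolarSSL parsing error. It uses a minimal DER walker instead of a library so it runs with the Python standard library alone; the sample certificates it builds (`sample_ec_cert`, `sample_rsa_cert`) are constructed with only the RFC 5280 field order and are not valid signed certificates, and `usable_with_openvpn_connect` simply encodes the ticket's statement that Connect accepts RSA certificates but not EC ones.

```python
import base64
import re
import sys

# Public-key algorithm OIDs found in SubjectPublicKeyInfo (RFC 3279 / RFC 5480).
OID_RSA = "1.2.840.113549.1.1.1"      # rsaEncryption
OID_EC = "1.2.840.10045.2.1"          # id-ecPublicKey
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "secp256r1",   # prime256v1 / P-256
    "1.3.132.0.34": "secp384r1",          # P-384
    "1.3.132.0.35": "secp521r1",          # P-521
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length: next (first & 0x7F) bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed DER value into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form (base-128 arcs)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def public_key_algorithm(cert_der):
    """Return ('RSA', None), ('EC', curve) or ('unknown', oid) for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs = _children(cert)[0]                     # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki = fields[5]
    alg_parts = _children(_children(spki)[0][1])    # AlgorithmIdentifier { algorithm, parameters }
    oid = _decode_oid(alg_parts[0][1])
    if oid == OID_RSA:
        return ("RSA", None)
    if oid == OID_EC:
        ptag, params = alg_parts[1]
        if ptag == 0x06:                            # namedCurve OID
            curve = _decode_oid(params)
            return ("EC", CURVE_NAMES.get(curve, curve))
        return ("EC", "explicit-parameters")
    return ("unknown", oid)


def public_key_algorithm_pem(text):
    """Same check for a PEM file such as the ca.crt referenced from an OpenVPN profile."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return public_key_algorithm(base64.b64decode("".join(m.group(1).split())))


def usable_with_openvpn_connect(cert_der):
    """Ticket comment:5: Connect for iOS/Android takes RSA certificates, not EC (ECDSA) ones."""
    return public_key_algorithm(cert_der)[0] == "RSA"


# --- constructed sample input: certificate-shaped DER, not a valid signed certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def sample_cert(alg_oid, params_der):
    ecdsa_sha256 = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.10045.4.3.2")))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _encode_oid(alg_oid)) + params_der)
                + _tlv(0x03, b"\x00\x04" + b"\x00" * 64))            # placeholder key bits
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + ecdsa_sha256
               + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
               + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + ecdsa_sha256 + _tlv(0x03, b"\x00"))


def sample_ec_cert(curve_oid="1.2.840.10045.3.1.7"):
    return sample_cert(OID_EC, _tlv(0x06, _encode_oid(curve_oid)))


def sample_rsa_cert():
    return sample_cert(OID_RSA, _tlv(0x05, b""))      # rsaEncryption carries NULL parameters


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                               # e.g. python check_ca_key.py ca.crt
        with open(sys.argv[1]) as f:
            print(public_key_algorithm_pem(f.read()))
    else:
        for name, der in (("constructed P-256 CA", sample_ec_cert()), ("constructed RSA CA", sample_rsa_cert())):
            print(name, public_key_algorithm(der), "usable with Connect:", usable_with_openvpn_connect(der))
```

Run it against the ca.crt from the profile to see whether the CA key is EC before deploying to Connect; the reporters' secp256r1 and secp384r1 CAs would both come back as `EC`.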

comment:6 Changed 13 months ago by Antonio

Resolution: notabug
Status: assigned → closed