Opened 10 years ago

Closed 7 years ago

#460 closed Bug / Defect (notabug)

EC key exchange not working

Reported by: jopado1 Owned by: Antonio Quartulli
Priority: major Milestone:
Component: OpenVPN Connect Version: 1.1.14
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Trying to connect to a VPN server using the OpenVPN Connect Android app (v1.1.14) with a Nexus 7. My CA certificate was generated using NSS tools (certutil/pk12util). It is using ECDSA with NIST secp256r1. When attempting to connect, I get this error:

OpenVPN core error: PolarSSL: error parsing ca certificate : PK-Key algorithm is unsupported (only RSA and EC are supported)

Change History (6)

comment:1 Changed 10 years ago by novaflash

There are some possibilities here - we haven't actually tested EC keys much as far as I know, and if you're using Access Server with PolarSSL on the server side you might want to try with OpenSSL (after you revoke the certificate).

Anyways, this is something that we'll probably want to get fixed.

Version 0, edited 10 years ago by novaflash

comment:2 Changed 10 years ago by jopado1

The reported bug was seen while running OpenSSL on the server side:

# openvpn --version
OpenVPN 2.3_git [git:HEAD/cab6305be749930e+] arm-poky-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Oct 7 2014
library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06

comment:3 Changed 10 years ago by Samuli Seppänen

Owner: set to jamesyonan
Status: new → assigned

comment:4 Changed 10 years ago by chrismurf2900

I am also getting this same error on the OpenVPN Connect iOS app (v1.0.5 build 177, iOS 64-bit), using ECDSA with NIST secp384r1:
CORE_ERROR PolarSSL: error parsing ca certificate : PK - Key algorithm is unsupported (only RSA and EC are supported)

OpenSSL is also running on the server side. OpenVPN (server-side) version: 2.3.6

comment:5 Changed 7 years ago by Antonio Quartulli

Owner: changed from jamesyonan to Antonio Quartulli

At the moment ECDSA is not supported by OpenVPN Connect for iOS and Android. Only ECDHE can be used.

This means that EC certificates can't be used at the moment. However, it's in the pipeline.
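Before deploying a CA to a client that only accepts RSA certificate keys, the practical check is to confirm exactly which public-key algorithm and curve the CA certificate carries in its subjectPublicKeyInfo. The following is an added example, not code from this ticket, OpenVPN Connect, or PolarSSL: a stdlib-only Python walker that parses a DER X.509 certificate down to subjectPublicKeyInfo and reports the key algorithm and, for EC keys, the named curve. It goes slightly beyond the two curves named in the thread (secp256r1, secp384r1) by also recognising RSA and secp521r1. The three certificates it checks are constructed in-code (unsigned, empty issuer/subject, dummy signature) purely as test data; pem_to_der() is provided for feeding in a real ca.crt.

```python
# Added example: report the public-key algorithm (and named curve, for EC) of an
# X.509 certificate by walking its DER structure to subjectPublicKeyInfo.
# Standard library only. The test certificates below are CONSTRUCTED, not real CAs.
import base64
from typing import List, Optional, Tuple

# OIDs from RFC 3279 / RFC 5480; anything else is reported as a dotted string.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1",   # NIST P-256 / secp256r1
    "1.3.132.0.34": "secp384r1",           # NIST P-384
    "1.3.132.0.35": "secp521r1",           # NIST P-521
}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed type into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _decode_oid(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                  # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode a CERTIFICATE block."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def ca_key_algorithm(cert_der: bytes) -> Tuple[str, Optional[str]]:
    """Return (key algorithm name, named curve or None) for a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert, 0)   # tbsCertificate is the first element
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    fields = _children(tbs)
    # Optional [0] EXPLICIT version shifts every later field by one; v1 certs omit it.
    spki_tag, spki = fields[6 if fields[0][0] == 0xA0 else 5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo must be a SEQUENCE")
    alg_id, _subject_public_key = _children(spki)
    alg_parts = _children(alg_id[1])       # [algorithm OID, optional parameters]
    alg = OID_NAMES.get(_decode_oid(alg_parts[0][1]), _decode_oid(alg_parts[0][1]))
    curve = None
    if alg == "id-ecPublicKey" and len(alg_parts) > 1 and alg_parts[1][0] == 0x06:
        curve_oid = _decode_oid(alg_parts[1][1])   # namedCurve parameter
        curve = OID_NAMES.get(curve_oid, curve_oid)
    return alg, curve

# --- constructed test data (a tiny DER encoder; hypothetical, unsigned certificates) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def build_test_cert(alg_oid: str, params: bytes, pubkey: bytes) -> bytes:
    """Structurally valid v3 certificate with empty names and a dummy signature (test data only)."""
    spki = _tlv(0x30, _tlv(0x30, _encode_oid(alg_oid) + params) + _tlv(0x03, b"\x00" + pubkey))
    utc = _tlv(0x17, b"170101000000Z")
    sig_alg = _tlv(0x30, _encode_oid("1.2.840.10045.4.3.2"))   # ecdsa-with-SHA256
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _tlv(0x30, b"") + _tlv(0x30, utc + utc) + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + b"\x00" * 64))

EC_P256_CERT = build_test_cert("1.2.840.10045.2.1", _encode_oid("1.2.840.10045.3.1.7"), b"\x04" + b"\x11" * 64)
EC_P384_CERT = build_test_cert("1.2.840.10045.2.1", _encode_oid("1.3.132.0.34"), b"\x04" + b"\x22" * 96)
RSA_CERT = build_test_cert("1.2.840.113549.1.1.1", _tlv(0x05, b""),
                           _tlv(0x30, _tlv(0x02, b"\x00" + b"\xAB" * 256) + _tlv(0x02, b"\x01\x00\x01")))

if __name__ == "__main__":
    for name, der in (("constructed P-256 CA", EC_P256_CERT),
                      ("constructed P-384 CA", EC_P384_CERT),
                      ("constructed RSA CA", RSA_CERT)):
        print(name, "->", ca_key_algorithm(der))
    # For a real file: ca_key_algorithm(pem_to_der(open("ca.crt").read()))
```

The walker deliberately reads only the outer structure and the AlgorithmIdentifier, so it works on any certificate regardless of extensions or signature; an unexpected OID is returned as a dotted string rather than silently mapped, which is the case to watch for when a TLS library rejects a key it does not recognise.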

comment:6 Changed 7 years ago by Antonio Quartulli

Resolution: notabug
Status: assigned → closed