Ticket #764: --management-external-key sometimes requests signatures for too long data

Reporter: jarit
Owner: Samuli Seppänen
Type: Bug / Defect
Status: closed
Priority: major
Milestone: release 2.3.15
Component: Generic / unclassified
Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Resolution: fixed
Cc: Steffan Karger

Description:

According to https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html, the ">RSA_SIGN" notification should be responded to with the "rsa-sig" command, where the signature should be a "Base64 encoded output of RSA_sign(NID_md5_sha1,...". The normal case is that OpenVPN requests signatures for 36 bytes of data, but with some clients we see a notification requesting a signature for 83 bytes:

{{{
>RSA_SIGN:MFEwDQYJYIZIAWUDBAIDBQAEQGOZtLwchpQ0BVWxcSizpYpAEoVi/B8tGMYuj374VsmPQ1GUMiIbggdX7apKK7+x5FgVTqCCi+T/1EGZU1zIYn4=
}}}

OpenSSL RSA_sign with NID_md5_sha1 expects that the data is exactly 36 bytes and will refuse to sign this, giving an error about an invalid message length: https://github.com/openssl/openssl/blob/608a026/crypto/rsa/rsa_sign.c#L88

Either the documentation is wrong and the signature should be generated in another way, or the request to sign 83 bytes is a bug. This seems to happen only with certain clients/versions (Android) and is always reproducible with those.

OpenSSL version is 1.0.2d and OpenVPN version:

{{{
OpenVPN 2.3.12 arm-poky-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 9 2016
library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_lzo_headers=/include with_lzo_lib=/lib with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_ssl_headers=/include with_ssl_lib=/lib with_sysroot=no
}}}
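To see what the 83-byte request in this ticket actually carries, here is an added example (my code, not part of the ticket or of OpenVPN) that decodes an >RSA_SIGN payload and classifies it as either the 36-byte MD5||SHA-1 concatenation that RSA_sign(NID_md5_sha1) accepts (the TLS 1.0/1.1 form) or a PKCS #1 DigestInfo (the TLS 1.2 form), reporting the digest algorithm by its OID; the function names and the OID table are my own. Run on the ticket's payload it reports a SHA-512 DigestInfo with a 64-byte digest, which is why RSA_sign with NID_md5_sha1 rejects it.

```python
import base64

DIGEST_OIDS = {  # PKCS #1 (RFC 8017) DigestInfo OIDs -> (name, digest size)
    "1.2.840.113549.2.5": ("MD5", 16),
    "1.3.14.3.2.26": ("SHA-1", 20),
    "2.16.840.1.101.3.4.2.1": ("SHA-256", 32),
    "2.16.840.1.101.3.4.2.2": ("SHA-384", 48),
    "2.16.840.1.101.3.4.2.3": ("SHA-512", 64),
}

def _tlv(buf, pos, tag):
    """Read one short-form DER TLV at pos; return (content, offset after it)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("bad DER length")
    return buf[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_oid(raw):
    """Decode OID content octets to dotted form (first octet packs two arcs)."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_rsa_sign_request(b64_payload):
    """Return what kind of to-be-signed data an >RSA_SIGN line carries."""
    data = base64.b64decode(b64_payload, validate=True)
    if len(data) == 36:  # raw MD5 || SHA-1, what RSA_sign(NID_md5_sha1) expects
        return {"format": "md5_sha1", "hash": "MD5+SHA-1", "digest_len": 36}
    # Otherwise expect DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
    seq, end = _tlv(data, 0, 0x30)
    algid, pos = _tlv(seq, 0, 0x30)
    digest, pos = _tlv(seq, pos, 0x04)
    if end != len(data) or pos != len(seq):
        raise ValueError("trailing bytes in DigestInfo")
    oid_raw, _ = _tlv(algid, 0, 0x06)
    oid = _decode_oid(oid_raw)
    if oid not in DIGEST_OIDS:
        raise ValueError(f"unrecognised digest OID {oid}")
    name, size = DIGEST_OIDS[oid]
    if len(digest) != size:
        raise ValueError(f"{name} DigestInfo carries {len(digest)} bytes, expected {size}")
    return {"format": "digestinfo", "hash": name, "digest_len": size, "oid": oid}

TICKET_PAYLOAD = (  # the 83-byte request quoted in the ticket
    "MFEwDQYJYIZIAWUDBAIDBQAEQGOZtLwchpQ0BVWxcSizpYpAEoVi/B8tGMYuj374"
    "VsmPQ1GUMiIbggdX7apKK7+x5FgVTqCCi+T/1EGZU1zIYn4=")
```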