Notice for long time OpenVPN users

[dmorris]

I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?

Yes, the certificate for the server is in the backup (it has to be otherwise the clients would refuse to connect to restored servers!)

We switched from MD5 to SHA many years ago so unless your backup is really old you won't have an issue.

People with MD5 are just noticing because they're officially dropping MD5 support in many clients. This includes the official openvpn client for windows (2.4.6) that you would download from the directly from them as well as some others like tunnelblick.

You can check your cert with:
sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"

[donhwyo]

Thanks they have probably been drug forward from 10.

[dmorris]

Thanks they have probably been drug forward from 10.

In that case you probably want to regen the cert before too long. Our client (2.4.3) still accepts it, but if you use others they're getting more stringent. Also eventually we'll want to update the one included in Untangle and when we do that even it won't accept MD5 certs.

[donhwyo]

Done. Thanks

[johnsonx42]

You can check your cert with:
sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"

At the site I'm at now I get "md5WithRSAEncryption"

So this one is going to be a problem, yes?

[donhwyo]

The new one looks like this. Signature Algorithm: sha512WithRSAEncryption

[sky-knight]

You can check your cert with:
sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"

Thank you for this, I thought I had one more redeployment to do, but it turns out I don't! It's hard to remember when servers got setup!

[sky-knight]

I just had a device lose OpenVPN connectivity in a 2nd location, I confirmed sha512WithRSAEncryption, yet I'm getting TLS failures when clients connect. Fix is blowing up the module and redeploying.

This appears to be happening with the 14.1 upgrade, I suspect a bug. Sadly, I cannot leave it broken. So here we are.

Code:

Fri Dec 07 18:10:20 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]98.182.122.98:1194
Fri Dec 07 18:10:20 2018 UDP link local: (not bound)
Fri Dec 07 18:10:20 2018 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Dec 07 18:10:20 2018 Certificate does not have key usage extension
Fri Dec 07 18:10:20 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Dec 07 18:10:20 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 07 18:10:20 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 07 18:10:20 2018 TLS Error: TLS handshake failed
Fri Dec 07 18:10:20 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 07 18:10:25 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]98.182.122.98:1194
Fri Dec 07 18:10:25 2018 UDP link local: (not bound)
Fri Dec 07 18:10:25 2018 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Dec 07 18:10:25 2018 Certificate does not have key usage extension
Fri Dec 07 18:10:25 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Dec 07 18:10:25 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 07 18:10:25 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 07 18:10:25 2018 TLS Error: TLS handshake failed
Fri Dec 07 18:10:25 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 07 18:10:28 2018 SIGTERM[hard,init_instance] received, process exiting

This log from a "new" VPN client, older clients can connect but not route traffic properly. The logs on the station I cannot get exactly, but the user reported a warning about LZO compression.

Blowing away the module, reinstalling it, and redistributing clients has fixed it. But I'd like to know why it broke because again, I confirmed the server certificate on this unit was sha512WithRSAEncryption BEFORE I nuked the module. And I'm assuming that 14.1 isn't expected to break OpenVPN. Otherwise, and yet I've got a unit that seems to have had working OpenVPN on 14.0.1, and broken on 14.1.

I say seems... because I don't have a unit I can just push the magic button on and confirm.

[dmorris]

I say seems... because I don't have a unit I can just push the magic button on and confirm.

If you still have the issue, open a case and enable remote support and we'll take a look.
PM me the ticket number with the info and I'll look now.

If you've already nuked everything, then there isn't much to investigate.

[sky-knight]

If you still have the issue, open a case and enable remote support and we'll take a look.
PM me the ticket number with the info and I'll look now.

If you've already nuked everything, then there isn't much to investigate.

Yeah I know, my NFR hasn't gone to 14.1 yet, I'm hoping it does the same thing so I can leave it to dig into it. The first unit that did this was coinciding with a pile of RDP issues and I didn't realize the VPN was broken too until half way through. It wasn't until this second unit exhibited the same behavior on the VPN that I considered something might be up. (That unit could have had an old MD5 certificate too, most of these installs have been around for ages)

I'm going to dig around my other units that have and haven't upgraded to see if I cannot drum up another problem child.

I really wanted to leave the unit that died this evening, but the business owner is in the middle of an ugly audit and needed to work remotely this weekend.