  1. #11 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

    Quote Originally Posted by donhwyo View Post
    I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?
    Yes, the certificate for the server is in the backup (it has to be otherwise the clients would refuse to connect to restored servers!)

    We switched from MD5 to SHA many years ago so unless your backup is really old you won't have an issue.

    People with MD5 are just noticing because they're officially dropping MD5 support in many clients. This includes the official openvpn client for windows (2.4.6) that you would download directly from them as well as some others like tunnelblick.

    You can check your cert with:
    sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"
    Last edited by dmorris; 12-06-2018 at 04:02 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  2. #12 Untangle Ninja (joined May 2008; 1,036 posts)

    Thanks they have probably been drug forward from 10.

  3. #13 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

    Quote Originally Posted by donhwyo View Post
    Thanks they have probably been drug forward from 10.
    In that case you probably want to regen the cert before too long. Our client (2.4.3) still accepts it, but if you use others they're getting more stringent. Also eventually we'll want to update the one included in Untangle and when we do that even it won't accept MD5 certs.

  4. #14 Untangle Ninja (joined May 2008; 1,036 posts)

    Done. Thanks

  5. #15 Untangle Ninja (joined Jan 2011; 1,187 posts)

    Quote Originally Posted by dmorris View Post
    You can check your cert with:
    sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"
    At the site I'm at now I get "md5WithRSAEncryption"

    So this one is going to be a problem, yes?

  6. #16 Untangle Ninja (joined May 2008; 1,036 posts)

    The new one looks like this. Signature Algorithm: sha512WithRSAEncryption

  7. #17 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 23,993 posts)

    Quote Originally Posted by dmorris View Post
    You can check your cert with:
    sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"
    Thank you for this, I thought I had one more redeployment to do, but it turns out I don't! It's hard to remember when servers got setup!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #18 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 23,993 posts)

    I just had a device lose OpenVPN connectivity in a 2nd location, I confirmed sha512WithRSAEncryption, yet I'm getting TLS failures when clients connect. Fix is blowing up the module and redeploying.

    This appears to be happening with the 14.1 upgrade, I suspect a bug. Sadly, I cannot leave it broken. So here we are.

    Code:
    Fri Dec 07 18:10:20 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]98.182.122.98:1194
    Fri Dec 07 18:10:20 2018 UDP link local: (not bound)
    Fri Dec 07 18:10:20 2018 UDP link remote: [AF_INET]x.x.x.x:1194
    Fri Dec 07 18:10:20 2018 Certificate does not have key usage extension
    Fri Dec 07 18:10:20 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Fri Dec 07 18:10:20 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Fri Dec 07 18:10:20 2018 TLS Error: TLS object -> incoming plaintext read error
    Fri Dec 07 18:10:20 2018 TLS Error: TLS handshake failed
    Fri Dec 07 18:10:20 2018 SIGUSR1[soft,tls-error] received, process restarting
    Fri Dec 07 18:10:25 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]98.182.122.98:1194
    Fri Dec 07 18:10:25 2018 UDP link local: (not bound)
    Fri Dec 07 18:10:25 2018 UDP link remote: [AF_INET]x.x.x.x:1194
    Fri Dec 07 18:10:25 2018 Certificate does not have key usage extension
    Fri Dec 07 18:10:25 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Fri Dec 07 18:10:25 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Fri Dec 07 18:10:25 2018 TLS Error: TLS object -> incoming plaintext read error
    Fri Dec 07 18:10:25 2018 TLS Error: TLS handshake failed
    Fri Dec 07 18:10:25 2018 SIGUSR1[soft,tls-error] received, process restarting
    Fri Dec 07 18:10:28 2018 SIGTERM[hard,init_instance] received, process exiting
    This log is from a "new" VPN client; older clients can connect but not route traffic properly. The logs on the station I cannot get exactly, but the user reported a warning about LZO compression.

    Blowing away the module, reinstalling it, and redistributing clients has fixed it. But I'd like to know why it broke because again, I confirmed the server certificate on this unit was sha512WithRSAEncryption BEFORE I nuked the module. And I'm assuming that 14.1 isn't expected to break OpenVPN. Otherwise, and yet I've got a unit that seems to have had working OpenVPN on 14.0.1, and broken on 14.1.

    I say seems... because I don't have a unit I can just push the magic button on and confirm.
    Last edited by sky-knight; 12-07-2018 at 06:56 PM.
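    An added check script, not code from the thread or from Untangle, that combines the openssl one-liner dmorris posted in #11 with the condition the client log above reports: it prints the certificate's signature algorithm, flags an MD5 signature (SHA-1 is flagged too, which goes beyond the thread), and flags a certificate with no X509v3 Key Usage extension. It assumes the openssl CLI is installed; the Untangle path in the usage comment is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Untangle.
# Inspects an OpenVPN server certificate for the two properties discussed
# above: the signature digest (MD5 certs are refused by OpenVPN 2.4.6 clients)
# and the X509v3 Key Usage extension (its absence is what the client log
# reports as "Certificate does not have key usage extension").
# Assumes the openssl CLI is installed.

# Signature algorithm of a PEM certificate, e.g. "sha512WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit status 0 if the certificate carries an X509v3 Key Usage extension.
cert_has_key_usage() {
    openssl x509 -noout -text -in "$1" | grep -q '^ *X509v3 Key Usage'
}

# Verdict for one certificate file.
# Returns 0 = fine, 1 = weak signature digest, 2 = no Key Usage, 3 = unreadable.
# MD5 is the case from the thread; SHA-1 is added here because OpenSSL 3
# rejects SHA-1 certificate signatures at its default security level as well.
check_openvpn_cert() {
    cert=$1
    alg=$(cert_sig_alg "$cert")
    case "$alg" in
        "")
            echo "$cert: could not read certificate"
            return 3 ;;
        md5*|sha1*|ecdsa-with-SHA1)
            echo "$cert: WEAK signature algorithm $alg, regenerate the cert"
            return 1 ;;
    esac
    if ! cert_has_key_usage "$cert"; then
        echo "$cert: signed with $alg but has no X509v3 Key Usage extension"
        return 2
    fi
    echo "$cert: OK, signed with $alg and has a Key Usage extension"
    return 0
}

# Usage: sh check_cert.sh /usr/share/untangle/settings/openvpn/server.crt
# (the Untangle path quoted in the thread). Runs only when a path is given.
if [ $# -gt 0 ]; then
    check_openvpn_cert "$1"
fi
```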

  9. #19 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

    Quote Originally Posted by sky-knight View Post
    I say seems... because I don't have a unit I can just push the magic button on and confirm.
    If you still have the issue, open a case and enable remote support and we'll take a look.
    PM me the ticket number with the info and I'll look now.

    If you've already nuked everything, then there isn't much to investigate.

  10. #20 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 23,993 posts)

    Quote Originally Posted by dmorris View Post
    If you still have the issue, open a case and enable remote support and we'll take a look.
    PM me the ticket number with the info and I'll look now.

    If you've already nuked everything, then there isn't much to investigate.
    Yeah I know, my NFR hasn't gone to 14.1 yet, I'm hoping it does the same thing so I can leave it to dig into it. The first unit that did this was coinciding with a pile of RDP issues and I didn't realize the VPN was broken too until halfway through. It wasn't until this second unit exhibited the same behavior on the VPN that I considered something might be up. (That unit could have had an old MD5 certificate too, most of these installs have been around for ages)

    I'm going to dig around my other units that have and haven't upgraded to see if I cannot drum up another problem child.

    I really wanted to leave the unit that died this evening, but the business owner is in the middle of an ugly audit and needed to work remotely this weekend.
    Last edited by sky-knight; 12-07-2018 at 08:04 PM.
