OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

test_suite_x509parse FAILED #280

Closed kaperusov closed 1 year ago

kaperusov commented 1 year ago
Operating System: Debian GNU/Linux trixie/sid        
          Kernel: Linux 6.4.0-1-amd64
    Architecture: x86-64

g++ (Debian 13.2.0-1) 13.2.0
make: 4.3-4.1
cmake: 3.27.1-2
libssl-dev: 3.0.10-1
libmbedtls-dev: 2.28.3-1
liblz4-dev: 1.9.4-1

I tried to build the dependencies by running the commands from the README:

$ cd core/scripts/linux/
$ ./build-all

and build failed:

[...omitted...]
test_suite_version ................................................ PASS
test_suite_x509parse .............................................. FAIL
test_suite_x509write .............................................. PASS
test_suite_xtea ................................................... PASS
------------------------------------------------------------------------
FAILED (103 suites, 15155 tests run)
make[1]: *** [Makefile:160: check] Error 1
make[1]: Leaving directory '/home/sk/O3/deps/mbedtls-2.28.2/tests'
make: *** [Makefile:98: check] Error 2

Then, I ran ~/O3/deps/mbedtls-2.28.2/tests/test_suite_x509parse for details and wrote output to a log file:

sk@smk:~/O3/deps/mbedtls-2.28.2/tests$ grep 'FAILED' test_suite_x509parse.log 
X509 CRT verification #32 (Valid, EC cert, RSA CA) ................ FAILED
X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) ...... FAILED
X509 CRT verify chain #12 (suiteb profile, RSA root) .............. FAILED
X509 OID numstring #5 (arithmetic overflow) ....................... FAILED
FAILED (732 / 736 tests (34 skipped))

dsommers commented 1 year ago

This error happens in the mbedtls library. This is not related to OpenVPN 3. Please open a ticket for the mbed team to look into; this is not something we can do much with.

That said, unless there are specific reasons to use mbed TLS, do consider using OpenSSL. Feature- and performance-wise, OpenSSL generally performs better. And OpenSSL is now a well funded and functional project, when compared against the time before the Heartbleed issue. We also generally have the impression mbed TLS development is moving slower forward than OpenSSL these days.

kaperusov commented 1 year ago

> This error happens in the mbedtls library. This is not related to OpenVPN 3. Please open a ticket for the mbed team to look into; this is not something we can do much with.
>
> That said, unless there are specific reasons to use mbed TLS, do consider using OpenSSL. Feature- and performance-wise, OpenSSL generally performs better. And OpenSSL is now a well funded and functional project, when compared against the time before the Heartbleed issue. We also generally have the impression mbed TLS development is moving slower forward than OpenSSL these days.

OK, thanks.

I also built the OpenVPN 3 client wrapper (cli) with the OpenSSL library. It has been built.

But when I ran:

sudo test/ovpncli/ovpncli myprofile.ovpn route-nopull

CONNECTING...
Thread starting...
Fri Aug 11 13:42:41.741 2023 OpenVPN core 3.8 linux x86_64 64-bit
Fri Aug 11 13:42:41.751 2023 Frame=512/2112/512 mssfix-ctrl=1250
connect error: PKey::parse_pem: error in private key:: error:1C800064:Provider routines::bad decrypt / error:11800074:PKCS12 routines::pkcs12 cipherfinal error / error:1C800064:Provider routines::bad decrypt / error:11800074:PKCS12 routines::pkcs12 cipherfinal error
Thread finished
STATS:

:-(

What am I doing wrong? Is it also mbedtls library? Or should I open a new issue?

schwabe commented 1 year ago

No, that is probably either a broken key or outdated encryption on your that requires enabling the legacy algorithms
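
The "outdated encryption" possibility raised above can be checked without the passphrase, because an encrypted PEM key names its wrapping scheme in clear. The following is an added example, not code from this thread or from the OpenVPN project: `classify_key`, the small OID table and `SAMPLE` (a constructed key block with dummy data) are assumptions made for illustration.

```python
import base64, re
# PKCS#8 scheme OID -> (name, needs the OpenSSL 3 legacy provider: single DES, RC2, PBKDF1).
# Small illustrative subset; 3DES and AES are served by the default provider.
SCHEMES = {
    "1.2.840.113549.1.5.13": ("PBES2", False),  # assumes a modern inner cipher
    "1.2.840.113549.1.5.3": ("pbeWithMD5AndDES-CBC", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", True),
}
LEGACY_PEM_CIPHERS = ("DES-CBC", "RC2", "BF", "CAST", "IDEA", "SEED")  # common DEK-Info prefixes

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_key(text):
    """Return (scheme, needs_legacy) for the first private key block in text."""
    m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no private key block found")
    label, body = m.groups()
    dek = re.search(r"DEK-Info:\s*([\w-]+)", body)
    if dek:  # traditional PEM encryption names its cipher in the header
        return dek.group(1).upper(), dek.group(1).upper().startswith(LEGACY_PEM_CIPHERS)
    if label != "ENCRYPTED PRIVATE KEY":
        return "unencrypted", False
    der = base64.b64decode("".join(body.split()))
    pos = read_tlv(der, 0)[1]             # enter EncryptedPrivateKeyInfo SEQUENCE
    pos = read_tlv(der, pos)[1]           # enter AlgorithmIdentifier SEQUENCE
    tag, pos, end = read_tlv(der, pos)    # algorithm OID
    oid = decode_oid(der[pos:end]) if tag == 0x06 else "not-an-OID"
    return SCHEMES.get(oid, (oid, None))  # None: scheme not in the table, inspect manually

# Constructed sample (dummy salt and ciphertext), wrapped with pbeWithSHAAnd40BitRC2-CBC.
_DER = bytes.fromhex("3030" "301c" "060a2a864886f70d010c0106" "300e0408" + "00" * 8 + "02020800" "0410" + "00" * 16)
SAMPLE = ("<key>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(_DER).decode()
          + "\n-----END ENCRYPTED PRIVATE KEY-----\n</key>\n")
```

A result of `True` means the key can only be read once the legacy algorithms are enabled; a result of `False` on a key that still fails with "bad decrypt" leaves a wrong passphrase or a damaged key as the remaining explanations.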

ericosmic commented 6 months ago

@kaperusov hi, I met the same error, but how do I build with openssl?