opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

openvpn: update p12 export algorithm #6130

Closed jo-krk closed 1 year ago

jo-krk commented 1 year ago

After upgrading to Ubuntu 22.10 my OpenVPN client doesn't connect anymore to the OpenVPN server running on OPNsense. Investigation showed that the new OpenSSL version that is shipped with Ubuntu 22.10 doesn't support the deprecated algorithm that is used by OPNsense when exporting the OpenVPN config.

$ openssl pkcs12 -info -in openvpn_OpenVPN_Server_Zertifikat.p12
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
80FB35FD2D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

The same openssl command as above with the -legacy flag provides the expected output.

OPNsense version: OPNsense 22.7.71 (amd64/OpenSSL)
OpenVPN package version @ OPNsense: 2.5.8

Client OS: Ubuntu 22.10
Client's openssl version: OpenSSL 3.0.5 5 Jul 2022
Client's openvpn version: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]

OPNsense-bot commented 1 year ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

jo-krk commented 1 year ago

Workaround on a machine with OpenSSL 3.0.5:

  1. Decrypt the p12 generated by OPNsense via:
     $ openssl pkcs12 -info -in openvpn_OpenVPN_Server_Zertifikat.p12 -legacy
  2. Place the certs in cert.pem and the private key in key.pem
  3. Generate a new p12 file with the current algorithm:
     $ openssl pkcs12 -export -out good.p12 -inkey key.pem -in cert.pem
  4. Update your .ovpn config accordingly

fichtner commented 1 year ago

We should update the default algorithm most likely, but the -legacy switch and the deprecation are all on OpenSSL 3 and out of our reach.

fichtner commented 1 year ago

If you want to have a laugh see https://www.openssl.org/docs/man1.1.1/man3/PKCS12_create.html

These defaults are: 40 bit RC2 encryption for certificates
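
As an added example (not OPNsense or OpenSSL code), a stdlib-only Python checker that walks a .p12 file's DER structure and reports the PBE and MAC algorithm OIDs it carries, so exports still using the PKCS12_create defaults quoted above (RC2-40 with a SHA-1 MAC) can be found in bulk before an OpenSSL 3 client fails on them. The sample PFX is constructed in code with dummy ciphertext to mirror the -info output in the issue; the OID tables, function names and sample values are assumptions of this example.

```python
"""Report PBE / MAC algorithm OIDs inside a PKCS#12 (PFX) DER blob; flags the OpenSSL 1.1.1 PKCS12_create defaults."""
LEGACY_PBE = {"1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",   # OpenSSL 3 legacy provider only
              "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC"}
MODERN_PBE = {"1.2.840.113549.1.5.13": "PBES2"}                           # what OpenSSL 3 exports by default
MAC_DIGEST = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
def _tlv(buf, pos):
    """Parse one DER header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _oid_str(raw):
    """OID content octets -> dotted form (first byte packs two arcs, the rest are base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80: arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def collect_oids(buf):
    """Depth-first OID harvest: recurse into constructed types and into OCTET STRINGs wrapping
    exactly one DER SEQUENCE (the authSafe payload); other primitives (ciphertext, salts) are skipped."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, start, end = _tlv(buf, pos)
        body = buf[start:end]
        wraps_seq = tag == 0x04 and len(body) > 1 and body[0] == 0x30 and _tlv(body, 0)[2] == len(body)
        if tag == 0x06:
            oids.append(_oid_str(body))
        elif tag & 0x20 or wraps_seq:
            oids.extend(collect_oids(body))
        pos = end
    return oids
def classify_pkcs12(der):
    """Summarise algorithms; needs_legacy_provider means 'openssl pkcs12 needs -legacy' on OpenSSL 3."""
    found = collect_oids(der)
    legacy = sorted({LEGACY_PBE[o] for o in found if o in LEGACY_PBE})
    return {"legacy_pbe": legacy, "modern_pbe": sorted({MODERN_PBE[o] for o in found if o in MODERN_PBE}),
            "mac_digest": [MAC_DIGEST[o] for o in found if o in MAC_DIGEST], "needs_legacy_provider": bool(legacy)}

# Constructed sample mirroring the issue's -info output (dummy ciphertext, not loadable): RC2-40 PBE, 2048 iterations, SHA-1 MAC.
def _der(tag, body):                        # minimal DER encoder, short or long length form
    n = len(body); lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, n] if n < 0x80 else [tag, 0x80 | len(lb), *lb]) + body
SEQ = lambda *parts: _der(0x30, b"".join(parts))
ID_DATA, ID_ENC = _der(6, bytes.fromhex("2a864886f70d010701")), _der(6, bytes.fromhex("2a864886f70d010706"))
RC2_40_PBE = SEQ(_der(6, bytes.fromhex("2a864886f70d010c0106")), SEQ(_der(4, b"\x33" * 8), _der(2, b"\x08\x00")))
SHA1_ALG = SEQ(_der(6, bytes.fromhex("2b0e03021a")), _der(5, b""))
ENC_DATA = SEQ(ID_ENC, _der(0xA0, SEQ(_der(2, b"\x00"), SEQ(ID_DATA, RC2_40_PBE, _der(0x80, b"\xAA" * 48)))))
MAC_DATA = SEQ(SEQ(SHA1_ALG, _der(4, b"\x11" * 20)), _der(4, b"\x22" * 8), _der(2, b"\x01"))
LEGACY_P12 = SEQ(_der(2, b"\x03"), SEQ(ID_DATA, _der(0xA0, _der(4, SEQ(ENC_DATA)))), MAC_DATA)
```

Run `classify_pkcs12(open(path, "rb").read())` over a directory of exported .p12 files to list the ones that still need re-exporting.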

fichtner commented 1 year ago

Upstream issue fixed eventually by moving to OpenSSL 3. But that's definitely not this year. Removing milestone.

OPNsense-bot commented 1 year ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

luckylinux commented 8 months ago

I made a small script based on @jo-krk's suggestions. It allows you to quickly regenerate the updated .p12 file with the required modifications.

The advantage is that it can be run unattended, i.e. you don't need to copy-paste the certs & keys into the file manually.

#!/bin/bash

# Abort on errors
set -e

# Source: https://github.com/opnsense/core/issues/6130#issuecomment-1310237598

# .p12 file to read
read -r -p "Enter .p12 filename to convert to new OpenSSL 3.x format: " p12file
echo -e "\n"

# Get folder name of the p12 file (quoted so paths with spaces work)
fullpath=$(dirname "$p12file")

# Generate timestamp
timestamp=$(date +%Y%m%d%H%M)

# Create backup
cp "${p12file}" "${p12file}_backup_${timestamp}"

# Filenames only
p12filename=$(basename "$p12file")
certfilename=${p12filename/".p12"/".cert.pem"}
keyfilename=${p12filename/".p12"/".key.pem"}

# Filenames with path
certfile="${fullpath}/${certfilename}"
keyfile="${fullpath}/${keyfilename}"

# Decrypt p12 generated by OPNsense via:
# Manual Process
#openssl pkcs12 -info -in "$p12file" -legacy

# Automatic Process
# And place the respective contents in a .cert and .key file
# Note: -nodes writes the private key unencrypted to $keyfile; delete it once the new .p12 is verified
openssl pkcs12 -in "$p12file" -legacy -out "$keyfile" -nodes
openssl pkcs12 -in "$p12file" -legacy -out "$certfile" -nokeys

# Generate new p12 file with current algorithm:
openssl pkcs12 -export -out "$p12file" -inkey "$keyfile" -in "$certfile"

Note: following an upgrade, I also had to modify my /etc/openvpn/.conf and comment out the compression directive, otherwise I wasn't able to ping hosts:

#comp-lzo adaptive