Closed jo-krk closed 1 year ago
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
Workaround on a machine with OpenSSL 3.0.5:

```sh
$ openssl pkcs12 -info -in openvpn_OpenVPN_Server_Zertifikat.p12 -legacy
$ openssl pkcs12 -export -out good.p12 -inkey key.pem -in cert.pem
```
We should update the default algorithm most likely, but the -legacy switch and deprecation are all on OpenSSL 3 and out of our reach.
If you want to have a laugh see https://www.openssl.org/docs/man1.1.1/man3/PKCS12_create.html
These defaults are: 40 bit RC2 encryption for certificates
Upstream issue fixed eventually by moving to OpenSSL 3. But that's definitely not this year. Removing milestone.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
I made a small script based on @jo-krk's suggestions. This allows you to quickly regenerate the updated .p12 file with the required modifications.
The advantage is that it can be run unattended, i.e. you don't need to copy-paste the certs & keys inside the file manually.
```bash
#!/bin/bash
# Abort on errors
set -e
# Source: https://github.com/opnsense/core/issues/6130#issuecomment-1310237598
# .p12 file to read
read -r -p "Enter .p12 filename to convert to new OpenSSL 3.x format: " p12file
echo -e "\n"
# Get folder name and p12 filename
fullpath=$(dirname "$p12file")
# Generate timestamp
timestamp=$(date +%Y%m%d%H%M)
# Create backup
cp "${p12file}" "${p12file}_backup_${timestamp}"
# Filenames only
p12filename=$(basename "$p12file")
certfilename=${p12filename/".p12"/".cert.pem"}
keyfilename=${p12filename/".p12"/".key.pem"}
# Filenames with path
certfile="${fullpath}/${certfilename}"
keyfile="${fullpath}/${keyfilename}"
# Decrypt p12 generated by OPNsense via:
# Manual Process
#openssl pkcs12 -info -in "$p12file" -legacy
# Automatic Process
# And place the respective contents in a .cert and .key file
# (-nodes writes the private key unencrypted to disk; -nocerts keeps the
# certificates out of the key file)
openssl pkcs12 -in "$p12file" -legacy -out "$keyfile" -nodes -nocerts
openssl pkcs12 -in "$p12file" -legacy -out "$certfile" -nokeys
# Generate new p12 file with current algorithm:
openssl pkcs12 -export -out "$p12file" -inkey "$keyfile" -in "$certfile"
```
Note: following an upgrade, I also had to modify my /etc/openvpn/
#comp-lzo adaptive
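The same re-export as a reusable function, added here as an example (not the script above and not OPNsense code): it first checks whether the file really needs OpenSSL 3's legacy provider, then re-exports with current defaults (PBES2/AES-256-CBC for key and certificates, SHA-256 MAC) while keeping the private key encrypted in the intermediate file instead of using -nodes. It assumes `openssl` is in PATH and takes the password from the `P12_PASS` environment variable (both are assumptions of this example).

```bash
#!/bin/sh
# Added example: detect a legacy-only PKCS#12 file and re-export it with
# current algorithms. Password comes from $P12_PASS (never on the command
# line, so it does not show up in `ps`). Assumes `openssl` is in PATH.

# Prints "default" if the file parses with the default provider, "legacy"
# if it parses only with -legacy (the OpenSSL 1.1.1 PKCS12_create defaults,
# e.g. RC2-40 for certificates), "unreadable" otherwise (wrong password,
# corrupt file, or no legacy provider installed).
p12_parse_mode() {
    if openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1; then
        echo default
    elif openssl pkcs12 -in "$1" -noout -legacy -passin env:P12_PASS >/dev/null 2>&1; then
        echo legacy
    else
        echo unreadable
    fi
}

# Re-exports $1 to $2. Unlike -nodes, the intermediate PEM keeps the key
# PKCS#8-encrypted (same password), lives in a 0600 mktemp file and is
# removed afterwards, so no plaintext key touches the disk.
p12_reexport() {
    src="$1"; dst="$2"
    case "$(p12_parse_mode "$src")" in
        default) flag="" ;;
        legacy)  flag="-legacy" ;;
        *) echo "cannot read $src with or without the legacy provider" >&2; return 1 ;;
    esac
    tmp="$(mktemp)" || return 1
    # $flag is deliberately unquoted: an empty value must add no argument.
    if openssl pkcs12 -in "$src" $flag -passin env:P12_PASS -passout env:P12_PASS -out "$tmp" \
       && openssl pkcs12 -export -in "$tmp" -passin env:P12_PASS -passout env:P12_PASS \
              -out "$dst" -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: P12_PASS='...' sh convert.sh old.p12 new.p12
if [ $# -eq 2 ]; then
    p12_reexport "$1" "$2" && echo "$2: $(p12_parse_mode "$2")"
fi
```

After conversion, `p12_parse_mode new.p12` should print `default` on the same OpenSSL 3 client that previously needed `-legacy`.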
After upgrading to Ubuntu 22.10 my OpenVPN client doesn't connect anymore to the OpenVPN server running on OPNsense. Investigation showed that the new openssl version shipped with Ubuntu 22.10 doesn't support the deprecated algorithm that OPNsense uses when exporting the OpenVPN config.
The same openssl command from above, with the -legacy flag, provides the expected output.

OPNsense version: OPNsense 22.7.7_1 (amd64/OpenSSL)
OpenVPN package version @ OPNsense: 2.5.8
Client OS: Ubuntu 22.10
Client's openssl version: OpenSSL 3.0.5 5 Jul 2022
Client's openvpn version: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]