Openvpn: openssl 1.0.2h MD5 for certificate verification disabled by default [not relevant]

asked 2017-04-28 14:10:29 +0200


updated 2017-08-24 17:17:16 +0200


When trying to connect to my VPN provider (PureVPN) with openvpn in the terminal I get an error:

[root@Sailfish nemo]# openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:35:27 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:35:27 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:35:44 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:35:44 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:35:44 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:35:44 2017 Attempting to establish TCP connection with [AF_INET]188.72.124.2:80 [nonblock]
Fri Apr 28 12:35:45 2017 TCP connection established with [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link remote: [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:35:45 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Fri Apr 28 12:35:45 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Apr 28 12:35:45 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 28 12:35:45 2017 TLS Error: TLS handshake failed
Fri Apr 28 12:35:45 2017 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 28 12:35:45 2017 SIGUSR1[soft,tls-error] received, process restarting
^CFri Apr 28 12:35:49 2017 SIGINT[hard,init_instance] received, process exiting

While it works fine in Ubuntu 16.04.2 with openssl library 1.0.2g, it is not working with openssl 1.0.2h on Sailfish.

But after some research I found this: https://www.centos.org/forums/viewtopic.php?t=47210

Starting openvpn with environment variable OPENSSL_ENABLE_MD5_VERIFY=1 is working!

However I can't find anything in the changelog for changes between 1.0.2g and 1.0.2h regarding MD5 verification being disabled by default: https://www.openssl.org/news/cl102.txt

Maybe this is set by some compile flag either in openssl or openvpn -> I can't verify this right now, maybe someone wants to check it.

[root@Sailfish nemo]# OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:53:03 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:53:03 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:53:15 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:53:15 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:53:15 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:53:15 2017 Attempting to establish TCP connection with [AF_INET]172.111.188.2:80 [nonblock]
Fri Apr 28 12:53:16 2017 TCP connection established with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link remote: [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:53:17 2017 [PureVPN] Peer Connection Initiated with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:20 2017 TUN/TAP device tun0 opened
Fri Apr 28 12:53:20 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr 28 12:53:20 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr 28 12:53:20 2017 /sbin/ip addr add dev tun0 172.111.188.132/26 broadcast 172.111.188.191
RTNETLINK answers: File exists
Fri Apr 28 12:53:22 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Apr 28 12:53:22 2017 Initialization Sequence Completed

It seems like this also affects the built-in sailfish vpn and securefishnet. So maybe developers can take this into account...

Config files including certificates (PureVPN) for you to review can officially be downloaded here: https://s3-us-west-1.amazonaws.com/heartbleed/linux/linux-files.zip

Edit 25th July 2017: Still a problem in sfos 2.1.1.23. Would be nice to have a switch in settings to override this (maybe with a warning: This setting is unsafe. Do it at your own risk!)

Edit 24th August 2017: Still a problem in sfos 2.1.1.26. How can I set an env var for connman/vpn/gui elements? OPENSSL_ENABLE_MD5_VERIFY=1 set in /etc/environment and ~/.profile seems to be ignored by the VPN GUI... the openvpn client in the terminal sees the env var and is working!

I just analyzed /proc/pid/environ with the pid of the connmand service. There is just a subset of env vars. Where does the process get these vars, and can I set the one I need myself?

Did a quick read here: https://bugzilla.redhat.com/show_bug.cgi?id=1175481 but did not find a solution yet.


The question has been closed for the following reason "question is not relevant or outdated" by daywalker
close date 2019-01-17 14:01:17.785891
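Before deciding whether an OPENSSL_ENABLE_MD5_VERIFY=1 override is really what a setup needs, it helps to see which certificates in a provider bundle are actually signed with MD5, since that is the only case the override changes. The following script is an added example, not part of the original post or of any PureVPN or OpenVPN code: it parses just enough DER to read the signatureAlgorithm field of each certificate in a PEM file (the `ca` file from a config bundle, or a server certificate dumped from a session) and flags the weak algorithms. The two certificates it audits are constructed stand-ins built inline with only the outer Certificate/AlgorithmIdentifier shape filled in; the function and variable names are the example's own.

```python
"""Report the signature algorithm of each X.509 certificate in a PEM bundle.

Added example. It decodes only the outer Certificate SEQUENCE (RFC 5280 4.1):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
and reads the OID inside signatureAlgorithm, so no TLS library is needed.
"""
import base64
import re

# RSA signature algorithm OIDs from RFC 3279 / RFC 4055 and a verdict for each.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(data, offset):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(value):
    """Turn OID content octets (base-128 subidentifiers) into dotted form."""
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the subidentifier
            subids.append(acc)
            acc = 0
    first = subids[0]  # first two arcs are packed into one subidentifier
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, off = read_tlv(cert, 0)        # tbsCertificate, skipped entirely
    tag, algid, _ = read_tlv(cert, off)  # signatureAlgorithm AlgorithmIdentifier
    tag_oid, oid, _ = read_tlv(algid, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def audit_bundle(pem_text):
    """Return [(oid, name, verdict)] for every certificate in a PEM bundle."""
    results = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_algorithm(der)
        name, verdict = SIG_OIDS.get(oid, ("unknown", "check manually"))
        results.append((oid, name, verdict))
    return results


# --- constructed sample input (not real PureVPN certificates) -----------------
def der_tlv(tag, content):
    """Minimal DER encoder used only to build the sample certificates below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def fake_cert(oid_bytes):
    """Stand-in certificate: real outer shape, placeholder tbsCertificate/signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    algid = der_tlv(0x30, der_tlv(0x06, oid_bytes) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" * 17)
    return der_tlv(0x30, tbs + algid + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = to_pem(fake_cert(MD5_RSA_OID)) + to_pem(fake_cert(SHA256_RSA_OID))

if __name__ == "__main__":
    for oid, name, verdict in audit_bundle(SAMPLE_BUNDLE):
        print(f"{name} ({oid}): {verdict}")
```

Run against a real `ca` file by passing its contents to `audit_bundle`; a "weak" verdict on any certificate in the chain explains the `certificate signature failure` at the depth where that certificate sits, and is the thing to raise with the provider rather than something to paper over on the client.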

Comments

9

MD5 hashes are insecure. Please contact your VPN provider and tell them to switch to a new secure system.

leszek ( 2017-04-28 14:54:22 +0200 )
1

I don't think they will change it soon. Found this a second ago: https://support.purevpn.com/openvpn-connection-issue-on-fedora

daywalker ( 2017-04-28 15:07:05 +0200 )

I did contact PureVPN. The service dude just said he would forward this issue to the admins... (don't think they will care though)

daywalker ( 2017-07-25 10:30:04 +0200 )
1

A VPN provider who doesn't care about security? That would be surprising, and in that case it would be time to find another one.

Sthocs ( 2017-07-25 11:22:37 +0200 )
1

@Sthocs I will switch! But right now the service is paid and I don't use it for critical things, just some geo fencing bypass. Just click the link in the second comment. Since then nothing has changed. Seems like they don't really care about openvpn users. They also offer PPTP connections while everybody knows MSCHAPv2 is weak.

daywalker ( 2017-07-25 11:40:03 +0200 )