Revision history

initial version

posted 2017-04-28 14:10:29 +0200

Openvpn: openssl 1.0.2h MD5 for certificate verification disabled by default

When trying to connect to my VPN provider (PureVPN) with openvpn in the terminal, I get an error:

[root@Sailfish nemo]# openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:35:27 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:35:27 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:35:44 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:35:44 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:35:44 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:35:44 2017 Attempting to establish TCP connection with [AF_INET]188.72.124.2:80 [nonblock]
Fri Apr 28 12:35:45 2017 TCP connection established with [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link remote: [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:35:45 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Fri Apr 28 12:35:45 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Apr 28 12:35:45 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 28 12:35:45 2017 TLS Error: TLS handshake failed
Fri Apr 28 12:35:45 2017 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 28 12:35:45 2017 SIGUSR1[soft,tls-error] received, process restarting
^CFri Apr 28 12:35:49 2017 SIGINT[hard,init_instance] received, process exiting

While working fine in Ubuntu 16.04 with openssl library 1.0.2g, it is not working with openssl 1.0.2h on Sailfish.

But after some research I found this: https://www.centos.org/forums/viewtopic.php?t=47210

Starting openvpn with the environment variables OPENSSL_ENABLE_MD5_VERIFY=1 and NSS_HASH_ALG_SUPPORT=+MD5 works! However, I can't find anything in the changelog for changes between 1.0.2g and 1.0.2h regarding MD5 verification being disabled by default: https://www.openssl.org/news/cl102.txt

[root@Sailfish nemo]# OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5 openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:53:03 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:53:03 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:53:15 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:53:15 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:53:15 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:53:15 2017 Attempting to establish TCP connection with [AF_INET]172.111.188.2:80 [nonblock]
Fri Apr 28 12:53:16 2017 TCP connection established with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link remote: [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:53:17 2017 [PureVPN] Peer Connection Initiated with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:20 2017 TUN/TAP device tun0 opened
Fri Apr 28 12:53:20 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr 28 12:53:20 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr 28 12:53:20 2017 /sbin/ip addr add dev tun0 172.111.188.132/26 broadcast 172.111.188.191
RTNETLINK answers: File exists
Fri Apr 28 12:53:22 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Apr 28 12:53:22 2017 Initialization Sequence Completed

It seems like this also affects the built-in Sailfish VPN and securefishnet. So maybe developers can take this into account...

Config files including certificates for my example with PureVPN can officially be downloaded here: https://s3-us-west-1.amazonaws.com/heartbleed/linux/linux-files.zip

Openvpn: openssl 1.0.2h MD5 for certificate verification disabled by default

When trying to connect to my VPN provider (PureVPN) with openvpn in the terminal, I get an error:

[root@Sailfish nemo]# openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:35:27 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:35:27 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:35:44 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:35:44 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:35:44 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:35:44 2017 Attempting to establish TCP connection with [AF_INET]188.72.124.2:80 [nonblock]
Fri Apr 28 12:35:45 2017 TCP connection established with [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link remote: [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:35:45 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Fri Apr 28 12:35:45 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Apr 28 12:35:45 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 28 12:35:45 2017 TLS Error: TLS handshake failed
Fri Apr 28 12:35:45 2017 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 28 12:35:45 2017 SIGUSR1[soft,tls-error] received, process restarting
^CFri Apr 28 12:35:49 2017 SIGINT[hard,init_instance] received, process exiting

While working fine in Ubuntu 16.04.2 with openssl library 1.0.2g, it is not working with openssl 1.0.2h on Sailfish.

But after some research I found this: https://www.centos.org/forums/viewtopic.php?t=47210

Starting openvpn with the environment variable OPENSSL_ENABLE_MD5_VERIFY=1 is working! However, I can't find anything in the changelog for changes between 1.0.2g and 1.0.2h regarding MD5 verification being disabled by default: https://www.openssl.org/news/cl102.txt Maybe this is set by some compile flag either in openssl or openvpn -> can't verify this right now, maybe someone wants to check it.

[root@Sailfish nemo]# OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:53:03 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:53:03 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:53:15 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:53:15 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:53:15 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:53:15 2017 Attempting to establish TCP connection with [AF_INET]172.111.188.2:80 [nonblock]
Fri Apr 28 12:53:16 2017 TCP connection established with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link remote: [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:53:17 2017 [PureVPN] Peer Connection Initiated with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:20 2017 TUN/TAP device tun0 opened
Fri Apr 28 12:53:20 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr 28 12:53:20 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr 28 12:53:20 2017 /sbin/ip addr add dev tun0 172.111.188.132/26 broadcast 172.111.188.191
RTNETLINK answers: File exists
Fri Apr 28 12:53:22 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Apr 28 12:53:22 2017 Initialization Sequence Completed

It seems like this also affects the built-in sailfish vpn and securefishnet. So maybe developers can take this into account...

Config files including certificates (PureVPN) for you to review can officially be downloaded here: https://s3-us-west-1.amazonaws.com/heartbleed/linux/linux-files.zip

Openvpn: openssl 1.0.2h MD5 for certificate verification disabled by default

When trying to connect to my vpn provider (PureVPN) with openvpn in terminal I get an error:

[root@Sailfish nemo]# openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:35:27 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:35:27 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:35:44 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:35:44 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:35:44 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:35:44 2017 Attempting to establish TCP connection with [AF_INET]188.72.124.2:80 [nonblock]
Fri Apr 28 12:35:45 2017 TCP connection established with [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link remote: [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:35:45 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Fri Apr 28 12:35:45 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Apr 28 12:35:45 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 28 12:35:45 2017 TLS Error: TLS handshake failed
Fri Apr 28 12:35:45 2017 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 28 12:35:45 2017 SIGUSR1[soft,tls-error] received, process restarting
^CFri Apr 28 12:35:49 2017 SIGINT[hard,init_instance] received, process exiting

While working fine in Ubuntu 16.04.2 with openssl library 1.0.2g, it is not working with openssl 1.0.2h on Sailfish.

But after some research I found this: https://www.centos.org/forums/viewtopic.php?t=47210

Starting openvpn with environment variable OPENSSL_ENABLE_MD5_VERIFY=1 is working!

However, I can't find anything in the changelog for changes between 1.0.2g and 1.0.2h regarding MD5 verification disabled by default: https://www.openssl.org/news/cl102.txt

Maybe this is set by some compile flag either in openssl or openvpn -> can't verify this right now, maybe someone wants to check it.

[root@Sailfish nemo]# OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:53:03 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:53:03 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:53:15 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:53:15 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:53:15 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:53:15 2017 Attempting to establish TCP connection with [AF_INET]172.111.188.2:80 [nonblock]
Fri Apr 28 12:53:16 2017 TCP connection established with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link remote: [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:53:17 2017 [PureVPN] Peer Connection Initiated with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:20 2017 TUN/TAP device tun0 opened
Fri Apr 28 12:53:20 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr 28 12:53:20 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr 28 12:53:20 2017 /sbin/ip addr add dev tun0 172.111.188.132/26 broadcast 172.111.188.191
RTNETLINK answers: File exists
Fri Apr 28 12:53:22 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Apr 28 12:53:22 2017 Initialization Sequence Completed

It seems like this also affects the built-in sailfish vpn and securefishnet. So maybe developers can take this into account...

Config files including certificates (PureVPN) for you to review can officially be downloaded here: https://s3-us-west-1.amazonaws.com/heartbleed/linux/linux-files.zip

Edit 25th July 2017: Still a problem in sfos 2.1.1.23. Would be nice to have a switch in settings to override this (maybe with a warning: This setting is unsafe. Do it at your own risk!)

Edit 24th August 2017: Still a problem in sfos 2.1.1.26. How can I set an env var for connman/vpn/gui elements? OPENSSL_ENABLE_MD5_VERIFY=1 set in /etc/environment and ~/.profile seems to be ignored by the vpn gui... openvpn client in terminal sees the env var and is working!

I just analyzed /proc/pid/environ with the pid of the connmand service. There is just a subset of env vars. Where does the process get these vars, and can I set the one I need by myself?
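
The post attributes the handshake failure to an MD5-signed certificate, which can be confirmed offline from the certificate itself. The following is an added example, not part of the original post or of any OpenVPN/Sailfish code: it reads the signature algorithm of every PEM certificate found in a config or CA file and flags MD5-signed ones. The sample config, its host name and the skeleton certificates are constructed for illustration.

```python
import base64
import re

# Signature-algorithm OIDs mapped to (name, digest used for the signature).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, sig }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, _, tbs_end = read_tlv(der, start)          # skip tbsCertificate
    tag2, alg_start, _ = read_tlv(der, tbs_end)     # signatureAlgorithm
    tag3, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected certificate layout")
    return decode_oid(der[oid_start:oid_end])

def audit_pem_text(text):
    """List the signature algorithm of each PEM certificate in text."""
    findings = []
    for index, match in enumerate(PEM_RE.finditer(text)):
        der = base64.b64decode("".join(match.group(1).split()))
        name, digest = SIG_ALGS.get(signature_oid(der), ("unknown", "unknown"))
        findings.append({"index": index, "algorithm": name,
                         "md5_signed": digest == "md5"})
    return findings

# --- Constructed sample input (skeletons, not valid certificates) ---------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def make_sample_pem(sig_oid):
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x04, b"\x00" * 200))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE_OVPN = (
    "client\nremote vpn.example.invalid 80\n"          # constructed host
    "<ca>\n" + make_sample_pem("1.2.840.113549.1.1.4") + "</ca>\n"
    "<cert>\n" + make_sample_pem("1.2.840.113549.1.1.11") + "</cert>\n"
)

if __name__ == "__main__":
    for finding in audit_pem_text(SAMPLE_OVPN):
        print(finding)
```

A certificate reported with `md5_signed: True` is one that a library with MD5 verification disabled will reject; the lasting fix is for the issuer to re-sign it with a SHA-2 digest.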

Openvpn: openssl 1.0.2h MD5 for certificate verification disabled by default

When trying to connect to my vpn provider (PureVPN) with openvpn in terminal I get an error:

[root@Sailfish nemo]# openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:35:27 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:35:27 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:35:44 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:35:44 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:35:44 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:35:44 2017 Attempting to establish TCP connection with [AF_INET]188.72.124.2:80 [nonblock]
Fri Apr 28 12:35:45 2017 TCP connection established with [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:35:45 2017 TCPv4_CLIENT link remote: [AF_INET]188.72.124.2:80
Fri Apr 28 12:35:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:35:45 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Fri Apr 28 12:35:45 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Apr 28 12:35:45 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 28 12:35:45 2017 TLS Error: TLS handshake failed
Fri Apr 28 12:35:45 2017 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 28 12:35:45 2017 SIGUSR1[soft,tls-error] received, process restarting
^CFri Apr 28 12:35:49 2017 SIGINT[hard,init_instance] received, process exiting

While working fine in Ubuntu 16.04.2 with openssl library 1.0.2g, it is not working with openssl 1.0.2h on Sailfish.

But after some research I found this: https://www.centos.org/forums/viewtopic.php?t=47210

Starting openvpn with environment variable OPENSSL_ENABLE_MD5_VERIFY=1 is working!

However, I can't find anything in the changelog for changes between 1.0.2g and 1.0.2h regarding MD5 verification being disabled by default: https://www.openssl.org/news/cl102.txt

Maybe this is set by some compile flag either in openssl or openvpn -> can't verify this right now, maybe someone wants to check it.

[root@Sailfish nemo]# OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --config Purevpn-tcp.ovpn
Fri Apr 28 12:53:03 2017 OpenVPN 2.3.6 armv7l-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 27 2016
Fri Apr 28 12:53:03 2017 library versions: OpenSSL 1.0.2h-fips  3 May 2016, LZO 2.09
Enter Auth Username:###cencored###
Enter Auth Password:
Fri Apr 28 12:53:15 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 28 12:53:15 2017 WARNING: file '/home/nemo/.ovpn/Wdc.key' is group or others accessible
Fri Apr 28 12:53:15 2017 Control Channel Authentication: using '/home/nemo/.ovpn/Wdc.key' as a OpenVPN static key file
Fri Apr 28 12:53:15 2017 Attempting to establish TCP connection with [AF_INET]172.111.188.2:80 [nonblock]
Fri Apr 28 12:53:16 2017 TCP connection established with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link local: [undef]
Fri Apr 28 12:53:16 2017 TCPv4_CLIENT link remote: [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:16 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 28 12:53:17 2017 [PureVPN] Peer Connection Initiated with [AF_INET]172.111.188.2:80
Fri Apr 28 12:53:20 2017 TUN/TAP device tun0 opened
Fri Apr 28 12:53:20 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr 28 12:53:20 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr 28 12:53:20 2017 /sbin/ip addr add dev tun0 172.111.188.132/26 broadcast 172.111.188.191
RTNETLINK answers: File exists
Fri Apr 28 12:53:22 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Apr 28 12:53:22 2017 Initialization Sequence Completed

It seems like this also affects the built-in sailfish vpn and securefishnet. So maybe developers can take this into account...

Config files including certificates (PureVPN) for you to review can officially be downloaded here: https://s3-us-west-1.amazonaws.com/heartbleed/linux/linux-files.zip

Edit 25th July 2017: Still a problem in sfos 2.1.1.23. Would be nice to have a switch in settings to override this (maybe with a warning: This setting is unsafe. Do it at your own risk!)

Edit 24th August 2017: Still a problem in sfos 2.1.1.26. How can I set an env var for connman/vpn/gui elements? OPENSSL_ENABLE_MD5_VERIFY=1 set in /etc/environment and ~/.profile seems to be ignored by the vpn gui... openvpn client in terminal sees the env var and is working!

I just analyzed /proc/pid/environ with the pid of the connmand service. There is just a subset of env vars. Where does the process get these vars and can I set the one I need by myself?

Did a quick read here: https://bugzilla.redhat.com/show_bug.cgi?id=1175481 but did not find a solution yet.