Hi,

Sadly, in my testing it seems that CVE-2017-8301 (http://seclists.org/oss-sec/2017/q2/145) is still broken with the latest LibreSSL (2.5.4) and OpenVPN 2.4.2.

Here is someone else reporting the same issue: https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4

Of course I may have gotten this wrong somewhere, but for now it seems not possible to use OpenVPN as a client with a TLS static certificate based server on OpenBSD. Hope this helps clarify for anyone else finding the same issue until some clever person does a fix.

Error is the same with the latest:

Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
. .
Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting

On Tue, Jun 20, 2017 at 8:49 PM, Andy Lemin <andrew.le...@gmail.com> wrote:
> I've just found this hint on GitHub for the OpenVPN compile options for
> LibreSSL:
> https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995
>
> So I will try a build later tonight and share back here if that CVE is fixed.
>
> I would prefer to rebuild with the same options as the packaged binary, and
> it occurred to me that I don't know how to find that on OpenBSD?
>
> Thanks again :)
>
> Sent from a teeny tiny keyboard, so please excuse typos
>
> On 20 Jun 2017, at 20:23, Andrew Lemin <andrew.le...@gmail.com> wrote:
>
> Hi Misc,
>
> Has anyone else come across any issues recently with OpenVPN, LibreSSL and
> TLS on OpenBSD 6.1?
>
> I am using an .ovpn file with the TLS auth static key and cert inline within
> the file, to connect to a VPN service. Running the openvpn binary from the command
> line without any special params, just the .ovpn file.
>
> I have tested that this is working fine on a Linux server with the same config
> (using OpenSSL), so the server side, CA and cert are fine etc.
>
> I noticed on the Linux server the line "Control Channel Authentication:
> tls-auth using INLINE static key file", but I do not see this debug on the
> OpenBSD version. Wondered if LibreSSL is not negotiating TLS properly.
>
> I have since found CVE-2017-8301 which I believe is related. And confirmed
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2.
>
> The CVE shows the issue known between 2.5.1 and 2.5.3, and looking at the
> OpenBSD trees I can see 2.5.4 was cut around the 1st of May.
>
> I used MTier to grab all major patches etc., but LibreSSL is not in the patch list
> yet. openvpn did have a minor.
>
> So I downloaded the LibreSSL 2.5.4 source, compiled and installed as per INSTALL
> etc. However, I notice that openvpn is still linking to 2.5.2.
>
> It would be great if someone would be kind enough to confirm if this CVE
> is indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
>
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4
> install?
>
> Thanks for your time.
> Kind regards, Andy Lemin
>
> Sent from a teeny tiny keyboard, so please excuse typos
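As an added triage helper (not part of the thread, and not OpenVPN's or LibreSSL's own code), the script below parses an OpenVPN client log like the one quoted above, pulls out the LibreSSL version the binary actually loaded, and reports whether it falls inside the 2.5.1 to 2.5.3 range the thread names for CVE-2017-8301 alongside any VERIFY ERROR and handshake-failure lines. The sample log is constructed from the lines in the thread; the affected range is taken from the thread, not independently verified.

```python
import re

# Constructed sample, built from the log lines quoted in the thread.
SAMPLE_LOG = """\
Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: <cert info omitted>
Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting
"""

# Range the thread gives as affected by CVE-2017-8301 (assumption: taken from the thread).
AFFECTED_RANGE = ((2, 5, 1), (2, 5, 3))

TS = r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} "           # OpenVPN's default timestamp prefix
LIB_RE = re.compile(TS + r"library versions: LibreSSL (\d+)\.(\d+)\.(\d+)")
VERIFY_RE = re.compile(TS + r"VERIFY ERROR: depth=(\d+), error=(.+?)(?::|$)")
TLS_FAIL_RE = re.compile(TS + r"TLS Error: TLS handshake failed")
RESTART_RE = re.compile(TS + r"SIGUSR1\[soft,tls-error\]")


def triage(log_text):
    """Summarise one client log: loaded LibreSSL version, verify errors, handshake outcome."""
    result = {"libressl": None, "in_cve_range": False, "verify_errors": [],
              "handshake_failed": False, "restarts": 0}
    for line in log_text.splitlines():
        m = LIB_RE.match(line)
        if m:
            ver = tuple(int(x) for x in m.groups())
            result["libressl"] = ver
            result["in_cve_range"] = AFFECTED_RANGE[0] <= ver <= AFFECTED_RANGE[1]
            continue
        m = VERIFY_RE.match(line)
        if m:
            result["verify_errors"].append((int(m.group(1)), m.group(2)))
            continue
        if TLS_FAIL_RE.match(line):
            result["handshake_failed"] = True
        elif RESTART_RE.match(line):
            result["restarts"] += 1
    return result


def verdict(summary):
    """Plain-language hint for the operator reading the summary."""
    if not summary["handshake_failed"]:
        return "no TLS handshake failure seen"
    if summary["libressl"] is None:
        return "handshake failed; no 'library versions' line found"
    if summary["in_cve_range"]:
        return "handshake failed on a LibreSSL build inside the CVE-2017-8301 affected range"
    return "handshake failed on LibreSSL outside the stated affected range; check which libssl the binary links"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```

On a real host, pipe the OpenVPN log into `triage` and compare the reported version against what `ldd` shows for the openvpn binary; a mismatch points at the linking problem the thread describes rather than at the CVE itself.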