On 2017-06-20, Andrew Lemin <andrew.le...@gmail.com> wrote:
> Has anyone else come across any issues recently with Openvpn, Libressl and
> TLS on OpenBSD 6.1?

Yes there have been problems reported like this: (This is from the
"Investigating self-signed cert behavior change" posts on the libressl
mailing list).

Mon May 1 22:14:27 2017 UDP link remote: [AF_INET]75.102.1.76:1194
Mon May 1 22:14:27 2017 VERIFY ERROR: depth=0, error=self signed certificate: C=XX, ST=XX, L=XX, O=XX, CN=xxx.xxx.com, emailAddress=x...@xxx.com
Mon May 1 22:14:27 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
Mon May 1 22:14:27 2017 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 1 22:14:27 2017 TLS Error: TLS object -> incoming plaintext read error
Mon May 1 22:14:27 2017 TLS Error: TLS handshake failed

I have had OpenVPN working on a 6.1 machine, pretty sure it's
cert-dependent rather than a more general problem. beck@ and guenther@
asked for certificates (not keys) showing the problem, but neither the
reporter nor the person who said they also saw the problem replied with
certs.

> I have since found CVE-2017-8301 which I believe is related. And confirmed
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the
> OpenBSD trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list
> yet. openvpn did have a minor. ..
> It would be great if someone would be kind enough to confirm if this CVE is
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?

That's not the problem you see here. openvpn's verify callback function
doesn't trigger this problem. Even if it did, that bug would cause false
acceptance of a cert, not false rejection.

The relevant fix for OpenBSD 6.1 is 003_libressl, you can check with
syspatch -l to see if it's listed. (Current versions of mtier's openup
tool run syspatch for you automatically to get base OS updates).

> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL
> etc..
> However notice that openvpn is still linking to 2.5.2. ..
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4
> install?

I would avoid fiddling with the libressl version on a release/stable
installation. If you want something newer than that, just use -current
snapshots.
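As an added example (not from this thread), a small Python triage over the OpenVPN log lines quoted above: it pulls out the verify-callback failure and the OpenSSL error record and shows the failure is a rejection at depth 0 (the peer's self-signed leaf does not chain to the configured CA), which is what distinguishes it from a false-acceptance bug such as CVE-2017-8301. The CHECKS table is my own mapping of standard OpenSSL/LibreSSL verify reason strings to what to look at first.

```python
import re

# Log lines as quoted in the message above (the reporter's OpenVPN output).
SAMPLE_LOG = """\
Mon May 1 22:14:27 2017 UDP link remote: [AF_INET]75.102.1.76:1194
Mon May 1 22:14:27 2017 VERIFY ERROR: depth=0, error=self signed certificate: C=XX, ST=XX, L=XX, O=XX, CN=xxx.xxx.com, emailAddress=x...@xxx.com
Mon May 1 22:14:27 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
Mon May 1 22:14:27 2017 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 1 22:14:27 2017 TLS Error: TLS object -> incoming plaintext read error
Mon May 1 22:14:27 2017 TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
OSSL_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]+):SSL routines:(\w+):(.*)$")

def triage_openvpn_log(text):
    """Collect verify-callback failures, OpenSSL error records and the
    final handshake verdict from OpenVPN log text."""
    out = {"verify_errors": [], "openssl_errors": [], "handshake_failed": False}
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            out["verify_errors"].append({"depth": int(m.group(1)),
                                         "reason": m.group(2).strip(),
                                         "subject": m.group(3).strip()})
        m = OSSL_RE.search(line)
        if m:
            out["openssl_errors"].append({"code": m.group(1), "func": m.group(2),
                                          "reason": m.group(3).strip()})
        if "TLS handshake failed" in line:
            out["handshake_failed"] = True
    return out

# My mapping of X.509 verify reasons to the first thing to check. Each is a
# *rejection* (peer cert did not chain to --ca), the opposite failure mode
# from a false-acceptance bug like CVE-2017-8301.
CHECKS = {
    "self signed certificate": "peer cert is self-signed and is not the configured --ca",
    "self signed certificate in certificate chain": "chain's root is not in --ca",
    "unable to get local issuer certificate": "intermediate/root CA missing from --ca",
    "certificate has expired": "peer or CA cert expired; check clocks and notAfter",
}

def classify(triage):
    """Return (kind, hint) for the first verify error, or ('ok', '')."""
    if not triage["verify_errors"]:
        return ("handshake-failed", "no verify error logged") if triage["handshake_failed"] else ("ok", "")
    e = triage["verify_errors"][0]
    hint = CHECKS.get(e["reason"], "unmapped verify reason: " + e["reason"])
    return ("rejected-depth%d" % e["depth"], hint)
```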