Hi Stuart and Joel,

Just to confirm for others reading, you are very correct. And patch 014_libcrypto has fixed this :) So just run syspatch (or openup) and you'll be working again. Thanks for the commits ;)

PS: good to hear from you again Stuart! Long time.. I'm on this email now rather than andy@brandwatch, it's been a while since I've been around the lists. I knew I could rely on you amazing peeps.

Take care, happy summer.

Andy

Sent from a teeny tiny keyboard, so please excuse typos

> On 3 Jul 2017, at 16:51, Joel Sing <j...@sing.id.au> wrote:
>
>> On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
>> Hi,
>>
>> Sadly in my testing it seems that CVE-2017-8301
>> (http://seclists.org/oss-sec/2017/q2/145) is still broken with the
>> latest LibreSSL (2.5.4) and OpenVPN 2.4.2.
>>
>> Here is someone else reporting the same issue;
>> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
>>
>> Of course I may have gotten this wrong somewhere, but for now it seems not
>> possible to use OpenVPN as a client with TLS static certificate based
>> server on OpenBSD.
>>
>> Hope this helps clarify for anyone else finding the same issue until some
>> clever person does a fix.
>>
>> Error same with latest;
>>
>> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
>> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
>> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
>> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
>> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
>> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting
>
> This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) -
> you should also be able to workaround the issue by using different CNs for the
> CA and server certificates (they're likely identical in this case).
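A quick check for the condition Joel points at (CA and server certificate sharing the same CN), added here as an example and not part of the thread; it assumes the openssl CLI is installed, and the certificate file names and CNs below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: flag an OpenVPN CA cert and
# server cert that share a subject CN, the case Joel Sing names as the trigger
# for the LibreSSL 2.5.4 "certificate verify failed" seen in the log above.
# Assumes the openssl CLI; paths and CNs are illustrative.
set -eu

# Print the subject CN of a PEM certificate (RFC2253 form, so one format
# regardless of openssl version).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the CA and leaf CNs differ, 1 when they are identical.
check_distinct_cn() {
    ca_cn=$(cert_cn "$1")
    leaf_cn=$(cert_cn "$2")
    if [ "$ca_cn" = "$leaf_cn" ]; then
        echo "WARNING: CA and server cert share CN '$ca_cn'" >&2
        return 1
    fi
    return 0
}

# Constructed demo material: a throwaway CA plus two server certs it signs,
# one reusing the CA's CN (bad) and one with its own CN (fine).
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for cn in vpn.example server.vpn.example; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
            -out "$dir/$cn.crt" 2>/dev/null
    done
    echo "$dir"
}
```

Run `check_distinct_cn /etc/openvpn/ca.crt /etc/openvpn/server.crt` (paths are assumptions) against a real deployment; a non-zero exit means the workaround Joel describes, reissuing with distinct CNs, applies.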