On 03.01.18 at 03:22, Selva Nair wrote:
> Hi,
>
> I expected an error message saying only RSA certs are supported for
> --management-external-key, but openvpn appears to segfault if a cert
> with an ECC key is used with that option.
>
> A stack trace shows it fails in ssl_openssl.c line 1117 when trying to
> copy n and e. In fact the call
>
> pub_rsa = EVP_PKEY_get0_RSA(pkey);
>
> before that (line 1104) should have failed and the code does correctly
> check its return value. But that call succeeds for some reason.
> Instead, RSA_get0_key() returns invalid n and e pointers and passing
> those to BN_dup() fails.
>
> This is with openssl 1.0.1 and that could be the problem -- it may not
> have EVP_PKEY_get0_RSA() in which case the compatibility interface in
> use is probably not smart enough...
>
> Is this a known issue or is it just me?

There is an acked patch from me for that issue that got committed (bb23eca/4b8d654) that introduces the first check. So the question is what strange certificate/config do you have so that the first call succeeds. Also might be OpenSSL 1.0.1 that does not behave correctly.

Arne
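
An added example, not part of the original messages and not code from OpenVPN or OpenSSL: a self-contained C model of the failure mode suspected in the thread, where a NULL check on the accessor's return value does not protect the caller. It assumes a compatibility accessor that returns the key's union slot without checking the key type; all type and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model types; these are NOT OpenSSL's real structures. */
enum key_type { KEY_RSA, KEY_EC };
struct model_rsa { const char *n, *e; };
struct model_ec  { int curve; };
struct model_pkey {
    enum key_type type;
    union { struct model_rsa *rsa; struct model_ec *ec; } pkey;
};
typedef struct model_rsa *(*rsa_getter)(const struct model_pkey *);

/* Assumed shape of a naive accessor: hands back the union slot without
 * looking at the type tag, so an EC key yields a non-NULL "RSA" pointer. */
static struct model_rsa *get0_rsa_unchecked(const struct model_pkey *k)
{
    return k ? k->pkey.rsa : NULL;
}

/* Hardened accessor: NULL unless the key really is RSA. */
static struct model_rsa *get0_rsa_checked(const struct model_pkey *k)
{
    return (k && k->type == KEY_RSA) ? k->pkey.rsa : NULL;
}

/* Caller-side guard: go on to read n and e only if the accessor returned
 * non-NULL. Returns 1 if the key is accepted as RSA, 0 if rejected. */
static int accepts_as_rsa(const struct model_pkey *k, rsa_getter get)
{
    return get(k) != NULL;
}

/* Constructed sample keys. */
static struct model_rsa sample_rsa = { "00c0ffee", "010001" };
static struct model_ec  sample_ec  = { 1 };
static struct model_pkey rsa_key = { KEY_RSA, { .rsa = &sample_rsa } };
static struct model_pkey ec_key  = { KEY_EC,  { .ec  = &sample_ec  } };

int main(void)
{
    printf("unchecked: rsa=%d ec=%d\n", accepts_as_rsa(&rsa_key, get0_rsa_unchecked),
           accepts_as_rsa(&ec_key, get0_rsa_unchecked));
    printf("checked:   rsa=%d ec=%d\n", accepts_as_rsa(&rsa_key, get0_rsa_checked),
           accepts_as_rsa(&ec_key, get0_rsa_checked));
    return 0;
}
```

With the unchecked accessor the EC key passes the NULL guard, so any later read of n and e would interpret EC data as an RSA structure; the type-checked accessor rejects it before that point.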