Hi Piotr,

On 29/03/16 23:41, Piotr Dobrogost wrote:
> Hi!
>
> When I start OpenVPN as a daemon from the command line like this:
> `sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --daemon --config /etc/openvpn/xxx.conf`
> the tunnel comes up with no problem.
> However, when I start it as a systemd service I get this error:
>
> Mar 23 21:59:40 demon openvpn[10065]: VERIFY OK: depth=2, C=PL, L=Warszawa, O=xxx, OU=xxx CA, CN=xxx Root CA
> Mar 23 21:59:40 demon openvpn[10065]: VERIFY ERROR: depth=1, error=certificate signature failure: C=PL, O=xxx, OU=xxx CA, CN=xxx VPN CA
>
> I've been getting the same error when starting OpenVPN as a daemon
> from the command line before I added "OPENSSL_ENABLE_MD5_VERIFY=1". That's
> why I thought the reason for the error is that when starting OpenVPN as a
> systemd service OPENSSL_ENABLE_MD5_VERIFY does not get set. However I
> verified it gets set by adding "ExecStartPre=/usr/bin/env" to the
> service template file.
Hmmm, you're using AES256 encryption in combination with MD5-signed certs?
That's strong encryption with VERY weak certificate hashing - your server is
prone to all kinds of attacks this way.

However, if you *must* use MD5-hashed certificates then try something like

ExecStart=/usr/sbin/md5-openvpn --daemon --writepid

and create a script /usr/sbin/md5-openvpn like

#!/bin/bash
# Set the variable in the process that exec's OpenVPN, so OpenSSL sees it
# no matter what the systemd unit environment contains.
export OPENSSL_ENABLE_MD5_VERIFY=1
# exec replaces this wrapper with openvpn (so PIDFile still matches);
# "$@" passes every argument through intact, including ones with spaces.
exec /usr/sbin/openvpn "$@"

HTH,

JJK

> Below is content of relevant files:
>
> ====== /usr/lib/systemd/system/openvpn@.service
> [Unit]
> Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
> After=network.target
>
> [Service]
> PrivateTmp=true
> Type=forking
> PIDFile=/var/run/openvpn/%i.pid
> ExecStartPre=/usr/bin/env
> ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
>
> [Install]
> WantedBy=multi-user.target
>
>
> ====== /etc/systemd/system/openvpn@xxx.service.d/env.conf
> [Service]
> Environment=OPENSSL_ENABLE_MD5_VERIFY=1
>
>
> ====== /etc/openvpn/xxx.conf
> client
> dev tun
> proto udp
> remote x.x.x.x 1194
> remote y.y.y.y 1194
> resolv-retry infinite
> nobind
> script-security 2
> up /etc/openvpn/client.up
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client.down"
> persist-key
> persist-tun
> pkcs12 /etc/openvpn/xxx/piotr.dobrogost.xxx.vpn.p12
> cipher AES-256-CBC
> comp-lzo
> mute-replay-warnings
> verb 3
>

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
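Two checks that would settle the question in this thread, written here as an added example (not code from JJK, Piotr, or the OpenVPN project). The first reads the environment of the running daemon itself out of Linux /proc, which is what `ExecStartPre=/usr/bin/env` cannot tell you (it prints the environment of that helper process, not of openvpn). The second lists the signature algorithm of every certificate in a PEM bundle so the MD5-signed one (the depth=1 intermediate in the log) can be identified. It assumes Linux /proc and the `openssl` command-line tool; the file names used are placeholders, and `sleep` stands in for openvpn in the demo.

```shell
#!/bin/bash
# Added example for the thread above (not JJK's or Piotr's code).
# Assumes Linux /proc and the openssl CLI. File names are placeholders.

# Print the value of variable NAME in the environment of process PID.
# Returns 1 when the variable is not present for that process.
proc_env_value() {
    pid=$1
    name=$2
    # /proc/PID/environ is NUL-separated; make it one entry per line for grep.
    entry=$(tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null | grep -m1 "^$name=") || return 1
    printf '%s\n' "${entry#*=}"
}

# For every certificate in a PEM bundle print "<subject> :: <signature algorithm>".
# The bundle is split on BEGIN/END markers and each piece is handed to openssl.
chain_sig_algs() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }' "$bundle"
    i=1
    while [ -e "$tmp/cert.$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -subject)
        # -text prints "Signature Algorithm: <name>"; the first hit is the one in tbsCertificate.
        alg=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -text | grep -m1 'Signature Algorithm' | sed 's/.*: *//')
        printf '%s :: %s\n' "$subj" "$alg"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Demo: confirm the variable is visible in a child's own /proc entry.
# For the real daemon use:
#   proc_env_value "$(systemctl show -p MainPID --value openvpn@xxx)" OPENSSL_ENABLE_MD5_VERIFY
demo() {
    OPENSSL_ENABLE_MD5_VERIFY=1 sleep 5 &
    child=$!
    sleep 1   # let the child exec, so /proc shows its environment rather than the shell's copy
    if proc_env_value "$child" OPENSSL_ENABLE_MD5_VERIFY >/dev/null; then
        echo "OPENSSL_ENABLE_MD5_VERIFY reached pid $child"
    else
        echo "OPENSSL_ENABLE_MD5_VERIFY missing from pid $child"
    fi
    kill "$child" 2>/dev/null
}

demo
```

To inspect the chain inside a PKCS#12 file, export the certificates first (`openssl pkcs12 -in piotr.dobrogost.xxx.vpn.p12 -nokeys -out chain.pem`, which prompts for the import password) and run `chain_sig_algs chain.pem`; a line ending in md5WithRSAEncryption is the certificate OpenSSL rejects at that depth unless MD5 verification is explicitly re-enabled for the openvpn process.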