OpenVPN na Ubuntu

[jkristan]

Ahoj, nemohl by jste mi nekdo poradit co se mohlo stat? Po posledni aktualizaci se mi nedari se pripojit k openvpn. Do te doby jsem se pripojoval bez problemu.
Ted kdyz spustim "openvpn soubor.ovpn tak se mi zobrazi tato hlaska:
Thu May 15 15:24:47 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 13 2008
Thu May 15 15:24:47 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu May 15 15:24:47 2008 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 15 15:24:47 2008 /usr/sbin/openssl-vulnkey -q jk2.key
Thu May 15 15:24:47 2008 ERROR: 'jk2.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.
Thu May 15 15:24:47 2008 Exiting
 pokouseli jsme se revokovat klice a i vygenerovat nove, ale stale je to stajne.

Vygenerovane soubory mam v /etc/openvpn/

-rw-r--r-- 1 user user 1155 2008-04-17 10:11 ca.crt
-rw-r--r-- 1 user user  207 2008-05-15 14:24 soubor.ovpn
-rw------- 1 user user 3433 2008-05-15 12:34 user.crt
-rw------- 1 user user  887 2008-05-15 12:33 user.key

pokud dam prikaz openssl-vulnkey user.key tak se mi objevi hlaska:

root@pc:/etc/openvpn# openssl-vulnkey user.key
COMPROMISED: hexacod.......ad35649f36...atd user.key

ale jak jsem rikal, klice jsme na serveru revokovali a dokonce jsme vygenerovali nove , stale je to stejne!!!

Muze mi nekdo poradit???

[Krtko]

no vsak to tam mas napisane. tvoje kluce boli vygenerovane prave tou blaznivou verziou opessl a su zranitelne a tym padom su na blackliste.

Kód: [Vybrat]

Thu May 15 15:24:47 2008 ERROR: 'jk2.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.


[8472]

hm, ja mam tiez trocha problem s OpenVPNkom po tychto aktualizaciach.
server je ubuntu, instalovany niekedy zaciatkom roka 2007, a kratko na to boli generovane prve kluce (teraz presne neviem odkedy tam bola ta chyba v openssl) + priebezne upgradovane na novsie verzie OS, momentalne je na 7.10. klient je tiez ubuntu 7.10. vcera sa mi vobec nedarilo pripojit, a dnes vypluli nejaku dalsiu aktualizaciu na tieto openssl, ssh, a aj openvpn balicky, som to doobeda natlacil na server, a aj teraz vecer doma na pc, a uz sa mi podari prihlasit, ale ide to trocha divnym sposobom. predtym sa na "pass-phrase" pytal len raz, teraz sa to spyta rovno tri krat (co uz neni moc fajn).:

Kód: [Vybrat]

Enter pass phrase for ... :
Enter pass phrase for ... :
Enter Private Key Password:

az potom sa pripoji. divne, co to moze byt?

ked som spustil openssl-vulnkey na moj kluc, tak povedalo ze:

Kód: [Vybrat]

Not blacklistedtakze podla toho by som asi nemal byt zasiahnuty tou chybou, no nejde mi do hlavy preco to zrazu odo mna chce 3 krat pass-phrase

tu je vlastne cely vypis z pripojenia:

Kód: [Vybrat]

Thu May 15 17:51:55 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on May 14 2008
Thu May 15 17:51:55 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu May 15 17:51:55 2008 /usr/sbin/openssl-vulnkey -q /home/user/.openvpn/user.key
Enter pass phrase for /home/user/.openvpn/user.key:
Enter pass phrase for /home/user/.openvpn/user.key:
Enter Private Key Password:
Thu May 15 17:52:06 2008 WARNING: file '/home/user/.openvpn/user.key' is group or others accessible
Thu May 15 17:52:06 2008 WARNING: file '/home/user/.openvpn/ta.key' is group or others accessible
Thu May 15 17:52:06 2008 Control Channel Authentication: using '/home/user/.openvpn/ta.key' as a OpenVPN static key file
Thu May 15 17:52:06 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 15 17:52:06 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 15 17:52:06 2008 LZO compression initialized
Thu May 15 17:52:06 2008 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu May 15 17:52:06 2008 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu May 15 17:52:06 2008 Local Options hash (VER=V4): '........'
Thu May 15 17:52:06 2008 Expected Remote Options hash (VER=V4): '........'
Thu May 15 17:52:06 2008 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu May 15 17:52:06 2008 UDPv4 link local: [undef]
Thu May 15 17:52:06 2008 UDPv4 link remote: 2.2.2.2:1194
Thu May 15 17:52:11 2008 TLS: Initial packet from 2.2.2.2:1194, sid=........ ........
Thu May 15 17:52:11 2008 VERIFY OK: depth=1, /C=SK/ST=nieco/L=mesto/O=domena__a.s./OU=IT/CN=domena-OpenVPN-CA/emailAddress=openvpn@domena.sk
Thu May 15 17:52:11 2008 VERIFY OK: nsCertType=SERVER
Thu May 15 17:52:11 2008 VERIFY OK: depth=0, /C=SK/ST=nieco/O=domena__a.s./OU=IT/CN=server/emailAddress=openvpn@domena.sk
Thu May 15 17:52:15 2008 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu May 15 17:52:15 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 15 17:52:15 2008 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu May 15 17:52:15 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 15 17:52:15 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu May 15 17:52:15 2008 [server] Peer Connection Initiated with 2.2.2.2:1194
Thu May 15 17:52:16 2008 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu May 15 17:52:16 2008 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 255.0.0.0,route 0.0.1.0 255.0.0.0,dhcp-option DNS 0.0.0.21,dhcp-option DNS 0.0.0.20,dhcp-option DOMAIN domena.sk,route 1.1.1..0 255.255.0.0,ping 10,ping-restart 120,ifconfig 1.1.1..6 1.1.1..5'
Thu May 15 17:52:16 2008 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 15 17:52:16 2008 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 15 17:52:16 2008 OPTIONS IMPORT: route options modified
Thu May 15 17:52:16 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 15 17:52:16 2008 TUN/TAP device tun0 opened
Thu May 15 17:52:16 2008 ifconfig tun0 1.1.1..6 pointopoint 1.1.1..5 mtu 1500
Thu May 15 17:52:16 2008 route add -net 0.0.0.0 netmask 255.0.0.0 gw 1.1.1..5
Thu May 15 17:52:16 2008 route add -net 0.0.1.0 netmask 255.0.0.0 gw 1.1.1..5
Thu May 15 17:52:16 2008 route add -net 1.1.1..0 netmask 255.0.0.0 gw 1.1.1..5
Thu May 15 17:52:16 2008 GID set to nogroup
Thu May 15 17:52:16 2008 UID set to nobody
Thu May 15 17:52:16 2008 Initialization Sequence Completed


skusal som to aj na dvoch linux masinach v praci, jedno moje, jedno pc je testovacie, na oboch ubuntu, jedno ma 7.10 , druhe 8.04 , a na vsetkych sa to sprava takto isto

viete niekto preco to takto otravuje?
thx.

[Krtko]

ak boli kluce generovane tou "postihnutou" verziou openssl, tak ich treba nanovo vygenerovat na obidvoch stranach.

[8472]

ak boli kluce generovane tou "postihnutou" verziou openssl, tak ich treba nanovo vygenerovat na obidvoch stranach.

co presne znamena na oboch stranach?
rozumiem tomu ze by sa mal pregenerovat ten moj kluc, ale co na tej druhej - serverovej strane?

btw. skusal som dnes pre noveho uzivatela vytvarat dalsi kluc do VPNky (na serveri spomenutom vyssie kde su vsetky posledne aktualizacie), a zistil som, ze na ubuntu klientovi mi aj na tom novom kluci pri pripajani sa rovnako vyskoci 3x dotaz na heslo (a to aj napriek tomu ze to je novy - dnes generovany kluc, ktory by uz nemal byt postihnuty tou chybou, a vlastne ani ten moj predchodzi nebol po tom overeni cez openssl-vulnkey)
tak som z toho jelen.

[8472]

tak som este trocha patral, kedze sa mi nezda ze je problem s klucmi na mojej strane, alebo na strane servera, a dopatral som sa k tomuto, ze to ocividne vyzera na dalsi BUG.

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/230197/comments/6

I'm using a certificate and having a similar issue. I think the problem is that the private portion is password locked. If I run openvpn from the command line, it asks for my password twice (I'm assuming once for openssl-vulnkey). But with network manager running the show, I don't think it knows how to get the password to openssl-vulnkey.

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/230197/comments/8

Russ: Yes, the password prompt by openssl-vulnkey is the problem.

It would be really nice to know if someone is working on this as this causes serious problems. I am in a production environment, too, and I'm not alone.

However, I'm not sure whether this is a bug in the openvpn or in the network-manager package, or both. Pirx is not using network-manager but is experiencing similar problems.

vsetka diskusia je tu:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/230197

[Krtko]

to je zaujimave.openvpn pouzivam casto a tento problem som si nevsimol.klienta mam ubuntu 8.04 a server je debian sarge.obidva po aktualizaciach.

[8472]

to je zaujimave.openvpn pouzivam casto a tento problem som si nevsimol.klienta mam ubuntu 8.04 a server je debian sarge.obidva po aktualizaciach.

ved ja tiez pouzivam openvpn pomaly 1,5 roka a doteraz taky problem nebol, az ked vypluli tam tie aktualizacie sa to rozhasilo.
a pouzivas openvpn z riadku, alebo cez network managera v gnome, alebo?