Bug 1175219 - OpenVPN fails with certificates on smart cards on Leap 15.2 and TW
Status: REOPENED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Otto Hollmann
Reported: 2020-08-13 08:40 UTC by Björn Voigt
Modified: 2023-03-17 14:37 UTC (History)
Description Björn Voigt 2020-08-13 08:40:12 UTC
After upgrading from Leap 15.1 to Leap 15.2, working OpenVPN setups with PKCS11 certificates on YubiKeys are failing. The same applies to openSUSE Tumbleweed. Other smart card devices may also be affected.

OpenVPN does not show many details, even with highest logging level.

# openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn
[...]
Thu Aug 13 10:21:21 2020 VERIFY OK: depth=1, CN=Test CA
Thu Aug 13 10:21:21 2020 VERIFY KU OK
Thu Aug 13 10:21:21 2020 Validating certificate extended key usage
Thu Aug 13 10:21:21 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 13 10:21:21 2020 VERIFY EKU OK
Thu Aug 13 10:21:21 2020 VERIFY OK: depth=0, CN=host1.example.com
Thu Aug 13 10:21:21 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu Aug 13 10:21:21 2020 TLS_ERROR: BIO read tls_read_plaintext error
Thu Aug 13 10:21:21 2020 TLS Error: TLS object -> incoming plaintext read error
Thu Aug 13 10:21:21 2020 TLS Error: TLS handshake failed
Thu Aug 13 10:21:21 2020 Fatal TLS error (check_tls_errors_co), restarting
Thu Aug 13 10:21:21 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 13 10:21:21 2020 Restart pause, 5 second(s)

The bug can be resolved by upgrading the pkcs11-helper packages from pkcs11-helper-1.25.1 to pkcs11-helper-devel-1.26.0.

# openvpn --cd /etc/openvpn --config openvpn-yubikey-test.ovpn
[...]
Thu Aug 13 10:32:36 2020 VERIFY OK: depth=1, CN=Test CA
Thu Aug 13 10:32:36 2020 VERIFY KU OK
Thu Aug 13 10:32:36 2020 Validating certificate extended key usage
Thu Aug 13 10:32:36 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 13 10:32:36 2020 VERIFY EKU OK
Thu Aug 13 10:32:36 2020 VERIFY OK: depth=0, CN=host1.example.com
Enter user1 token Password: (press TAB for no echo)

There is a problem with inconsistent padding between OpenSSL 1.1.1 and pkcs11-helper-1.25.1. The details are described here: http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for-openvpn-td76415.html

The pkcs11-helper-devel-1.26.0 Changelog contains this line:
- openssl: support RSA_NO_PADDING padding, thanks to Selva Nair
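A small triage script for this failure pattern, added here as an example (it is not part of the bug report, of OpenVPN or of pkcs11-helper). It classifies OpenVPN client log lines: when the server chain verifies fine ("VERIFY OK: depth=0 ...") and OpenSSL only then fails in tls_construct_cert_verify, the client's own signing operation on the token is what failed, which is exactly where the pkcs11-helper padding problem sits. The 1.26.0 threshold is the one stated in the report; the sample log lines are constructed from the ones quoted above.

```python
"""Triage helper for the OpenVPN + PKCS#11 failure in this report (added example)."""
import re

FIXED_VERSION = (1, 26, 0)  # first pkcs11-helper release with RSA_NO_PADDING support

_SERVER_OK = re.compile(r"VERIFY OK: depth=0, CN=\S+")
_SERVER_FAIL = re.compile(r"VERIFY ERROR|certificate verify failed")
_CLIENT_SIGN_FAIL = re.compile(r"OpenSSL: error:\w+:SSL routines:tls_construct_cert_verify:")
_TOKEN_PROMPT = re.compile(r"Enter \S+ token Password")


def classify_handshake(log_lines):
    """Return one of: server-verify-failure, client-signing-failure,
    token-pin-prompted (the signing path reached the token) or unknown."""
    server_verified = False
    for line in log_lines:
        if _SERVER_OK.search(line):
            server_verified = True
        elif _SERVER_FAIL.search(line):
            return "server-verify-failure"
        elif _CLIENT_SIGN_FAIL.search(line):
            # The server chain already passed, so the failure is our own
            # CertificateVerify signature, i.e. the RSA sign through pkcs11-helper.
            return "client-signing-failure" if server_verified else "unknown"
        elif _TOKEN_PROMPT.search(line):
            return "token-pin-prompted"
    return "unknown"


def pkcs11_helper_affected(package_string):
    """True when the x.y.z version in e.g. 'pkcs11-helper-1.25.1' predates the fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", package_string)
    if not m:
        raise ValueError(f"no x.y.z version in {package_string!r}")
    return tuple(int(p) for p in m.groups()) < FIXED_VERSION


# Constructed samples, abbreviated from the log lines quoted in the report.
BROKEN_LOG = [
    "Thu Aug 13 10:21:21 2020 VERIFY OK: depth=1, CN=Test CA",
    "Thu Aug 13 10:21:21 2020 VERIFY OK: depth=0, CN=host1.example.com",
    "Thu Aug 13 10:21:21 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib",
    "Thu Aug 13 10:21:21 2020 TLS Error: TLS handshake failed",
]
FIXED_LOG = [
    "Thu Aug 13 10:32:36 2020 VERIFY OK: depth=0, CN=host1.example.com",
    "Enter user1 token Password: (press TAB for no echo)",
]

if __name__ == "__main__":
    print(classify_handshake(BROKEN_LOG), classify_handshake(FIXED_LOG))
    print(pkcs11_helper_affected("pkcs11-helper-1.25.1"))
```

Feed it the output of `rpm -q pkcs11-helper` and the OpenVPN log to separate this client-side signing failure from ordinary server certificate problems.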
Comment 1 Marcus Meissner 2020-09-08 15:09:04 UTC
(assign to jason for pkcs11-helper currently, not sure if right)
Comment 2 Jason Sikes 2022-11-22 03:30:22 UTC
Hi. Do we know if this is still an issue that needs to be worked on?
Comment 3 Jason Sikes 2022-12-30 02:50:31 UTC
Many of our smart card support packages were updated in Leap 15.3 and Tumbleweed. Also, since I didn't get a response to my query for some time, I am going to assume the issue has been fixed by an update.

Please reopen if this is still a problem.
Comment 4 Björn Voigt 2022-12-30 20:23:27 UTC
Unfortunately there is no update for pkcs11-helper in openSUSE Leap 15.4.

The reported bug is still valid for openSUSE Leap 15.4. The bug could still be fixed with pkcs11-helper >= 1.26.0.
Comment 5 Jason Sikes 2023-01-18 07:37:58 UTC
Added patch sourced from https://github.com/OpenSC/pkcs11-helper/commit/c192bb48e9170d636e305d03a87c82580101a1a9

created request id 288440