
v2.6.008 OpenVPNgui is asking for password and should not with Remote Access ( SSL/TLS )

Open balmmva opened this issue 2 years ago • 5 comments

v2.6.008 OpenVPNgui is asking for a password and should not. Reverted to the previous version, 2.5.040, and it is working fine with Remote Access (SSL/TLS). No popup.

On Win10. Installed today using winget -> KO. Removed and reinstalled specifying v2.5.040 -> OK.

balmmva avatar Feb 03 '23 16:02 balmmva

Your issue is lacking everything we could need to help you figure out what is going on.

First, start with OpenVPN logfiles from 2.5 and 2.6 to see where it differs, and why 2.6 wants to ask for a username+password where 2.5 doesn't. Then, having the openvpn config file (remove keys!) would be useful to be able to reproduce the issue.

cron2 avatar Feb 14 '23 15:02 cron2

The problem with the password dialog always occurs when using pkcs12 files. It is caused by OpenSSL 3.0.x. The new OpenSSL version does not accept empty passwords for pkcs12 files.

When a pkcs12 file is opened, the only feedback is that it is password protected, and then in OpenVPN the function pem_password_callback in ssl_openssl.c line 840 is triggered. This always opens the OpenVPN password dialog.

Such configurations can be created with firewalls (pfsense, opnsense) as an archive export. Normally no passwords for p12 files are set there.

Test example for OpenSSL 3.0.x and OpenSSL 1.1.1t

OpenSSL 3.0.x:

```
e:\TEST\openssl\openssl-3\x64\bin>openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

e:\TEST\openssl\openssl-3\x64\bin>openssl pkcs12 -in TEST.p12
Password required

e:\TEST\openssl\openssl-3\x64\bin>openssl pkcs12 -in TEST.p12 -password pass:
Error outputting keys and certificates
F4430000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:..\crypto\evp\evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
```

OpenSSL 1.1.1x:

```
c:\Program Files\OpenVPN\bin>openssl version
OpenSSL 1.1.1t 7 Feb 2023

c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST.p12
Enter Import Password: (Enter pressed)
Bag Attributes
    localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5

c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST.p12 -password pass:
Bag Attributes
    localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5
```

kretze avatar Mar 10 '23 13:03 kretze

Empty passwords with pkcs12 have always been sketchy and I am not surprised that they break now. I would suggest just using key and cert files.

That being said, your problem seems to be that your pkcs12 files are still RC2 encrypted:

```
F4430000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:..\crypto\evp\evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
```

You will need to switch to a better encryption scheme or load the legacy provider: `--providers legacy default` for openvpn and `-provider legacy -provider default` for OpenSSL 3.0.

schwabe avatar Mar 10 '23 13:03 schwabe

> The problem with the password dialog always occurs when using pkcs12 files. It is caused by OpenSSL 3.0.x. The new OpenSSL version does not accept empty passwords for pkcs12 files.

Your pkcs12 file is encrypted by an algorithm (RC2?) that is deprecated in OpenSSL 3.0. You either need to recreate the pkcs12 file -- import using the -legacy option and export back without using -legacy. Or use the change passphrase menu in the GUI -- this is possible only if the pkcs12 file is in a location writable by the user.

The GUI will still prompt for the password on the first run; you can opt to save it at that time and it will not prompt again. Or just import the pkcs12 file into the Windows certificate store and use cryptoapicert. Arguably more secure and easier once set up.

selvanair avatar Mar 10 '23 13:03 selvanair
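A shell helper for the two steps described above (schwabe's advice to load the legacy provider, and selvanair's advice to import with -legacy and export back without it). This is an added example for this thread, not OpenVPN, OpenSSL, pfSense or OPNsense code. It assumes an OpenSSL 3.x `openssl` binary with the legacy provider module installed; the function names and the `rewrap_p12.sh` file name are the example's own.

```shell
#!/bin/sh
# Inspect and re-wrap a PKCS#12 bundle whose contents are still
# pbeWithSHA1And40BitRC2-CBC encrypted, which OpenSSL 3's default provider
# refuses with the "RC2-40-CBC ... unsupported" error quoted above.
# Assumption: OpenSSL 3.x with the legacy provider module installed.
set -u

# Print the PBE scheme of every encrypted part of BUNDLE, one per line.
# -legacy loads the legacy provider next to the default one, so an RC2-wrapped
# bundle can be inspected at all; openssl writes the -info summary to stderr.
p12_pbe_schemes() {
    bundle=$1; pass=${2:-}
    openssl pkcs12 -in "$bundle" -info -noout -legacy -passin "pass:$pass" 2>&1 \
        | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag): ' \
        | sed 's/, Iteration.*//'
}

# Succeeds when any part of BUNDLE is RC2 wrapped (certificate bags written by
# older exporters typically are; keys are usually 3DES, which still works).
p12_uses_rc2() {
    p12_pbe_schemes "$1" "${2:-}" | grep -q 'RC2'
}

# Decrypt OLD with the legacy provider and export it again as NEW under the same
# password.  Without -legacy on the export side OpenSSL 3 wraps both certs and
# keys with PBES2 / AES-256-CBC / PBKDF2.  The pipe keeps the unwrapped private
# key off the disk instead of going through a -nodes file.
p12_rewrap() {
    old=$1; new=$2; pass=${3:-}
    openssl pkcs12 -in "$old" -legacy -passin "pass:$pass" -nodes \
        | openssl pkcs12 -export -passout "pass:$pass" -out "$new"
}

# Script usage: sh rewrap_p12.sh OLD.p12 NEW.p12 [PASSWORD]
if [ $# -ge 2 ]; then
    p12_rewrap "$@"
    echo "new bundle uses:"
    p12_pbe_schemes "$2" "${3:-}"
fi
```

After rewrapping, the new file opens on OpenSSL 3 without `-legacy` or `--providers legacy default`, and `p12_pbe_schemes` on it should list only PBES2/AES-256-CBC lines. An empty password is passed as `pass:` with nothing after the colon, matching the `-password pass:` invocation in the test output above.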

```
c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST2.p12 -info
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5
```

Yes, it is RC2-CBC.

OK, then the archive configurations of the firewalls do not work because they are still encrypted with RC2-CBC, which is no longer used in OpenSSL 3. Since we have no direct influence on the OpenVPN Client Export functions of the firewalls (opnsense), we have to wait until they are updated or switch to mbed TLS (inline configuration files).

kretze avatar Mar 10 '23 14:03 kretze