| Summary: | openvpn new security issue fixed upstream in 2.3.9 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/669524/ | ||
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | openvpn-2.3.6-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | This was the sample crypto-key test | ||
Description
David Walser
2015-12-29 19:40:29 CET
[root@localhost sbin]# openvpn
OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015

Test Crypto:
./openvpn --genkey --secret key
./openvpn --test-crypto --secret key
This succeeded (see attachment after this post)

Testing client/server. You've got to modify the sample configuration file
vi /usr/share/openvpn/sample-config-files/loopback-server
modify the following in that file:
dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

I run it again
[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Sat Jan 9 10:46:41 2016 OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sat Jan 9 10:46:41 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sat Jan 9 10:46:41 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jan 9 10:46:41 2016 Diffie-Hellman initialized with 2048 bit key
Sat Jan 9 10:46:41 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Sat Jan 9 10:46:41 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jan 9 10:46:41 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Sat Jan 9 10:46:41 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001

Next I have to edit the client side test configuration
vi /usr/share/openvpn/sample-config-files/loopback-client
Modify the following rows:
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/client.key
cert /usr/share/openvpn/sample-keys/client.crt

Now run the client:
[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Sat Jan 9 10:52:39 2016 OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sat Jan 9 10:52:39 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sat Jan 9 10:52:39 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jan 9 10:52:39 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Sat Jan 9 10:52:39 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jan 9 10:52:39 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Sat Jan 9 10:52:39 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Sat Jan 9 10:52:39 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=5b4c4dc9 e82cd17b
Sat Jan 9 10:52:39 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sat Jan 9 10:52:39 2016 Validating certificate key usage
Sat Jan 9 10:52:39 2016 ++ Certificate has key usage 00a0, expects 00a0
Sat Jan 9 10:52:39 2016 VERIFY KU OK
Sat Jan 9 10:52:39 2016 Validating certificate extended key usage
Sat Jan 9 10:52:39 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan 9 10:52:39 2016 VERIFY EKU OK
Sat Jan 9 10:52:39 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sat Jan 9 10:52:39 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 9 10:52:39 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 9 10:52:39 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 9 10:52:39 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 9 10:52:39 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jan 9 10:52:39 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000

This is running fine.

CC: (none) => brtians1
Created attachment 7328 [details]
This was the sample crypto-key test
Brian Rockwell
2016-01-09 17:55:58 CET
Whiteboard: (none) => MGA5-32-OK

Some other notes - I picked up my tests from the following URL:
https://openvpn.net/index.php/open-source/documentation/install.html

MGA5-64bit (Virtualbox VM)
[root@localhost sbin]# openvpn
OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015

Ran the crypto testing
[root@localhost sbin]# openvpn --genkey --secret key
[root@localhost sbin]# openvpn --test-crypto --secret key
testing succeeded

testing client/server. You've got to modify the sample configuration file
vi /usr/share/openvpn/sample-config-files/loopback-server
modify the following in that file:
dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Sun Jan 10 07:20:34 2016 OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sun Jan 10 07:20:34 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sun Jan 10 07:20:34 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 10 07:20:34 2016 Diffie-Hellman initialized with 2048 bit key
Sun Jan 10 07:20:34 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Sun Jan 10 07:20:34 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 10 07:20:34 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Sun Jan 10 07:20:34 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001

--server is running now modify the client per prior post and run the client.
[root@localhost brian]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Sun Jan 10 07:23:23 2016 OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sun Jan 10 07:23:23 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sun Jan 10 07:23:23 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 10 07:23:23 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Sun Jan 10 07:23:23 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 10 07:23:23 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Sun Jan 10 07:23:23 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Sun Jan 10 07:23:23 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=e87f2e6c 75af9f45
Sun Jan 10 07:23:23 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:23 2016 Validating certificate key usage
Sun Jan 10 07:23:23 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Jan 10 07:23:23 2016 VERIFY KU OK
Sun Jan 10 07:23:23 2016 Validating certificate extended key usage
Sun Jan 10 07:23:23 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 10 07:23:23 2016 VERIFY EKU OK
Sun Jan 10 07:23:23 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:23 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:23 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:23 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:23 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:23 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jan 10 07:23:23 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000
Sun Jan 10 07:23:24 2016 Initialization Sequence Completed
Sun Jan 10 07:23:33 2016 TLS: soft reset sec=0 bytes=945/0 pkts=18/0
Sun Jan 10 07:23:33 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:33 2016 Validating certificate key usage
Sun Jan 10 07:23:33 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Jan 10 07:23:33 2016 VERIFY KU OK
Sun Jan 10 07:23:33 2016 Validating certificate extended key usage
Sun Jan 10 07:23:33 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 10 07:23:33 2016 VERIFY EKU OK
Sun Jan 10 07:23:33 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:33 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:33 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:33 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:33 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:33 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

seems to be working to me

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Brian Rockwell
2016-01-10 14:25:25 CET
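The QA procedure in the two comments above (genkey / test-crypto, then the loopback-server and loopback-client sample configs) can be scripted so it is repeatable on both architectures. The script below is an added example, not part of the bug report and not code from the openvpn project. It works on copies of the packaged sample files instead of editing /usr/share/openvpn in place, sets the copied private keys to mode 0600 so openvpn no longer prints the "is group or others accessible" warning seen in both logs, and pins the data channel to AES-256-CBC/SHA256 rather than the OpenVPN 2.3 default (BF-CBC with SHA1, which is what the logs above show because the sample configs do not set a cipher). The client-side remote-cert-tls server option it writes is what produces the VERIFY KU OK / VERIFY EKU OK lines in the logs. Assumptions: the samples live under $OPENVPN_SHARE (default /usr/share/openvpn), coreutils timeout and stat are available, and the sample configs keep their 16000/16001 loopback ports. The packaged sample keys are published test material; they are fine for this loopback run and for nothing else.

```shell
#!/bin/sh
# Loopback TLS smoke test for the openvpn 2.3.9 update (added example, not from
# the bug report or the openvpn project). Assumptions: sample files under
# $OPENVPN_SHARE, coreutils `timeout`/`stat`, loopback ports 16000/16001.
set -u

OPENVPN_SHARE=${OPENVPN_SHARE:-/usr/share/openvpn}
WORK=${WORK:-$(mktemp -d)}

# Succeed only if $1 exists and is unreadable by group and others (mode ?00),
# i.e. the condition openvpn checks before warning about a key file.
key_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Write $WORK/<role>.conf from a sample loopback config: drop its
# ca/cert/key/dh/cipher/auth/remote-cert-tls lines, point the credentials at
# $3 (a directory of key copies), re-add remote-cert-tls on the client, and pin
# the data-channel cipher and HMAC. Prints the path written.
# $1 = server|client, $2 = source sample config, $3 = key directory
write_loopback_conf() {
    role=$1 src=$2 keydir=$3
    [ -r "$src" ] || return 1
    out=$WORK/$role.conf
    grep -Ev '^(ca|cert|key|dh|cipher|auth|remote-cert-tls)[[:space:]]' "$src" > "$out" || :
    {
        echo "ca $keydir/ca.crt"
        echo "cert $keydir/$role.crt"
        echo "key $keydir/$role.key"
        if [ "$role" = server ]; then echo "dh $keydir/dh2048.pem"; fi
        if [ "$role" = client ]; then echo "remote-cert-tls server"; fi
        echo "cipher AES-256-CBC"   # replaces the 2.3 default BF-CBC
        echo "auth SHA256"          # replaces the 2.3 default SHA1
    } >> "$out"
    echo "$out"
}

# Copy the sample keys into $WORK/keys and make the private keys owner-only.
stage_keys() {
    keydir=$WORK/keys
    mkdir -p "$keydir"
    for f in ca.crt dh2048.pem server.crt server.key client.crt client.key; do
        cp "$OPENVPN_SHARE/sample-keys/$f" "$keydir/" || return 1
    done
    chmod 600 "$keydir"/*.key
    echo "$keydir"
}

# Start the server, run the client for a few seconds, then check the logs for a
# completed handshake on the pinned cipher and no key-permission warning.
run_loopback_test() {
    keydir=$(stage_keys) || { echo "FAIL: cannot stage sample keys" >&2; return 1; }
    key_is_private "$keydir/server.key" || { echo "FAIL: server.key still world-readable" >&2; return 1; }
    srv=$(write_loopback_conf server "$OPENVPN_SHARE/sample-config-files/loopback-server" "$keydir")
    cli=$(write_loopback_conf client "$OPENVPN_SHARE/sample-config-files/loopback-client" "$keydir")
    openvpn --config "$srv" --log "$WORK/server.log" &
    srvpid=$!
    sleep 1
    timeout 5 openvpn --config "$cli" --log "$WORK/client.log" || :   # client runs until killed
    kill "$srvpid" 2>/dev/null; wait "$srvpid" 2>/dev/null || :
    grep -q 'Initialization Sequence Completed' "$WORK/client.log" \
        || { echo "FAIL: no tunnel, see $WORK/client.log" >&2; return 1; }
    grep -q "Cipher 'AES-256-CBC' initialized" "$WORK/client.log" \
        || { echo "FAIL: data channel is not using AES-256-CBC" >&2; return 1; }
    if grep -q 'group or others accessible' "$WORK/server.log" "$WORK/client.log"; then
        echo "FAIL: openvpn still warns about key permissions" >&2; return 1
    fi
    echo "PASS: loopback TLS handshake on AES-256-CBC/SHA256, keys private (logs in $WORK)"
}

# Invoke as: sh loopback-test.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = run ]; then
    run_loopback_test
fi
```

Run it as root or as any user that can bind UDP 16000/16001 on loopback; the sample configs use dev null, so no tun device is needed. A PASS means the same three things the QA logs above establish by eye: the TLS control channel came up, the server certificate passed the KU/EKU checks, and the data channel keys were negotiated, with the added guarantees that the cipher is the one you configured and the private keys are not readable by other local users.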
CC: (none) => sysadmin-bugs
Dave Hodgins
2016-01-12 06:40:01 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0010.html

Status: NEW => RESOLVED