Bug 552

Summary: Missing password field in drakvpn VPN configuration for pkcs1x certs
Product: Mageia Reporter: Maat <maat-ml>
Component: RPM PackagesAssignee: Olivier Blin <mageia>
Status: ASSIGNED --- QA Contact:
Severity: major    
Priority: Normal CC: cazzaniga.sandro, marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: drakx-net-2.42-1.mga7.src.rpm CVE:
Status comment:

Description Maat 2011-03-25 21:51:36 CET 
Description of problem:

When using net_applet to configure an openvpn access with a username.p12 file there is no way to enter the cert password to activate the vpn :-(

When launching openvpn with cli, openvpn asks for the password and then everything is okay

$ openvpn -f /etc/sysconfig/network-scripts/vpn.d/openvpn/myvpn.conf

While with net_applet the vpn connetion fails because the password is not provided to openvpn

Version-Release number of selected component (if applicable):

Name        : drakx-net
Version     : 0.93
Release     : 3.mga1

How reproducible:

Always

Steps to Reproduce:
1. have a openvpn server and a pki
2. create yourself a pkcs12 cert (username.p12)
3. Right click on net_applet tyray icon
4. choose VPN
5. Choose Manage
6. Choose OpenVPN 
7. Define a new one.. let's say "myvpn"
8. Define Type X509, give your username.p12 file in PKCS#12 field, click next
9. Give your vpn server ip or fqdn, click next
10. Try to start it
11. check /var/log/messages for openvpn failure message

Try with cli reusing the very same config file net_applet just created /etc/sysconfig/network-scripts/vpn.d/openvpn/myvpn.conf

give the password... watch that here openvpn is working

(This is likely to prevent people from using mageia with vpn connections)

Reproducible: 

Steps to Reproduce:
Comment 1 Marja Van Waes 2011-10-07 23:22:53 CEST 
We're now on a newer version of drakx-net (0.97-1.mga1 for Mageia 1), did this get solved?

CC: (none) => marja11

Comment 2 Maat 2011-10-11 12:01:52 CEST 
Sorry : no password asked :-/

Sample of logs juste for the sake of it :

Oct 11 12:01:35 laptop-xxx net_applet[3975]: running: consolehelper openvpn Linagora
Oct 11 12:01:36 laptop-xxx openvpn[16160]: OpenVPN 2.2.1 i586-mageia-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul 25 2011
Oct 11 12:01:36 laptop-xxx openvpn[16160]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.                                                                                                                                         
Oct 11 12:01:36 laptop-xxx openvpn[16160]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables    
Oct 11 12:01:36 laptop-xxx openvpn[16160]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this  
Oct 11 12:01:36 laptop-xxx openvpn[16160]: OpenSSL ERROR code: 113                                                                                   
Oct 11 12:01:36 laptop-xxx openvpn[16160]: Error: private key password verification failed                                                           
Oct 11 12:01:36 laptop-pvxxxilarem openvpn[16160]: Exiting

=> the feature is simply missing... no hope of having this bug solved by chance with a new version :/
Comment 3 Marja Van Waes 2012-01-16 21:11:49 CET 
Pinging. because nothing happened to this report since more than 3 months ago, and it still has the status NEW or REOPENED.

@ Olivier
Please set status to ASSIGNED if you think this bug was assigned correctly. If for work flow reasons you can't do that, then please put OK on the whiteboard instead. (I leave out the "OK" bugs when searching for New and Reopened stale bugs)
Comment 4 Marja Van Waes 2012-04-20 08:12:20 CEST 
@ Olivier

Ping?
Comment 5 Maat 2012-04-29 11:20:14 CEST 
Still no  password for .p12 files as far as i can see :-(

So either you explode by hand the .p12 file extracting .cert and .key (setting an empty password for the .key) to use the other configuration option available (which does not allow to enter a password either)

But the drawback is that :
1/ You have to master openssl command line interface which is not really simple
2/ You have to weaken your VPN security (VPN connection without password)

=> imho we'd have a great improvement having mageia's VPN tool able to ask for passwords :)
Comment 6 Marja Van Waes 2012-05-26 13:05:18 CEST 
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment.

Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja

Keywords: (none) => NEEDINFO

Comment 7 Marja Van Waes 2012-08-04 19:34:01 CEST 
maat just confirmed on IRC the bug is still valid for all versions of Mageia.

So:
drakx-net-1.13-1.mga3.src.rpm
drakx-net-1.12-1.mga2.src.rpm
drakx-net-0.97.2-1.mga1.src.rpm

@ Olivier

Please put OK on the whiteboard if you think this bug was assigned correctly, or set status to ASSIGNED

Whiteboard: (none) => MGA2TOO MGA1TOO
Keywords: NEEDINFO => (none)
Source RPM: drakx-net-0.93-3.mga1.src.rpm => drakx-net-1.13-1.mga3.src.rpm

Comment 8 Olivier Blin 2012-08-04 20:17:48 CEST 
We have support for querying passwords from openvpn.
We are running openvpn with --management 127.0.0.1 2222 --management-query-passwords" and expect ">PASSWORD:" strings.
Does anyone know if this changed?

Status: NEW => ASSIGNED

Sandro CAZZANIGA 2013-06-10 19:13:29 CEST

CC: (none) => cazzaniga.sandro
Whiteboard: MGA2TOO MGA1TOO => MGA2TOO MGA1TOO MGA3TOO

Comment 9 Samuel Verschelde 2015-04-23 12:45:35 CEST 
Still valid in Mageia 4 I guess.

Whiteboard: MGA2TOO MGA1TOO MGA3TOO => MGA2TOO MGA1TOO MGA3TOO MGA4TOO
Hardware: i586 => All

Comment 10 Frédéric "LpSolit" Buclin 2021-01-19 22:37:19 CET 
Unless I miss something, this has nothing to do with net_applet. Clicking "VPN > Manage" simply calls drakvpn, which comes from drakx-net.

Please revert my changes if I'm wrong.

Summary: Missing password field in net_applet VPN configuration for pkcs1x certs => Missing password field in drakvpn VPN configuration for pkcs1x certs
Whiteboard: MGA2TOO MGA1TOO MGA3TOO MGA4TOO => (none)
Source RPM: drakx-net-1.13-1.mga3.src.rpm => drakx-net-2.42-1.mga7.src.rpm