Fedora has issued an advisory on May 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CWK3Y6R5POSAVF62X2W6FMZ4F3YGUT6T/

Upstream Changelog is here:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated openvpn packages fix security vulnerabilities:

The openvpn package has been updated to version 2.3.11, which fixes several
bugs and possible security issues. See the upstream ChangeLog for details.

References:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CWK3Y6R5POSAVF62X2W6FMZ4F3YGUT6T/
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.11-1.mga5
libopenvpn-devel-2.3.11-1.mga5

from openvpn-2.3.11-1.mga5.src.rpm
Testing ideas in Bug 17418.
Whiteboard: (none) => has_procedure
MGA5-32

[root@localhost brian]# uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:37:30 UTC 2016 i686 i686 i686 GNU/Linux

[root@localhost brian]# openvpn
OpenVPN 2.3.11 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 17 2016

openvpn --genkey --secret key
openvpn --test-crypto --secret key
Fri May 20 09:50:11 2016 TESTING ENCRYPT/DECRYPT of packet length=1500
Fri May 20 09:50:11 2016 OpenVPN crypto self-test mode SUCCEEDED.

Testing client/server.

You've got to modify the sample configuration file:
vi /usr/share/openvpn/sample-config-files/loopback-server

Modify the following in that file:
dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

Run server:
[root@localhost brian]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Fri May 20 09:53:02 2016 OpenVPN 2.3.11 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 17 2016
Fri May 20 09:53:02 2016 library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
Fri May 20 09:53:02 2016 Diffie-Hellman initialized with 2048 bit key
Fri May 20 09:53:02 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Fri May 20 09:53:02 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri May 20 09:53:02 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Fri May 20 09:53:02 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001

Next I have to edit the client side test configuration:
vi /usr/share/openvpn/sample-config-files/loopback-client

Modify the following rows:
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/client.key
cert /usr/share/openvpn/sample-keys/client.crt

Now run the client:
[root@localhost brian]# vi /usr/share/openvpn/sample-config-files/loopback-client
[root@localhost brian]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Fri May 20 09:55:56 2016 OpenVPN 2.3.11 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 17 2016
Fri May 20 09:55:56 2016 library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
Fri May 20 09:55:56 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri May 20 09:55:56 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Fri May 20 09:55:56 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri May 20 09:55:56 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Fri May 20 09:55:56 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Fri May 20 09:55:56 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=c45c4390 dd025d96
Fri May 20 09:55:56 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Fri May 20 09:55:56 2016 Validating certificate key usage
Fri May 20 09:55:56 2016 ++ Certificate has key usage 00a0, expects 00a0
Fri May 20 09:55:56 2016 VERIFY KU OK
Fri May 20 09:55:56 2016 Validating certificate extended key usage
Fri May 20 09:55:56 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri May 20 09:55:56 2016 VERIFY EKU OK
Fri May 20 09:55:56 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Fri May 20 09:55:56 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 09:55:56 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 09:55:56 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 09:55:56 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 09:55:56 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri May 20 09:55:56 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000
Fri May 20 09:55:57 2016 Initialization Sequence Completed
Fri May 20 09:56:06 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Fri May 20 09:56:06 2016 Validating certificate key usage
Fri May 20 09:56:06 2016 ++ Certificate has key usage 00a0, expects 00a0
Fri May 20 09:56:06 2016 VERIFY KU OK
Fri May 20 09:56:06 2016 Validating certificate extended key usage
Fri May 20 09:56:06 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri May 20 09:56:06 2016 VERIFY EKU OK
Fri May 20 09:56:06 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Fri May 20 09:56:06 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 09:56:06 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 09:56:06 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 09:56:06 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 09:56:06 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri May 20 09:56:16 2016 TLS: soft reset sec=0 bytes=265/0 pkts=5/0
Fri May 20 09:56:16 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Fri May 20 09:56:16 2016 Validating certificate key usage
Fri May 20 09:56:16 2016 ++ Certificate has key usage 00a0, expects 00a0
Fri May 20 09:56:16 2016 VERIFY KU OK
Fri May 20 09:56:16 2016 Validating certificate extended key usage
Fri May 20 09:56:16 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri May 20 09:56:16 2016 VERIFY EKU OK
Fri May 20 09:56:16 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Fri May 20 09:56:16 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 09:56:16 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 09:56:16 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 09:56:16 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 09:56:16 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Seems to be working as designed.
CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-32-OK
MGA5-64

The following 4 packages are going to be installed:
- lib64openvpn-devel-2.3.11-1.mga5.x86_64
- libobjc4-4.9.2-4.1.mga5.x86_64
- openvpn-2.3.11-1.mga5.x86_64
- perl-Authen-PAM-0.160.0-11.mga5.x86_64
2.1MB of additional disk space will be used.
742KB of packages will be retrieved.

--- after installation

[root@localhost brian]# openvpn
OpenVPN 2.3.11 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 17 2016

openvpn --genkey --secret key
openvpn --test-crypto --secret key
Fri May 20 10:33:53 2016 OpenVPN crypto self-test mode SUCCEEDED.

Did configuration and ran server/client.

(last of) Client messages:
Fri May 20 10:37:47 2016 Validating certificate key usage
Fri May 20 10:37:47 2016 ++ Certificate has key usage 00a0, expects 00a0
Fri May 20 10:37:47 2016 VERIFY KU OK
Fri May 20 10:37:47 2016 Validating certificate extended key usage
Fri May 20 10:37:47 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri May 20 10:37:47 2016 VERIFY EKU OK
Fri May 20 10:37:47 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Fri May 20 10:37:47 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 10:37:47 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 10:37:47 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 10:37:47 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 10:37:47 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
^CFri May 20 10:37:52 2016 event_wait : Interrupted system call (code=4)
Fri May 20 10:37:52 2016 Closing TUN/TAP interface
Fri May 20 10:37:52 2016 SIGINT[hard,] received, process exiting

(Last of) Server messages:
Fri May 20 10:37:46 2016 TLS: soft reset sec=0 bytes=578/0 pkts=11/0
Fri May 20 10:37:47 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Fri May 20 10:37:47 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client, emailAddress=me@myhost.mydomain
Fri May 20 10:37:47 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 10:37:47 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 10:37:47 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 20 10:37:47 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 20 10:37:47 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri May 20 10:37:57 2016 TLS: soft reset sec=0 bytes=370/0 pkts=7/0
Fri May 20 10:38:57 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 20 10:38:57 2016 TLS Error: TLS handshake failed
Fri May 20 10:38:57 2016 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Fri May 20 10:39:03 2016 Inactivity timeout (--inactive), exiting
Fri May 20 10:39:03 2016 Closing TUN/TAP interface
Fri May 20 10:39:03 2016 SIGTERM[soft,inactive] received, process exiting

Seems to be working correctly.
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
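Added example, not part of the bug report or of the openvpn project: a script that automates the loopback server/client check the two QA comments above perform by hand. It copies the sample configs and keys from /usr/share/openvpn into a private temp directory instead of editing the files under /usr/share in place, sets the copied keys to mode 0600 (which avoids the "is group or others accessible" warning seen in the logs), runs both ends in the background with --log and --writepid, and then greps the client log for the same markers the testers looked for: a depth=0 VERIFY OK, "Initialization Sequence Completed", and no "TLS Error". The helper names (check_client_log, report_data_channel, run_loopback_test), the temp-directory layout and the SAMPLE_DIR variable are this script's own conventions, not openvpn's.

```shell
#!/bin/sh
# Automated loopback test for the openvpn update (added example; assumes the
# Mageia sample files live under /usr/share/openvpn as shown in the QA log).

SAMPLE_DIR=${SAMPLE_DIR:-/usr/share/openvpn}

# check_client_log LOGFILE
# Exit 0 when the client log shows a verified server certificate and a
# completed handshake with no TLS errors; otherwise print what is missing.
check_client_log() {
    log=$1
    rc=0
    if ! grep -q 'VERIFY OK: depth=0' "$log"; then
        echo "FAIL: no depth=0 VERIFY OK (server certificate not verified)"; rc=1
    fi
    if ! grep -q 'Initialization Sequence Completed' "$log"; then
        echo "FAIL: no 'Initialization Sequence Completed'"; rc=1
    fi
    if grep -q 'TLS Error' "$log"; then
        echo "FAIL: TLS Error present"; rc=1
    fi
    return $rc
}

# report_data_channel LOGFILE
# Print the negotiated data-channel cipher and control-channel TLS parameters
# (one line each) so the tester can record them with the result.
report_data_channel() {
    sed -n \
        -e "s/.*Data Channel Encrypt: Cipher \(.*\) initialized.*/cipher: \1/p" \
        -e "s/.*Control Channel: \(TLSv[0-9.]*\), cipher \(.*\)/control: \1 \2/p" \
        "$1" | sort -u
}

# run_loopback_test
# Copy sample configs/keys to a temp dir, point them at the copies (the same
# edits the testers made with vi), run server and client for ~10 s, stop them
# and evaluate the client log.  Returns 2 if openvpn is not installed.
run_loopback_test() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn not installed"; return 2; }
    work=$(mktemp -d) || return 2
    cp "$SAMPLE_DIR/sample-config-files/loopback-server" "$work/server.conf"
    cp "$SAMPLE_DIR/sample-config-files/loopback-client" "$work/client.conf"
    for f in ca.crt dh2048.pem server.crt server.key client.crt client.key; do
        cp "$SAMPLE_DIR/sample-keys/$f" "$work/"
    done
    chmod 600 "$work"/*.key
    sed -i -e "s|^dh .*|dh $work/dh2048.pem|" -e "s|^ca .*|ca $work/ca.crt|" \
           -e "s|^key .*|key $work/server.key|" -e "s|^cert .*|cert $work/server.crt|" \
           "$work/server.conf"
    sed -i -e "s|^ca .*|ca $work/ca.crt|" -e "s|^key .*|key $work/client.key|" \
           -e "s|^cert .*|cert $work/client.crt|" "$work/client.conf"

    openvpn --config "$work/server.conf" --log "$work/server.log" \
            --writepid "$work/server.pid" --daemon
    sleep 1
    openvpn --config "$work/client.conf" --log "$work/client.log" \
            --writepid "$work/client.pid" --daemon
    sleep 10
    kill "$(cat "$work/client.pid")" "$(cat "$work/server.pid")" 2>/dev/null
    sleep 1

    echo "logs kept in $work"
    report_data_channel "$work/client.log"
    check_client_log "$work/client.log"
}

# Only run the live test when invoked as: sh openvpn-loopback-check.sh run
case "${1:-}" in
    run) run_loopback_test ;;
esac
```

Run it as root with `sh openvpn-loopback-check.sh run`; it prints the negotiated cipher lines (the page's logs show 'BF-CBC' for the data channel and TLSv1.2 with DHE-RSA-AES256-GCM-SHA384 for the control channel) followed by any failed check, and its exit status is 0 only when the client log contains the success markers. The sample configs carry `inactive 120 10000000`, so even if the kill step is skipped both processes exit on their own after two minutes, as the server log in the 64-bit comment shows.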
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0200.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED