Bug #16328
Status: closed
openvpn-client-export 1.9.5 | Viscosity Bundle | ECDSA cert missing key when Password Protect Certificate is ticked
Description
In the same vein as #15086, today I had cause to export an OpenVPN client profile. As an extra layer of protection I ticked "Password Protect Certificate", provided a password and clicked "Viscosity Bundle".
The resulting "XXXX-Viscosity.visc.zip" file was missing the key.key file.
I have access to a number of different pfSense firewalls here, of differing ages. The older ones, which all have RSA-based PKI, all include a key.key when I export a "Viscosity Bundle" with "Password Protect Certificate" ticked. The firewalls which have been more recently deployed are using EC-based PKI, and when I export a "Viscosity Bundle" with "Password Protect Certificate" ticked the exports are missing the key.key file.
I suspect the root cause is line 823 in https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-openvpn-client-export/files/usr/local/pkg/openvpn-client-export.inc
exec("/usr/bin/openssl rsa -in ${eclearkeyfile} -out ${ekeyfile} -des3 -passout pass:${eoutpass}");
There's a clear assumption the key is RSA.
As a test, I downloaded the bundle without "Password Protect Certificate" ticked and attempted to encrypt the key manually and got an error...
/usr/bin/openssl rsa -in key.key -out key2.key -des3 -passout pass:example_password
Not an RSA key
If I change the command to use ec, it works...
/usr/bin/openssl ec -in key.key -out key2.key -des3 -passout pass:example_password
read EC key
writing EC key
And if I rename key2.key to key.key I'm able to connect to the VPN with the expected additional prompt for the password for the private key.
Updated by Steve Scotter about 1 month ago
Sadly, I've been unable to find a decent way to determine if a key is RSA or EC. The closest I've come is...
$ openssl pkey -in key.key -text -noout | head -n 1
Private-Key: (256 bit)
$ openssl pkey -in rsa.key -text -noout | head -n 1
Private-Key: (4096 bit, 2 primes)
and then maybe assume if the output mentions primes it'll be an RSA key?
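As an added example that is not part of the report or of the pfSense package, here is a POSIX shell version of the type-aware export step the reporter is after: instead of grepping the "-text" output (whose wording varies between OpenSSL versions), it lets openssl decide whether the clear key is RSA or EC by whether "openssl rsa" accepts it, then password-protects it with the matching subcommand. It assumes openssl(1) is on PATH; the file names are placeholders, and -aes256 is substituted for the -des3 in the quoted exec() line.

```shell
#!/bin/sh
# Added example, not the pfSense package's code. Assumes openssl(1) on PATH.

# key_type FILE -> prints "rsa" or "ec"; returns 1 for anything else.
# "openssl rsa" exits non-zero ("Not an RSA key") on an EC key, as the
# report shows, and "openssl ec" likewise rejects an RSA key, so the exit
# status is a type check that does not depend on the wording of -text output.
key_type() {
    if openssl rsa -in "$1" -noout >/dev/null 2>&1; then
        echo rsa
    elif openssl ec -in "$1" -noout >/dev/null 2>&1; then
        echo ec
    else
        return 1
    fi
}

# encrypt_key IN OUT PASSWORD -> writes a password-protected copy of IN to OUT,
# running "openssl rsa" or "openssl ec" according to the detected key type.
# -aes256 replaces the -des3 used by the quoted exec() line; OpenSSL-based
# clients read either legacy-encrypted PEM form.
encrypt_key() {
    keyfile=$1; outfile=$2; pass=$3
    ktype=$(key_type "$keyfile") || {
        echo "unsupported or unreadable private key: $keyfile" >&2
        return 1
    }
    openssl "$ktype" -in "$keyfile" -out "$outfile" -aes256 -passout "pass:$pass"
}

# Stand-alone usage: ./encrypt_key.sh key.key key2.key example_password
if [ "$#" -eq 3 ]; then
    encrypt_key "$1" "$2" "$3"
fi
```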
Updated by Kris Phillips about 1 month ago
- Status changed from New to Duplicate
Closing out Duplicate.