
Bug #9744

fatal error if ECDH Curve not default

Added by Viktor Gurov about 1 year ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 09/11/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

If you select an ECDH Curve server option other than the default, for example <ecdh_curve>Oakley-EC2N-4</ecdh_curve>, you get:

Sep 11 13:56:58 pf4 openvpn77881: OpenVPN 2.4.7 amd64-portbld-freebsd12.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 18 2019
Sep 11 13:56:58 pf4 openvpn77881: library versions: OpenSSL 1.1.1a-freebsd 20 Nov 2018, LZO 2.10
Sep 11 13:56:58 pf4 openvpn78203: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 13:56:58 pf4 openvpn78203: SSL_CTX_set_tmp_ecdh: cannot add curve
Sep 11 13:56:58 pf4 openvpn78203: Exiting due to fatal error

no such problem on pfSense 2.4.4-p3

2.5.0-DEVELOPMENT (amd64)
built on Tue Sep 10 19:08:55 EDT 2019
FreeBSD 12.0-RELEASE-p10

Associated revisions

Revision bc3e78ab (diff)
Added by Jim Pingle 11 months ago

OpenVPN ECDH/ECDSA filtering. Fixes #9744

Can be revisited in the future if the corresponding OpenVPN bug is
resolved.

Revision ca3cddbe (diff)
Added by Jim Pingle 11 months ago

Update OpenVPN EC list based on testing. Issue #9744

History

#1 Updated by Jim Pingle about 1 year ago

  • Target version set to 2.5.0

That's internal to OpenVPN/OpenSSL. The GUI presents the curves it claims to support exactly (From /usr/local/sbin/openvpn --show-curves) and it's using the correct config syntax. So from the looks of it, we're doing everything properly. If support wasn't there it would have complained much earlier and with a different error.

#2 Updated by Viktor Gurov about 1 year ago

Jim Pingle wrote:

That's internal to OpenVPN/OpenSSL. The GUI presents the curves it claims to support exactly (From /usr/local/sbin/openvpn --show-curves) and it's using the correct config syntax. So from the looks of it, we're doing everything properly. If support wasn't there it would have complained much earlier and with a different error.

OpenVPN 2.4.7 issue - same on Debian 10 and clean FreeBSD 12

no error with secp* curves:
secp112r1
secp112r2
secp128r1
secp128r2
secp160k1
secp160r1
secp160r2
secp192k1
secp224k1
secp224r1
secp256k1
secp384r1
secp521r1

and OpenVPN runs successfully if you use a random name for the ecdh-curve option, e.g.:
ecdh-curve abc12345

#3 Updated by Jim Pingle about 1 year ago

Looks like https://community.openvpn.net/openvpn/ticket/1177

The initial title of the bug mentions FIPS but later in a comment they correct that to OpenSSL 1.1.1

#4 Updated by Jim Pingle 12 months ago

  • Assignee set to Jim Pingle

If it works with the secp* curves then maybe we should filter the list like we have done for HTTPS and IPsec. At least until OpenVPN fixes that bug. Though the exact same method won't work as the OpenVPN CA/Cert functions are a bit more involved. We may still be able to leverage the same mechanism somehow, though.

#5 Updated by Jim Pingle 11 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#6 Updated by Viktor Gurov 11 months ago

last test result with pfSense 2.5.0.a.20191121.2127 (OpenVPN 2.4.8) and Debian 10.2 client (OpenVPN 2.4.7)

server start failed with error:

Exiting due to fatal error
SSL_CTX_set_tmp_ecdh: cannot add curve

client TLS error:

TLS Error: TLS handshake failed
TLS Error: TLS object -> incoming plaintext read error
TLS_ERROR: BIO read tls_read_plaintext error
OpenSSL: error:141F7065:SSL routines:final_key_share:no suitable key share

secp112r1 - server start failed
secp112r2 - server start failed
secp128r1 - server start failed
secp128r2 - server start failed
secp160k1 - server started, client TLS error
secp160r1 - server started, client TLS error
secp160r2 - server started, client TLS error
secp192k1 - server started, client TLS error
secp224k1 - server started, client TLS error
secp224r1 - server started, client TLS error
secp256k1 - server started, client TLS error
secp384r1 - server started, client connected
secp521r1 - server started, client connected

also tested with prime256v1 - server started, client connected

so, OpenVPN ECDH curves = IPsec curves
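
Comments #2 and #6 between them show three distinct outcomes for an ecdh-curve name on an OpenSSL 1.1.1 build: a fatal "cannot add curve" at server start (secp112*/secp128*, Oakley-EC2N-4), a server that starts but whose TLS 1.3 client fails with "no suitable key share" (secp160k1 through secp256k1), and a working connection (prime256v1, secp384r1, secp521r1). The boundaries line up with two tables: the first group are curves with no entry in the IANA TLS Supported Groups registry, so OpenSSL 1.1.1 refuses them in SSL_CTX_set_tmp_ecdh (secp128r2 has no group ID, secp160k1 is group 15); the second group have a TLS group ID but are not among the groups OpenSSL 1.1.1 will negotiate in TLS 1.3 (P-256, P-384, P-521, X25519, X448). The script below is an added example written for this ticket, not pfSense, OpenVPN or OpenSSL code; it encodes those two tables to predict the outcome for each name in a --show-curves listing and produce the filtered list the GUI should offer. The --show-curves sample is constructed, not captured from a pfSense box, and parse_show_curves, classify and usable_curves are hypothetical helper names.

```python
"""Predict what `ecdh-curve <name>` does on an OpenVPN 2.4 / OpenSSL 1.1.1
build, reproducing the outcomes reported in this ticket.

Added example for this ticket; not pfSense, OpenVPN or OpenSSL code.
"""

# IANA "TLS Supported Groups" registry IDs for the named curves OpenSSL 1.1.1
# can map to a TLS group.  SSL_CTX_set_tmp_ecdh() in 1.1.1 installs the curve
# as the server's supported-groups list and rejects a curve with no group ID,
# which is the "SSL_CTX_set_tmp_ecdh: cannot add curve" fatal error above.
IANA_TLS_GROUP_ID = {
    "sect163k1": 1, "sect163r1": 2, "sect163r2": 3, "sect193r1": 4,
    "sect193r2": 5, "sect233k1": 6, "sect233r1": 7, "sect239k1": 8,
    "sect283k1": 9, "sect283r1": 10, "sect409k1": 11, "sect409r1": 12,
    "sect571k1": 13, "sect571r1": 14, "secp160k1": 15, "secp160r1": 16,
    "secp160r2": 17, "secp192k1": 18, "secp192r1": 19, "secp224k1": 20,
    "secp224r1": 21, "secp256k1": 22, "secp256r1": 23, "secp384r1": 24,
    "secp521r1": 25, "brainpoolP256r1": 26, "brainpoolP384r1": 27,
    "brainpoolP512r1": 28, "x25519": 29, "x448": 30,
}

# OpenSSL short names that differ from the registry names.
OPENSSL_ALIASES = {"prime256v1": "secp256r1", "prime192v1": "secp192r1"}

# Groups an OpenSSL 1.1.1 peer will use in TLS 1.3.  Any other group passes
# SSL_CTX_set_tmp_ecdh() but the TLS 1.3 handshake then fails with
# "final_key_share:no suitable key share" (comment #6).  x25519/x448 are
# listed for completeness only: `--show-curves` in OpenVPN 2.4 enumerates
# EC_GROUP curves, which they are not, so they never appear in its output.
TLS13_GROUPS = {"secp256r1", "secp384r1", "secp521r1", "x25519", "x448"}

NO_TLS_ID = "server start fails: SSL_CTX_set_tmp_ecdh: cannot add curve"
TLS12_ONLY = "server starts, TLS 1.3 client fails: no suitable key share"
USABLE = "server starts, client connects"
UNKNOWN = "not an OpenSSL curve name (OpenVPN 2.4 started anyway, comment #2)"


def parse_show_curves(text):
    """Extract curve names from `openvpn --show-curves` output.  Header
    lines contain spaces; curve short names never do."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and " " not in line.strip()]


def classify(name, builtin_curves):
    """Map a curve name to the outcome observed in the ticket.
    `builtin_curves` is the set of names OpenSSL reports as built in."""
    if name not in builtin_curves:
        return UNKNOWN
    tls_name = OPENSSL_ALIASES.get(name, name)
    if tls_name not in IANA_TLS_GROUP_ID:
        return NO_TLS_ID
    if tls_name not in TLS13_GROUPS:
        return TLS12_ONLY
    return USABLE


def usable_curves(show_curves_text):
    """The filtered list a GUI should offer: only curves that both start
    the server and complete a TLS 1.3 handshake, in listing order."""
    names = parse_show_curves(show_curves_text)
    builtin = set(names)
    return [n for n in names if classify(n, builtin) == USABLE]


# Constructed subset of `openvpn --show-curves` output (not captured from a
# real box): the curves tested in comment #6 plus a few others.
SAMPLE_SHOW_CURVES = """\
Available Elliptic curves:
secp112r1
secp112r2
secp128r1
secp128r2
secp160k1
secp160r1
secp160r2
secp192k1
secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
prime192v1
prime256v1
sect163k1
brainpoolP256r1
Oakley-EC2N-3
Oakley-EC2N-4
"""

if __name__ == "__main__":
    builtin = set(parse_show_curves(SAMPLE_SHOW_CURVES))
    for name in parse_show_curves(SAMPLE_SHOW_CURVES):
        print(f"{name:16s} {classify(name, builtin)}")
    print("offer in GUI:", usable_curves(SAMPLE_SHOW_CURVES))
```

Run against the sample, the only names left in the usable list are secp384r1, secp521r1 and prime256v1, which is the IPsec set the ticket converged on. The script is a predictor, not a replacement for the test loop in comment #6: a GUI filter built this way should still be spot-checked against a real client, because the usable set depends on the TLS version the two OpenSSL builds actually negotiate.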

#7 Updated by Jim Pingle 11 months ago

I pushed an update in ca3cddbec4 to change the OpenVPN curve list to match IPsec

#8 Updated by Viktor Gurov 11 months ago

Jim Pingle wrote:

I pushed an update in ca3cddbec4 to change the OpenVPN curve list to match IPsec

tested on 2.5.0.a.20191210.1722

Resolved

#9 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved
