Bug #9744

fatal error if ECDH Curve not default

Added by Viktor Gurov about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
Start date:
09/11/2019
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.5.0
Affected Architecture:

Description

If you select an ECDH Curve server option other than the default, for example <ecdh_curve>Oakley-EC2N-4</ecdh_curve>, you get:

Sep 11 13:56:58 pf4 openvpn77881: OpenVPN 2.4.7 amd64-portbld-freebsd12.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 18 2019
Sep 11 13:56:58 pf4 openvpn77881: library versions: OpenSSL 1.1.1a-freebsd 20 Nov 2018, LZO 2.10
Sep 11 13:56:58 pf4 openvpn78203: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 13:56:58 pf4 openvpn78203: SSL_CTX_set_tmp_ecdh: cannot add curve
Sep 11 13:56:58 pf4 openvpn78203: Exiting due to fatal error

No such problem on pfSense 2.4.4-p3.

2.5.0-DEVELOPMENT (amd64)
built on Tue Sep 10 19:08:55 EDT 2019
FreeBSD 12.0-RELEASE-p10

History

#1 Updated by Jim Pingle about 1 month ago

  • Target version set to 2.5.0

That's internal to OpenVPN/OpenSSL. The GUI presents the curves it claims to support exactly (From /usr/local/sbin/openvpn --show-curves) and it's using the correct config syntax. So from the looks of it, we're doing everything properly. If support wasn't there it would have complained much earlier and with a different error.

#2 Updated by Viktor Gurov about 1 month ago

Jim Pingle wrote:

That's internal to OpenVPN/OpenSSL. The GUI presents the curves it claims to support exactly (From /usr/local/sbin/openvpn --show-curves) and it's using the correct config syntax. So from the looks of it, we're doing everything properly. If support wasn't there it would have complained much earlier and with a different error.

OpenVPN 2.4.7 issue - same on Debian 10 and clean FreeBSD 12

no error with secp* curves:
secp112r1
secp112r2
secp128r1
secp128r2
secp160k1
secp160r1
secp160r2
secp192k1
secp224k1
secp224r1
secp256k1
secp384r1
secp521r1

and OpenVPN runs successfully if you use a random name for the ecdh-curve option, e.g.:
ecdh-curve abc12345
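The report and the comment above give two things an operator needs when chasing this failure across several OpenVPN instances: the exact log signature (`SSL_CTX_set_tmp_ecdh: cannot add curve` followed by `Exiting due to fatal error`, tagged with the process PID in the pfSense syslog prefix) and the observation that only the secp* names from `--show-curves` started cleanly. The following is an added triage helper, not pfSense or OpenVPN code, that pairs a server config's `ecdh-curve` setting with those log lines and flags the curve as the likely cause. The log and config samples are constructed for this example (the log is modelled on the lines quoted in the report); the secp* check encodes the thread's observation, not a guarantee about every OpenSSL build.

```python
"""Triage helper for the OpenVPN 'SSL_CTX_set_tmp_ecdh: cannot add curve'
fatal error (added example; not pfSense or OpenVPN project code).

Pairs the server config's `ecdh-curve` value with the OpenVPN log so an
operator can see, per OpenVPN process, whether startup died on the ECDH
curve and whether the curve is one of the secp* names that, per the bug
thread, started fine on OpenVPN 2.4.7 / OpenSSL 1.1.1.
"""
import re
from typing import Dict, List, Optional

# Syslog line shape used by pfSense in the report:
# "<Mon DD HH:MM:SS> <host> openvpn<pid>: <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"openvpn(?P<pid>\d+): (?P<msg>.*)$"
)
ECDH_ERROR = "SSL_CTX_set_tmp_ecdh: cannot add curve"
FATAL_EXIT = "Exiting due to fatal error"
CURVE_OPT = re.compile(r"^\s*ecdh-curve\s+(\S+)", re.MULTILINE)

# Constructed samples (log modelled on the lines quoted in the bug report).
SAMPLE_CONFIG = """dev tun
proto udp
ecdh-curve Oakley-EC2N-4
"""
SAMPLE_LOG = """Sep 11 13:56:58 pf4 openvpn77881: OpenVPN 2.4.7 amd64-portbld-freebsd12.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 18 2019
Sep 11 13:56:58 pf4 openvpn77881: library versions: OpenSSL 1.1.1a-freebsd 20 Nov 2018, LZO 2.10
Sep 11 13:56:58 pf4 openvpn78203: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 13:56:58 pf4 openvpn78203: SSL_CTX_set_tmp_ecdh: cannot add curve
Sep 11 13:56:58 pf4 openvpn78203: Exiting due to fatal error
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse syslog-style OpenVPN lines; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def ecdh_fatal_pids(records: List[Dict[str, str]]) -> List[str]:
    """PIDs whose log shows the ECDH curve error followed by a fatal exit."""
    saw_error = set()
    failed: List[str] = []
    for r in records:
        if r["msg"].startswith(ECDH_ERROR):
            saw_error.add(r["pid"])
        elif r["msg"].startswith(FATAL_EXIT) and r["pid"] in saw_error:
            if r["pid"] not in failed:
                failed.append(r["pid"])
    return failed


def configured_curve(config_text: str) -> Optional[str]:
    """Return the ecdh-curve value from an OpenVPN server config, if set."""
    m = CURVE_OPT.search(config_text)
    return m.group(1) if m else None


def triage(config_text: str, log_text: str) -> Dict[str, object]:
    """Combine config and log into a verdict for the operator."""
    curve = configured_curve(config_text)
    failed = ecdh_fatal_pids(parse_log(log_text))
    # Thread observation: secp* curves worked, other --show-curves names did not.
    secp = curve is not None and curve.startswith("secp")
    return {
        "curve": curve,
        "failed_pids": failed,
        "curve_is_secp": secp,
        "suspect_curve": bool(failed) and curve is not None and not secp,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real `/var/log/openvpn.log` and the generated server config to get the same verdict on a live box; a `suspect_curve` of True with a non-secp name is the case this bug describes, and switching the curve to a secp* name (or the default) is the workaround the thread identified.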

#3 Updated by Jim Pingle about 1 month ago

Looks like https://community.openvpn.net/openvpn/ticket/1177

The initial title of the bug mentions FIPS, but later in a comment they correct that to OpenSSL 1.1.1.
