Bug #9744: fatal error if ECDH Curve not default - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.03 Plus - All Closed Issues
25.03 Plus - All Open Issues
25.03 Plus - Feedback Issues
25.03 Plus - Needs Attention/Work
25.03 Plus - New/Confirmed/In Progress Issues
25.03 Plus - Pull Request Review
25.03 Plus - Waiting on Merge
25.03 Target - All Closed Issues
25.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #9744

closed

fatal error if ECDH Curve not default

Added by Viktor Gurov over 5 years ago. Updated about 5 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

OpenVPN

Target version:

2.5.0

Start date:

09/11/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.5.0

Affected Architecture:

Description

If you select ECDH Curve server option other than default, <ecdh_curve>Oakley-EC2N-4</ecdh_curve> as example, you got:

Sep 11 13:56:58 pf4 openvpn⁷⁷⁸⁸¹: OpenVPN 2.4.7 amd64-portbld-freebsd12.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 18 2019
Sep 11 13:56:58 pf4 openvpn⁷⁷⁸⁸¹: library versions: OpenSSL 1.1.1a-freebsd 20 Nov 2018, LZO 2.10
Sep 11 13:56:58 pf4 openvpn⁷⁸²⁰³: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 13:56:58 pf4 openvpn⁷⁸²⁰³: SSL_CTX_set_tmp_ecdh: cannot add curve
Sep 11 13:56:58 pf4 openvpn⁷⁸²⁰³: Exiting due to fatal error

no such problem on pfSense 2.4.4-p3

2.5.0-DEVELOPMENT (amd64)
built on Tue Sep 10 19:08:55 EDT 2019
FreeBSD 12.0-RELEASE-p10

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 5 years ago

Target version set to 2.5.0

That's internal to OpenVPN/OpenSSL. The GUI presents the curves it claims to support exactly (From /usr/local/sbin/openvpn --show-curves) and it's using the correct config syntax. So from the looks of it, we're doing everything properly. If support wasn't there it would have complained much earlier and with a different error.

Actions

Copy link

Updated by Viktor Gurov over 5 years ago

Jim Pingle wrote:

That's internal to OpenVPN/OpenSSL. The GUI presents the curves it claims to support exactly (From /usr/local/sbin/openvpn --show-curves) and it's using the correct config syntax. So from the looks of it, we're doing everything properly. If support wasn't there it would have complained much earlier and with a different error.

OpenVPN 2.4.7 issue - same on Debian 10 and clean FreeBSD 12

no error with secp* curves:
secp112r1
secp112r2
secp128r1
secp128r2
secp160k1
secp160r1
secp160r2
secp192k1
secp224k1
secp224r1
secp256k1
secp384r1
secp521r1

and OpenVPN successfully run if you use random name for ecdh-curve option, i.e.:
ecdh-curve abc12345

Actions

Copy link

Updated by Jim Pingle over 5 years ago

Looks like https://community.openvpn.net/openvpn/ticket/1177

The initial title of the bug mentions FIPS but later in a comment they correct that to OpenSSL 1.1.1

Actions

Copy link

Updated by Jim Pingle about 5 years ago

Assignee set to Jim Pingle

If it works with the secp* curves then maybe we should filter the list like we have done for HTTPS and IPsec. At least until OpenVPN fixes that bug. Though the exact same method won't work as the OpenVPN CA/Cert functions are a bit more involved. We may still be able to leverage the same mechanism somehow, though.

Actions

Copy link

Updated by Jim Pingle about 5 years ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset bc3e78ab3dd4bffb89cb8d2533199e37f92fcbf2.

Actions

Copy link

Updated by Viktor Gurov about 5 years ago

last test result with pfSense 2.5.0.a.20191121.2127 (OpenVPN 2.4.8) and Debian 10.2 client (OpenVPN 2.4.7)

server start failed error:

Exiting due to fatal error
SSL_CTX_set_tmp_ecdh: cannot add curve

client TLS error:

TLS Error: TLS handshake failed
TLS Error: TLS object -> incoming plaintext read error
TLS_ERROR: BIO read tls_read_plaintext error
OpenSSL: error:141F7065:SSL routines:final_key_share:no suitable key share

secp112r1 - server start failed
secp112r2 - server start failed
secp128r1 - server start failed
secp128r2 - server start failed
secp160k1 - server started, client TLS error
secp160r1 - server started, client TLS error
secp160r2 - server started, client TLS error
secp192k1 - server started, client TLS error
secp224k1 - server started, client TLS error
secp224r1 - server started, client TLS error
secp256k1 - server started, client TLS error
secp384r1 - server started, client connected
secp521r1 - server started, client connected

also tested with prime256v1 - server started, client connected

so, OpenVPN ECDH curves = IPsec curves

Actions

Copy link