
Cryptographic warning & error in Core 123

Posted: September 8th, 2018, 6:27 pm
by JonM
I'm not an OpenVPN expert and I am looking for help. I read thru the wiki and thru the forum but this is over my head.

I recently completed an update to IPFire 2.21 (x86_64) Core 123. All seemed to go OK. At the top of the OpenVPN web page (Services > OpenVPN) is a Cryptographic error and warning.


I clicked Generate Diffie-Hellman parameters at the bottom of the same page and updated the bit length from 1024 to 2048. I think that partially corrected the Cryptographic error. But I am guessing there is more that needs to be done. What needs to be re-created?

I have not been able to correct the Cryptographic warning. I tried stopping the OpenVPN Server and clicking Remove x509. This deleted all of the OpenVPN items listed in the Connection Status and -Control section and the Certificate Authorities and -Keys section.

I clicked the Generate root/host certificates and set the Diffie-Hellman parameters to a bit length of 2048 bit. And I added a new RoadWarrior client package. But the "Cryptographic warning: Your host certificate is not RFC3280 compliant." message is still present.

What am I doing wrong?

Re: Cryptographic warning & error in Core 123

Posted: September 8th, 2018, 6:46 pm
by ummeegge
Hi,
if you take a look into here --> https://forum.ipfire.org/viewtopic.php? ... 50#p118637 you can find a possible solution for this.

UE

Re: Cryptographic warning & error in Core 123

Posted: September 8th, 2018, 8:30 pm
by JonM
Thank you! That did help!
The extendedKeyUsage = clientAuth was missing from the /var/ipfire/ovpn/openssl/ovpn.cnf file. After that I did need to Remove x509 and then Generate root/host certificates. Now I see Error messages: A valid root certificate already exists. Did I not follow the instructions properly?


Re: Cryptographic warning & error in Core 123

Posted: September 8th, 2018, 9:02 pm
by JonM
I did a webpage refresh and the Error messages: A valid root certificate already exists went away! :)

Re: Cryptographic warning & error in Core 123

Posted: September 9th, 2018, 1:23 pm
by domsheldon1
Update 123 !!

Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!

Re: Cryptographic warning & error in Core 123

Posted: September 9th, 2018, 1:41 pm
by domsheldon1
A quick fix, I have 20 professional users logged in everyday!

please!

Re: Cryptographic warning & error in Core 123

Posted: September 9th, 2018, 2:16 pm
by ummeegge
Hi,
domsheldon1 wrote:
September 9th, 2018, 1:23 pm
All OpenVPN clients needs then to be renewed!
since the peer certificate needs to be signed with an explicit key usage and extended key usage based on the RFC3280 TLS rules, you will need to.
In here --> https://forum.ipfire.org/viewtopic.php?f=50&t=18852 you can find a little deeper discussion of the "--ns-cert-type is deprecated" problem, and in here --> https://community.openvpn.net/openvpn/w ... -cert-type the OpenVPN announcement of when the old option (which you currently use) will be removed (they remove it with OpenVPN 2.5; IPFire currently uses 2.4.6).

So there is time left until then (don't know when this will be released) but better to be warned and be prepared that in the coming time the software won't work with this kind of configuration.
domsheldon1 wrote:
September 9th, 2018, 1:41 pm
A quick fix, I have 20 professional users logged in everyday!

please!
I do not understand what that means? If you mean a fix for this warning, it is already fixed, but as described in the message, you will need to renew the certificates.

UE

Re: Cryptographic warning & error in Core 123

Posted: September 11th, 2018, 3:20 pm
by edumax64
Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!


I'm updated to the latest version, what should I do? Thank you

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 7:30 am
by Arne.F
@ummeegge
I do not understand what that means ? If you mean a fix for this warning, it is already fixed but as described in the message, you will need to renew the certificates.
This is not correct because your patch doesn't update the conf in the update.sh, so all systems that were updated from an older version print this message and recreating the certs will not help. Please add a patch to the update.sh for core124 that fixes this; the backup restore script needs the same changes...

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 7:55 am
by ummeegge
@Arne.F
Arne.F wrote:
September 12th, 2018, 7:30 am
This is not correct because your patch doesn't update the conf in the update.sh so all systems that was updated from an older version print this message and recreating the certs will not help.
this has already been implemented a long time ago --> https://patchwork.ipfire.org/patch/1441/ . The CGI checks in the host certificate whether the "TLS Web Server Authentication" string is present. If it is, "--remote-cert-tls server" will be used in client.ovpn. If not, the old "--ns-cert-type server" is used.

UE
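The check ummeegge describes above (does the host certificate carry the serverAuth extended key usage, printed by OpenSSL as "TLS Web Server Authentication", and therefore which client directive to emit), as an added shell example that is not IPFire's CGI code. It assumes the openssl CLI (1.1.1 or later, for -addext) and builds its own throwaway self-signed certificates; the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not IPFire code: mirror the host-certificate EKU check the
# OpenVPN CGI performs before writing the client.ovpn directive.
set -e

# Print the line following "X509v3 Extended Key Usage" (empty if the cert has no EKU).
cert_eku() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Exit 0 when the certificate carries serverAuth, shown as "TLS Web Server Authentication".
cert_is_rfc3280_server() {
    cert_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# Emit the client directive: the RFC3280-style check when the EKU is present,
# the deprecated --ns-cert-type fallback when it is not.
client_cert_directive() {
    if cert_is_rfc3280_server "$1"; then
        echo "remote-cert-tls server"
    else
        echo "ns-cert-type server"
    fi
}

# Build two constructed demo certs in a temp dir: one with the EKU (what a fixed
# ovpn.cnf produces) and one without (what the pre-fix configuration produced).
# Prints the directory path so callers can find the files.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-host' \
        -keyout "$dir/k1.pem" -out "$dir/with_eku.pem" \
        -addext 'extendedKeyUsage=serverAuth' >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-host' \
        -keyout "$dir/k2.pem" -out "$dir/without_eku.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone usage: show which directive each demo certificate gets.
demo() {
    d=$(make_demo_certs)
    printf 'with_eku.pem    -> %s\n' "$(client_cert_directive "$d/with_eku.pem")"
    printf 'without_eku.pem -> %s\n' "$(client_cert_directive "$d/without_eku.pem")"
    rm -rf "$d"
}
```

Run `cert_eku /var/ipfire/ovpn/certs/servercert.pem`-style checks against your own host certificate path to see whether a fresh "Generate root/host certificates" actually produced the EKU the warning asks for.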

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 9:01 am
by edumax64
Thanks for the reply. Could it be a solution to format and reinstall IPFIRE again?

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 9:20 am
by ummeegge
Hi,
edumax64 wrote:
September 12th, 2018, 9:01 am
Thanks for the reply. Could it be a solution to format and reinstall IPFIRE again?
the only thing to prevent this "Warning" (it is no Error, and OpenVPN does work also with this message) is to "Remove the X509" --> https://wiki.ipfire.org/configuration/s ... upload_gen <-- take a look at the last paragraph, and to generate new Root and Host certificates --> https://wiki.ipfire.org/configuration/s ... onfig/cert . After that you can set up your clients again and the warning should disappear.

You can find all the information above, please read it and check also the provided links.

Best,

UE

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 3:55 pm
by fkienker
ummeegge, will the updated ovpn.cnf file be included in the Core 124 update?

TIA,
Fred

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 5:07 pm
by ummeegge

Re: Cryptographic warning & error in Core 123

Posted: September 12th, 2018, 6:33 pm
by fkienker
ummeegge - Odd! All of our updated systems still had the old file. Not sure if we did something wrong or if this is a known issue. I will go back and check our Core 123 test system to see what is installed there.

Best regards,
Fred