Cryptographic warning & error in Core 123

JonM
Posts: 88
Joined: August 4th, 2017, 5:49 pm
Location: US

Cryptographic warning & error in Core 123

Post by JonM » September 8th, 2018, 6:27 pm

I'm not an OpenVPN expert and I am looking for help. I read thru the wiki and thru the forum but this is over my head.

I recently completed an update to IPFire 2.21 (x86_64) Core 123. All seemed to go OK. At the top of the OpenVPN web page (Services > OpenVPN) is a Cryptographic error and warning.


I clicked Generate Diffie-Hellman parameters at the bottom of the same page and updated the bit length from 1024 to 2048. I think that partially corrected the Cryptographic error. But I am guessing there is more that needs to be done. What needs to be re-created?

I have not been able to correct the Cryptographic warning. I tried stopping the OpenVPN Server and clicking Remove x509. This deleted all of the OpenVPN items listed in the Connection Status and -Control section and the Certificate Authorities and -Keys section.

I clicked the Generate root/host certificates and set the Diffie-Hellman parameters to a bit length of 2048 bit. And I added a new RoadWarrior client package. But the "Cryptographic warning: Your host certificate is not RFC3280 compliant." message is still present.

What am I doing wrong?

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: Cryptographic warning & error in Core 123

Post by ummeegge » September 8th, 2018, 6:46 pm

Hi,
if you take a look into here --> https://forum.ipfire.org/viewtopic.php? ... 50#p118637 you can find a possible solution for this.

UE

JonM
Posts: 88
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: Cryptographic warning & error in Core 123

Post by JonM » September 8th, 2018, 8:30 pm

Thank you! That did help!
The extendedKeyUsage = clientAuth was missing from the /var/ipfire/ovpn/openssl/ovpn.cnf file. After that I did need to Remove x509 and then Generate root/host certificates. Now I see Error messages: A valid root certificate already exists. Did I not follow the instructions properly?


JonM
Posts: 88
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: Cryptographic warning & error in Core 123

Post by JonM » September 8th, 2018, 9:02 pm

I did a webpage refresh and the Error messages: A valid root certificate already exists went away! :)

domsheldon1
Posts: 242
Joined: October 11th, 2011, 9:44 am
Location: Mons - Belgium

Re: Cryptographic warning & error in Core 123

Post by domsheldon1 » September 9th, 2018, 1:23 pm

Update 123 !!

Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
Best regards,
Domsheldon1
(From Belgium)

http://fireinfo.ipfire.org/profile/edbd ... ffc0739326

domsheldon1
Posts: 242
Joined: October 11th, 2011, 9:44 am
Location: Mons - Belgium

Re: Cryptographic warning & error in Core 123

Post by domsheldon1 » September 9th, 2018, 1:41 pm

A quick fix, I have 20 professional users logged in everyday!

please!
Best regards,
Domsheldon1
(From Belgium)

http://fireinfo.ipfire.org/profile/edbd ... ffc0739326

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: Cryptographic warning & error in Core 123

Post by ummeegge » September 9th, 2018, 2:16 pm

Hi,
domsheldon1 wrote (September 9th, 2018, 1:23 pm):
"All OpenVPN clients needs then to be renewed!"

Since there is the need that the peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules, you will need to.
In here --> https://forum.ipfire.org/viewtopic.php?f=50&t=18852 you can find a little deeper discussion of the "--ns-cert-type is deprecated" problem and in here --> https://community.openvpn.net/openvpn/w ... -cert-type the OpenVPN announcement when the old option (which you currently use) will be removed (they remove it with OpenVPN-2.5; IPFire currently uses 2.4.6).

So there is time left until then (don't know when this will be released) but better to be warned and be prepared that in the coming time the software won't work with this kind of configuration.

domsheldon1 wrote (September 9th, 2018, 1:41 pm):
"A quick fix, I have 20 professional users logged in everyday!

please!"

I do not understand what that means? If you mean a fix for this warning, it is already fixed but as described in the message, you will need to renew the certificates.

UE

edumax64
Posts: 4
Joined: May 30th, 2010, 9:51 am

Re: Cryptographic warning & error in Core 123

Post by edumax64 » September 11th, 2018, 3:20 pm

Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!


I'm updated to the latest version, what should I do? Thank you

Arne.F
Core Developer
Posts: 8178
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Cryptographic warning & error in Core 123

Post by Arne.F » September 12th, 2018, 7:30 am

@ummeegge
"I do not understand what that means? If you mean a fix for this warning, it is already fixed but as described in the message, you will need to renew the certificates."

This is not correct because your patch doesn't update the conf in the update.sh, so all systems that were updated from an older version print this message and recreating the certs will not help. Please add a patch to the update.sh for core124 that fixes this; the backup restore script also needs the same changes...
Arne

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: Cryptographic warning & error in Core 123

Post by ummeegge » September 12th, 2018, 7:55 am

@Arne.F
Arne.F wrote (September 12th, 2018, 7:30 am):
"This is not correct because your patch doesn't update the conf in the update.sh, so all systems that were updated from an older version print this message and recreating the certs will not help."

This has already been implemented a longer time ago --> https://patchwork.ipfire.org/patch/1441/ . The CGI checks in the host certificate if the "TLS Web Server Authentication" string is present. If it is, "--remote-cert-tls server" will be used in client.ovpn. If not, the old "--ns-cert-type server" is used.

UE
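
The certificate check described in the post above, as an added example that is not part of the thread and is not IPFire's CGI code: it reads `openssl x509 -noout -text` output and prints the matching client.ovpn directive. The function names, the constructed sample excerpts and the third "none" branch (a certificate carrying neither marker, which goes beyond the two cases in the post) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not IPFire's CGI code): choose the client.ovpn server-check
# directive from the extensions of the OpenVPN host certificate.
# Function names and sample data are hypothetical.

# Print the value line that follows an extension header in
# `openssl x509 -noout -text` output read from stdin.
ext_value() {
    awk -v hdr="$1" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, hdr ":") { found = 1 }
    '
}

choose_cert_check() {
    text=$(cat)
    eku=$(printf '%s\n' "$text" | ext_value "X509v3 Extended Key Usage")
    nsct=$(printf '%s\n' "$text" | ext_value "Netscape Cert Type")
    case "$eku" in
        *"TLS Web Server Authentication"*) echo "remote-cert-tls server"; return ;;
    esac
    case "$nsct" in
        *"SSL Server"*) echo "ns-cert-type server" ;;  # deprecated check
        *) echo "none" ;;  # assumption: neither marker, reissue the cert
    esac
}

# Constructed excerpts of certificate text, not taken from a real system.
sample_new() {
    printf '%s\n' "X509v3 extensions:" \
        "    X509v3 Key Usage:" \
        "        Digital Signature, Key Encipherment" \
        "    X509v3 Extended Key Usage:" \
        "        TLS Web Server Authentication"
}
sample_old() {
    printf '%s\n' "X509v3 extensions:" \
        "    Netscape Cert Type:" \
        "        SSL Server"
}

echo "new host cert: $(sample_new | choose_cert_check)"
echo "old host cert: $(sample_old | choose_cert_check)"
# Real use: openssl x509 -in <host-cert.pem> -noout -text | choose_cert_check
```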

edumax64
Posts: 4
Joined: May 30th, 2010, 9:51 am

Re: Cryptographic warning & error in Core 123

Post by edumax64 » September 12th, 2018, 9:01 am

Thanks for the reply. Could it be a solution to format and reinstall IPFIRE again?

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: Cryptographic warning & error in Core 123

Post by ummeegge » September 12th, 2018, 9:20 am

Hi,
edumax64 wrote (September 12th, 2018, 9:01 am):
"Thanks for the reply. Could it be a solution to format and reinstall IPFIRE again?"

The only thing to prevent this "Warning" (it is no error and OpenVPN does also work with this message) is to "Remove the X509" --> https://wiki.ipfire.org/configuration/s ... upload_gen <-- take a look at the last paragraph, and to generate new Root and Host certificates --> https://wiki.ipfire.org/configuration/s ... onfig/cert . After that you can set up your clients again and the warning should disappear.

You can find all the information above, please read it and check also the provided links.

Best,

UE

fkienker
Posts: 104
Joined: March 3rd, 2011, 4:59 pm

Re: Cryptographic warning & error in Core 123

Post by fkienker » September 12th, 2018, 3:55 pm

ummeegge, will the updated ovpn.cnf file be included in the Core 124 update?

TIA,
Fred

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: Cryptographic warning & error in Core 123

Post by ummeegge » September 12th, 2018, 5:07 pm


fkienker
Posts: 104
Joined: March 3rd, 2011, 4:59 pm

Re: Cryptographic warning & error in Core 123

Post by fkienker » September 12th, 2018, 6:33 pm

ummeegge - Odd! All of our updated systems still had the old file. Not sure if we did something wrong or if this is a known issue. I will go back and check our Core 123 test system to see what is installed there.

Best regards,
Fred
