| Message ID | 20211019183127.614175-17-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Series | OpenSSL 3.0 improvements for OpenVPN |
Acked-by: Gert Doering <gert@greenie.muc.de>

"That was an easy one" :-) - error reporting is always useful, and the code
change is trivial enough. Tested with "wrong password" only, which now prints:

2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
2021-10-21 08:24:01 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2021-10-21 08:24:01 SIGUSR1[soft,private-key-password-failure] received, process restarting

Your patch has been applied to the master branch.

commit 6ac4e63c577986ec11eae3519fe8516e8ca8ac0f
Author: Arne Schwabe
Date: Tue Oct 19 20:31:22 2021 +0200

Add message when decoding PKCS12 file fails.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211019183127.614175-17-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23017.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
Hi,
decided in the community meeting today that this should also be
cherry-picked to 2.5 - I have not actually tested with a pkcs12 file,
just run the basic compile/client test cycle (and the patch is
trivial enough).
commit 1f54811e92c89fe07d7cea8339e928980bfe0536 (HEAD -> release/2.5)
Author: Arne Schwabe <arne@rfc2549.org>
Date: Tue Oct 19 20:31:22 2021 +0200
Add message when decoding PKCS12 file fails.
gert
On Thu, Oct 21, 2021 at 08:24:46AM +0200, Gert Doering wrote:
> Acked-by: Gert Doering <gert@greenie.muc.de>
>
> "That was an easy one" :-) - error reporting is always useful, and
> the code change is trivial enough. Tested with "wrong password" only,
> which now prints:
>
> 2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
> 2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
> 2021-10-21 08:24:01 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
> 2021-10-21 08:24:01 SIGUSR1[soft,private-key-password-failure] received, process restarting
>
> Your patch has been applied to the master branch.
>
> commit 6ac4e63c577986ec11eae3519fe8516e8ca8ac0f
> Author: Arne Schwabe
> Date: Tue Oct 19 20:31:22 2021 +0200
>
> Add message when decoding PKCS12 file fails.
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> Acked-by: Gert Doering <gert@greenie.muc.de>
> Message-Id: <20211019183127.614175-17-arne@rfc2549.org>
> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23017.html
> Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>
> --
> kind regards,
>
> Gert Doering
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8ec96e66c..d93292700 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -831,6 +831,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, ca = NULL; if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { + crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password " + "or unsupported/legacy encryption"); #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) {
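Review bot: the new crypto_msg() call sits before the ERR_peek_error() test in the #ifdef ENABLE_MANAGEMENT block, but crypto_msg() also prints the OpenSSL error queue, and OpenVPN's crypto_print_openssl_errors() drains that queue with ERR_get_error(), so by the time `if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))` runs the queue is empty and the management interface is no longer told about the private-key password failure. Read the reason first, e.g. `int reason = ERR_GET_REASON(ERR_peek_error());` as the first statement in the failure branch and compare `reason` in the management check, or move the crypto_msg() call below the #endif. Gert's test log, where the two "OpenSSL: error:23076071:..." lines appear before "Decoding PKCS12 failed.", is consistent with the queue being consumed by the new call.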
Currently we never display the OpenSSL error stack when decoding a PKCS12 file
fails. With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong
password but can actually be an unsupported encoding; seeing the error stack is
really helpful to pinpoint the issue (example from OpenSSL 3.0):

error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 2 ++
 1 file changed, 2 insertions(+)
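The distinction the commit message draws, wrong password versus an algorithm the default provider cannot fetch, can be read off the OpenSSL error lines that the patched code now prints, in the same way the management check in the hunk compares ERR_GET_REASON() with PKCS12_R_MAC_VERIFY_FAILURE. The following is an added example and not OpenVPN code: a Python triage over log lines constructed from the two error strings quoted in this thread (the 1.1-style "mac verify failure" line from Gert's test and the 3.0-style RC2-40-CBC fetch failure from the commit message). It decodes the packed error code under both the OpenSSL 1.1.x and 3.x layouts, which differ, uses the library name printed next to the code to pick the right layout, and then classifies the failure. ERR_LIB_EVP, ERR_LIB_PKCS12, PKCS12_R_MAC_VERIFY_FAILURE and ERR_R_UNSUPPORTED carry OpenSSL's own values; the sample lines, the classification labels and all function names are this example's assumptions.

```python
"""Triage the OpenSSL error lines logged when PKCS12_parse() fails.

Added example, not OpenVPN code. The sample log lines are constructed from
the two error strings quoted in this thread: an OpenSSL 1.1 build reporting
a MAC failure (wrong password) and an OpenSSL 3.0 build refusing RC2-40-CBC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Library and reason codes from OpenSSL's err.h / pkcs12err.h.
ERR_LIB_EVP = 6
ERR_LIB_PKCS12 = 35
LIB_NAMES = {                      # as printed by ERR_lib_error_string()
    ERR_LIB_EVP: "digital envelope routines",
    ERR_LIB_PKCS12: "PKCS12 routines",
}
PKCS12_R_MAC_VERIFY_FAILURE = 113  # what the management check in the hunk tests for
ERR_R_UNSUPPORTED = 268            # OpenSSL 3.x value without the ERR_RFLAG_* bits

# Constructed samples; the timestamp and "OpenSSL: " prefix follow OpenVPN's log format.
SAMPLE_WRONG_PASSWORD = [
    "2021-10-21 08:24:01 OpenSSL: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure",
    "2021-10-21 08:24:01 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption",
]
SAMPLE_LEGACY_CIPHER = [
    "2021-10-21 08:30:00 OpenSSL: error:0308010C:digital envelope routines:"
    "inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:"
    "Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()",
]

# error:<code>:<lib>:<func>:<reason>[:<file>:<line>:<data>]   (data may itself contain ':')
_ERR_LINE = re.compile(
    r"(?:OpenSSL: )?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*)(?::(?P<file>[^:]*):(?P<line>\d*):(?P<data>.*))?$"
)


@dataclass
class OpenSSLError:
    code: int
    lib: str
    func: str
    reason: str
    data: str
    layout: Optional[str]       # "1.1" or "3.0" once the packing is identified
    lib_num: Optional[int]
    reason_num: Optional[int]


def unpack(code: int, layout: str) -> tuple[int, int]:
    """Return (lib, reason) for a packed error code under the given ERR_PACK layout."""
    if layout == "1.1":         # lib:8 | func:12 | reason:12
        return (code >> 24) & 0xFF, code & 0xFFF
    # 3.0: lib:8 | rflags:5 | reason:18.  The rflags (ERR_RFLAG_COMMON is set in
    # 0x0308010C) are masked off so the value compares against bare ERR_R_* constants.
    return (code >> 23) & 0xFF, code & 0x3FFFF


def parse_line(line: str) -> Optional[OpenSSLError]:
    """Parse one log line; returns None for lines that carry no OpenSSL error."""
    m = _ERR_LINE.search(line.rstrip())
    if not m:
        return None
    code = int(m["code"], 16)
    layout = lib_num = reason_num = None
    # The packing changed between 1.1.x and 3.x, so the hex code alone is ambiguous:
    # accept the layout whose library field agrees with the library name OpenSSL
    # printed right after the code.
    for candidate in ("1.1", "3.0"):
        lib, reason = unpack(code, candidate)
        if LIB_NAMES.get(lib) == m["lib"]:
            layout, lib_num, reason_num = candidate, lib, reason
            break
    return OpenSSLError(code, m["lib"], m["func"], m["reason"], m["data"] or "",
                        layout, lib_num, reason_num)


def classify(lines: list[str]) -> str:
    """'wrong-password', 'unsupported-algorithm:<name>' or 'unknown' for a PKCS12 load failure."""
    for err in filter(None, map(parse_line, lines)):
        if err.lib_num == ERR_LIB_PKCS12 and err.reason_num == PKCS12_R_MAC_VERIFY_FAILURE:
            return "wrong-password"      # MAC over the bags failed: bad password (or damaged file)
        if err.lib_num == ERR_LIB_EVP and err.reason_num == ERR_R_UNSUPPORTED:
            # The failed fetch names the algorithm in its data field.
            alg = re.search(r"Algorithm \(([^ :)]+)", err.data)
            return "unsupported-algorithm:" + (alg.group(1) if alg else "?")
    return "unknown"


if __name__ == "__main__":
    for sample in (SAMPLE_WRONG_PASSWORD, SAMPLE_LEGACY_CIPHER):
        print(classify(sample))
```

A "wrong-password" result is the case where re-prompting (what the management path in the hunk is for) makes sense; "unsupported-algorithm:RC2-40-CBC" means the file was exported with a cipher the running OpenSSL will not decode by default, and no number of password retries will change that.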