openssl-vulnkey crashed with IOError in get_bits()

Reported by Roi a Torkilsheyggi on 2008-05-14
Affects                      Importance   Assigned to
openssl-blacklist (Ubuntu)   Undecided    Jamie Strandboge
Feisty                       Undecided    Jamie Strandboge
Gutsy                        Undecided    Jamie Strandboge
Hardy                        Undecided    Jamie Strandboge

Bug Description

Binary package hint: openssl-blacklist

I'm using the OpenVPN module for NetworkManager with CA, Cert and key (converted from PKCS12).

network-manager 0.6.6-0ubuntu5
openvpn 2.1~rc7-1ubuntu3.1
network-manager-openvpn 0.3.2svn2342-1ubuntu4

Things work when removing openvpn-blacklist (which again downgrades openvpn to 2.1~rc7-1ubuntu3).

ProblemType: Crash
Architecture: i386
Date: Wed May 14 09:48:38 2008
DistroRelease: Ubuntu 8.04
ExecutablePath: /usr/sbin/openssl-vulnkey
InterpreterPath: /usr/bin/python2.5
NonfreeKernelModules: fglrx
Package: openssl-blacklist 0.1-0ubuntu0.8.04.1
PackageArchitecture: all
ProcCmdline: /usr/bin/python /usr/sbin/openssl-vulnkey -q /home/rto/.neoconsult/openvpn/rto1key.pem
ProcEnviron: PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
PythonArgs: ['/usr/sbin/openssl-vulnkey', '-q', '/home/rto/.neoconsult/openvpn/rto1key.pem']
SourcePackage: openssl-blacklist
Title: openssl-vulnkey crashed with IOError in get_bits()
Uname: Linux 2.6.24-16-generic i686
UserGroups:

Mathias Gug (mathiaz) wrote :

Hi,

What are the permissions of /home/rto/.neoconsult/openvpn/rto1key.pem ?

Do you see any error when you run the following command from a terminal ?
  openssl rsa -text -in /home/rto/.neoconsult/openvpn/rto1key.pem

Do *not* post the output of this command to the bug please.

Changed in openssl-blacklist:
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Marking In progress as the fix is known and upload pending.

Changed in openssl-blacklist:
status: Incomplete → In Progress
assignee: nobody → mathiaz
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Changed in openssl-blacklist:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
assignee: mathiaz → jdstrand
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.1-0ubuntu0.8.04.2

---------------
openssl-blacklist (0.1-0ubuntu0.8.04.2) hardy-security; urgency=low

  * openssl-vulnkey:
    - Don't exit if the key cannot be parsed.
    - Don't fail if stderr is not available. (LP: #230193)

 -- Mathias Gug <email address hidden> Wed, 14 May 2008 14:24:07 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.1-0ubuntu0.7.10.2

---------------
openssl-blacklist (0.1-0ubuntu0.7.10.2) gutsy-security; urgency=low

  * openssl-vulnkey:
    - Don't exit if the key cannot be parsed.
    - Don't fail if stderr is not available. (LP: #230193)

 -- Mathias Gug <email address hidden> Wed, 14 May 2008 14:43:47 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.1-0ubuntu0.7.04.2

---------------
openssl-blacklist (0.1-0ubuntu0.7.04.2) feisty-security; urgency=low

  * openssl-vulnkey:
    - Don't exit if the key cannot be parsed.
    - Don't fail if stderr is not available. (LP: #230193)

 -- Mathias Gug <email address hidden> Wed, 14 May 2008 14:57:32 +0200
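
The two changelog items above describe a fail-safe pattern for a key checker that a daemon launches: report an unparseable key as "not checked" instead of crashing, and tolerate a missing stderr. The following is an added sketch of that pattern, not the openssl-vulnkey source; the function names, the status strings, the digest-of-modulus lookup key, the blacklist set and the sample PEM text are all assumptions constructed for illustration.

```python
import hashlib
import subprocess
import sys
import tempfile

# Constructed sample: a passphrase-protected PEM header with a dummy body.
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n")


def warn(msg, stream=None):
    """Emit a diagnostic; return False instead of raising if the stream is unusable."""
    stream = sys.stderr if stream is None else stream
    try:
        stream.write(msg + "\n")
        stream.flush()
        return True
    except (AttributeError, OSError, ValueError):
        return False  # stderr is None, closed, or a dead descriptor (daemon context)


def modulus_digest(path, openssl="openssl"):
    """SHA-1 of the key's modulus line (hypothetical lookup key), or None if unparseable."""
    cmd = [openssl, "rsa", "-noout", "-modulus", "-in", path, "-passin", "pass:"]
    try:
        # Empty -passin, no stdin and no controlling tty: openssl cannot prompt.
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, timeout=10,
                              start_new_session=True)
    except (OSError, subprocess.TimeoutExpired):
        return None  # openssl missing or hung
    if proc.returncode != 0 or not proc.stdout.startswith(b"Modulus="):
        return None  # encrypted, truncated or non-RSA key
    return hashlib.sha1(proc.stdout).hexdigest()


def check_key(path, blacklist, stream=None):
    """Return 'vulnerable', 'ok' or 'unknown'; never raises on a bad key or stream."""
    digest = modulus_digest(path)
    if digest is None:
        warn("%s: key could not be parsed, not checked" % path, stream)
        return "unknown"
    return "vulnerable" if digest in blacklist else "ok"


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as fh:
        fh.write(SAMPLE_ENCRYPTED_PEM)
        fh.flush()
        print(check_key(fh.name, blacklist=set()))
```

A caller that must not accept unchecked keys should treat "unknown" as a rejection rather than as "ok".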

Changed in openssl-blacklist:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in openssl-blacklist:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

The hardy package was copied to Intrepid.

Changed in openssl-blacklist:
status: Fix Committed → Fix Released
Roi a Torkilsheyggi (roi) wrote :

Hi,

Sorry for the late response - keeping busy :)

Permissions: Owner has read/write permissions, others have read (probably not smart).

I do *not* get any errors when running the "openssl rsa -text -in <filename>" command.

When running NetworkManager with --no-daemon I get the following when enabling the OpenVPN connection. The OpenVPN log does not show any activity.
-------------------
Enter pass phrase for /home/rto/xxxx/xxxxx/rto1key.pem:

** (process:8698): WARNING **: <WARNING> openvpn_watch_cb (): openvpn exited with error code 1

** (process:8698): WARNING **: <WARNING> nm_openvpn_socket_data_cb (): Password verification failed

NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'.
NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 3 -> 6.
NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'LoginFailed', with message 'The VPN login failed because the user name and password were not accepted or the certificate password was wrong.'.
NetworkManager: <WARN> nm_vpn_service_stop_connection(): (VPN Service org.freedesktop.NetworkManager.openvpn): could not stop connection 'NeoConsult' because service was 6.
-------------------

The setup procedure was as follows. The admins hand out PKCS#12 certs which I have to "convert" to use with the NM-OVPN module.
-------------------
First you need to extract the CA, certificate and key from your .p12 file (replace user1 with your initials and number).

    openssl pkcs12 -nocerts -in user1.p12 -out user1key.pem
    Supply Import Password.
    Type new PEM pass phrase.
    openssl pkcs12 -nokeys -clcerts -in user1.p12 -out user1cert.pem
    Supply Import Password.
    openssl pkcs12 -nokeys -cacerts -in user1.p12 -out user1ca.pem

Copy the files to a suitable place on your hard drive.

Install network-manager-openvpn. This is the OpenVPN plugin for NetworkManager.

    sudo apt-get install network-manager-openvpn

Now left-click on the NetworkManager icon, select VPN Connections -> Configure VPN and click the Add button. Type in a connection name and paste in the following appropriately:

    Gateway Address: xxx.xxx.xxx.xxx
    Gateway Port: 1194 (this is the default)
    Connection Type: X.509 Certificates (also default)
    CA file: (point to your user1ca.pem file)
    Certificate: (point to your user1cert.pem file)
    Key: (point to your user1key.pem file)

Now click the Optional tab and check the following boxes:

    Use LZO compression
    Use cipher: (select cipher)
    Use TLS auth: (point to your ta.key file)
    Direction: (select 1)
-------------------

This setup worked up until the openvpn/openssl updates two weeks ago.

Again, sorry for the late response - and thanks for the good work.

Rói

This report contains Public Security information
Everyone can see this security related information.