fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Tue Apr 15, 2014 3:25 pm
by spidercat
Hi,
After installation of the patch for heartbleed bug openssl, I'm not able to generate OpenVPN Certification files.
This is the error:
KEY_CONFIG (set by the ./vars script) is pointing to the wrong version of openssl.cnf
Maybe something else must be done but I need help pls.
Regards
spider
Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Tue Apr 15, 2014 9:17 pm
by fvdw
I think I need to see if I can find the right file to be used. But as openvpn is compiled against openssl 0.9.8 I think we might have a problem here.
To get openvpn working properly I will need to compile it against the new openssl version.
Was it working ok with fvdw-sl 15-2 (15-1)? This because in those versions we already upgraded openssl to version 1.0.1.
What you could try for the moment is doing the following:
in the /etc/openvpn/easy-rsa folder there are several files, one of them has the name openssl.cnf
rename this one to openssl-old.conf
rename the file openssl-1.0.0.cnf to openssl.cnf
Seems the latest version of easy-rsa still contains no new openssl.conf files for newer versions.
Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Tue Apr 15, 2014 10:22 pm
by fvdw
Attached a patch that will upgrade openvpn to version 2.3.3, compiled against openssl-1.0.1g.
This uses openssl and crypto libs version 1.0.0, so I guess using the openssl-1.0.0.cnf file for openssl.cnf will be correct.
Let us know if it works, then we integrate it in the next firmware upgrade.
To install the patch use the upload patch feature in the webinterface.
To be able to use it, place the zip archive in the "fvdw" share (read the help text for the upload patch menu).
Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Wed Apr 16, 2014 7:36 am
by spidercat
Thanks a lot for your help,
I've uploaded the patch via web browser but nothing changes.
It seems that the /etc/openvpn/easy-rsa files are still "the same".
Even trying to rename openssl-1.0.0.cnf to openssl.cnf gives me the same error:
# ./pkitool --initca
Using CA Common Name: COMMONNAME
grep: /etc/openvpn/easy-rsa/whichopensslcnf /etc/openvpn/easy-rsa: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/whichopensslcnf /etc/openvpn/easy-rsa
The correct version should have a comment that says: easy-rsa version 2.x
Any other suggestions please?
Thanks a lot regards
d
Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Wed Apr 16, 2014 2:26 pm
by spidercat
Solved
Edited this line in file vars:
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'
replaced it with:
export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl.cnf
Thanks a lot
Bye
spider
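
Added example, not part of the thread or of easy-rsa: a small pre-flight check for the KEY_CONFIG value, modelled on the pkitool error output quoted above (a grep for the "easy-rsa version 2.x" marker comment). The helper name `check_key_config`, the exact grep pattern and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_key_config is a hypothetical helper; it is not shipped with easy-rsa.
# It classifies a KEY_CONFIG value before any CA or key material is generated.
check_key_config() {
    cfg=$1                      # value of KEY_CONFIG as exported by ./vars
    if [ -z "$cfg" ]; then
        echo "KEY_CONFIG is empty"; return 3
    fi
    if [ ! -f "$cfg" ]; then
        # Seen when a command line was stored as text instead of its output
        echo "not a file: $cfg"; return 1
    fi
    # Assumed pattern for the "easy-rsa version 2.x" comment named in the error
    if ! grep -qi 'easy-rsa version 2\.[0-9]' "$cfg"; then
        echo "marker comment missing: $cfg"; return 2
    fi
    echo "ok: $cfg"; return 0
}

# Constructed sample directory standing in for /etc/openvpn/easy-rsa
demo_dir=$(mktemp -d)
printf '# For use with easy-rsa version 2.0\n[ ca ]\n' > "$demo_dir/openssl.cnf"
printf '[ ca ]\ndefault_ca = CA_default\n' > "$demo_dir/openssl-nomarker.cnf"

run_demo() {
    EASY_RSA=$demo_dir
    # 1) helper command stored as a plain string (never executed)
    # 2) explicit path to the config file, as in the fix above
    # 3) a file that exists but lacks the marker comment
    for value in "$EASY_RSA/whichopensslcnf $EASY_RSA" \
                 "$EASY_RSA/openssl.cnf" \
                 "$EASY_RSA/openssl-nomarker.cnf"; do
        rc=0
        check_key_config "$value" || rc=$?
        echo "rc=$rc"
    done
}
run_demo
```

Running a check like this after editing vars confirms that KEY_CONFIG names a real file carrying the expected marker before new keys are issued.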
Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Wed Apr 16, 2014 7:25 pm
by fvdw
Great to hear that you got it sorted, does the recompiled openvpn work ok?
Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Posted:
Thu Apr 17, 2014 7:56 am
by spidercat
Thanks ;-)
For now I have only generated new keys, but I need to try if it works.
Let me say that I'm quite sure that everything is ok now....
Thanks a lot again for your great work
Bye
s