fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby spidercat » Tue Apr 15, 2014 3:25 pm

Hi,

After installation of the patch for the heartbleed bug in openssl, I'm not able to generate OpenVPN certification files.
This is the error:
KEY_CONFIG (set by the ./vars script) is pointing to the wrong version of openssl.cnf

Maybe something else must be done, but I need help pls.

Regards
spider
spidercat
 
Posts: 15
Joined: Tue Jun 19, 2012 3:05 pm

Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby fvdw » Tue Apr 15, 2014 9:17 pm

I think I need to see if I can find the right file to be used. But as openvpn is compiled against openssl 0.9.8, I think we might have a problem here.
To get openvpn working properly I will need to compile it against the new openssl version.

Was it working OK with fvdw-sl 15-2 (15-1)? This is because in those versions we already upgraded openssl to version 1.0.1.

What you could try for the moment is the following:
in the /etc/openvpn/easy-rsa folder there are several files; one of them has the name openssl.cnf
rename this one to openssl-old.conf
rename the file openssl-1.0.0.cnf to openssl.cnf

It seems the latest version of easy-rsa still contains no new openssl.conf files for newer versions
fvdw
Site Admin - expert
 
Posts: 13471
Joined: Tue Apr 12, 2011 2:30 pm
Location: Netherlands

Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby fvdw » Tue Apr 15, 2014 10:22 pm

Attached is a patch that will upgrade openvpn to version 2.3.3, compiled against openssl-1.0.1g.
This uses openssl and crypto libs version 1.0.0, so I guess using the openssl-1.0.0.cnf file for openssl.cnf will be correct.

Let us know if it works, then we will integrate it in the next firmware upgrade.

To install the patch, use the upload patch feature in the web interface.
To be able to use it, place the zip archive in the "fvdw" share (read the help text for the upload patch menu).
fvdw
Site Admin - expert
 
Posts: 13471
Joined: Tue Apr 12, 2011 2:30 pm
Location: Netherlands

Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby spidercat » Wed Apr 16, 2014 7:36 am

Thanks a lot for your help,

I've uploaded the patch via web browser but nothing changes.
It seems that the /etc/openvpn/easy-rsa files are still "the same".
Even trying to rename openssl-1.0.0.cnf to openssl.cnf gives me the same error:

# ./pkitool --initca
Using CA Common Name: COMMONNAME
grep: /etc/openvpn/easy-rsa/whichopensslcnf /etc/openvpn/easy-rsa: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/whichopensslcnf /etc/openvpn/easy-rsa
The correct version should have a comment that says: easy-rsa version 2.x

Any other suggestions, please?
Thanks a lot, regards
d
spidercat
 
Posts: 15
Joined: Tue Jun 19, 2012 3:05 pm

Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby spidercat » Wed Apr 16, 2014 2:26 pm

Solved

Edited this line in file vars:
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

replaced it with:
export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl.cnf

Thanks a lot
Bye
spider
spidercat
 
Posts: 15
Joined: Tue Jun 19, 2012 3:05 pm
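
The failure and the fix from the post above, reproduced in a throwaway directory. This is an added example, not code from the thread or from easy-rsa: the sandbox files, the stub standing in for whichopensslcnf, and the function names are constructed, and check_key_config is modelled on the pkitool error text quoted earlier.

```shell
#!/bin/sh
# Constructed sandbox only; nothing here touches /etc/openvpn.

# KEY_CONFIG must name one readable file carrying the
# "easy-rsa version 2.x" marker comment the pkitool error asks for.
check_key_config() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    grep -q 'easy-rsa version 2\.[0-9]' "$1"
}

# Build a temporary easy-rsa directory with sample files.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    printf '# For use with easy-rsa version 2.0\n' > "$dir/openssl.cnf"
    # Stand-in for whichopensslcnf: prints the config path for a directory.
    printf 'echo "$1/openssl.cnf"\n' > "$dir/whichopensslcnf"
    echo "$dir"
}

# Assign KEY_CONFIG in one of three styles and report "ok" or "broken".
try_style() {
    EASY_RSA=$1
    case $2 in
        # Quoted: the helper is never run, KEY_CONFIG is "script dir" text,
        # which is the two-word "path" shown in the grep error.
        quoted)      KEY_CONFIG="$EASY_RSA/whichopensslcnf $EASY_RSA" ;;
        # Command substitution: the helper runs and prints a real path
        # (run through sh so the sandbox needs no exec permission).
        substituted) KEY_CONFIG=$(sh "$EASY_RSA/whichopensslcnf" "$EASY_RSA") ;;
        # Hard-coded path, the workaround used in the thread.
        fixed)       KEY_CONFIG="$EASY_RSA/openssl.cnf" ;;
        *) return 2 ;;
    esac
    if check_key_config "$KEY_CONFIG"; then echo ok; else echo broken; fi
}

demo() {
    sandbox=$(make_sandbox) || return 1
    for style in quoted substituted fixed; do
        printf '%-12s %s\n' "$style" "$(try_style "$sandbox" "$style")"
    done
    rm -rf "$sandbox"
}
demo
```

A hard-coded KEY_CONFIG no longer follows the installed OpenSSL version, so the check is worth re-running after each firmware or OpenSSL upgrade.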

Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby fvdw » Wed Apr 16, 2014 7:25 pm

Great to hear that you got it sorted. Does the recompiled openvpn work OK?
fvdw
Site Admin - expert
 
Posts: 13471
Joined: Tue Apr 12, 2011 2:30 pm
Location: Netherlands

Re: fvdw-sl 15-1 and 15-2 : heartbleed bug openssl ISSUE

Postby spidercat » Thu Apr 17, 2014 7:56 am

Thanks ;-)

For now I have only generated new keys, but I need to try if it works.
Let me say that I'm quite sure that everything is OK now....
Thanks a lot again for your great work

Bye
s
spidercat
 
Posts: 15
Joined: Tue Jun 19, 2012 3:05 pm
