# OpenVPN and MD5.

## mgnut57

Is there any way to override the ban on MD5 certificates in OpenVPN? 

Redhat/CentOS provide a couple of mechanisms for this. They don't seem to work under Gentoo. 

I know that the real solution is to re-build the certificates, but while doing that, I would like to be able to update OpenVPN to the latest version.

----------

## eccerr0r

Usually, it's time to just do it and get rid of the md5...

Assuming you mean your openvpn server here too, if you're talking about client, it's a bit different.  Anyway, I see that the CentOS/RHEL way is a hack to systemd files, so did you port them to openrc?  Supposedly these are just environment variables that need to be set.  I'm not sure if /etc/conf.d/* get exported, so probably safest to hack the init script: 

(I haven't tested, this is only a test)

Edit your /etc/init.d/openvpn, search for:

```
        start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \

                -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \

                --setenv SVCNAME "${SVCNAME}" ${args}

```

Add this before start-stop-daemon:

```
export OPENSSL_ENABLE_MD5_VERIFY=1

export NSS_HASH_ALG_SUPPORT=+MD5
```

Theoretically you should be able to edit conf.d but not entirely sure if those get exported or not....

Again, I don't know if this actually works since I use regular certificates for my openvpn, perhaps this feature was dropped in our version of openssl...do the versions match?

----------

## mgnut57

 *eccerr0r wrote:*   

> 
> 
> ```
> export OPENSSL_ENABLE_MD5_VERIFY=1
> 
> ...

 

I did try setting those. They don't seem to work: I think that they must be a RHEL/CentOS hack for backwards compatibility.

----------

## eccerr0r

What version of openssl are you using now with openvpn?

Seems that even a few versions of openssl prior to 1.1 has this disabled.

But yes it looks like RHEL probably took initiative and hacked this in before all the other distros fell into this upgrade trap... Oh well.  Time to swipe their patches and add it in...

This is stolen from Fedora rawhide which I backported to 1.0.2k.

Try adding this to /etc/portage/patches/dev-libs/openssl/md5-hack.patch and remerge openssl-1.0.2k assuming this is what you're using (1.0.2k appears to be the stable version in portage right now):

```
diff -ur openssl-1.0.2k/crypto/asn1/a_verify.c openssl-1.0.2k-patch/crypto/asn1/a_verify.c

--- openssl-1.0.2k/crypto/asn1/a_verify.c   2017-01-26 06:22:03.000000000 -0700

+++ openssl-1.0.2k-patch/crypto/asn1/a_verify.c   2017-05-31 05:27:34.690556605 -0600

@@ -56,6 +56,9 @@

  * [including the GNU Public Licence.]

  */

 

+/* for secure_getenv */

+#define _GNU_SOURCE

+ 

 #include <stdio.h>

 #include <time.h>

 

@@ -174,6 +177,11 @@

         if (ret != 2)

             goto err;

         ret = -1;

+    } else if (mdnid == NID_md5

+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {

+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,

+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);

+        goto err;

     } else {

         const EVP_MD *type;

         type = EVP_get_digestbynid(mdnid);

```

Note I did not test (sorry, I don't use md5 certificates) and you also need the environment variable like for RHEL/CentOS as this patch was from RH after all.

----------

## mgnut57

 *Quote:*   

> What version of openssl are you using now with openvpn? 

 

```
# equery list openssl

 * Searching for openssl ...

[IP-] [  ] dev-libs/openssl-0.9.8z_p8:0.9.8

[IP-] [  ] dev-libs/openssl-1.0.2k:0

```

----------

## eccerr0r

$ ldd /usr/sbin/openvpn

	linux-gate.so.1 (0xb77af000)

	liblzo2.so.2 => /lib/liblzo2.so.2 (0xb7769000)

	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb76fd000)

	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb7526000)

	libdl.so.2 => /lib/libdl.so.2 (0xb7521000)

	libc.so.6 => /lib/libc.so.6 (0xb737a000)

	libz.so.1 => /lib/libz.so.1 (0xb7360000)

	/lib/ld-linux.so.2 (0xb77b0000)

If it looks like this, try the patch.

----------

## mgnut57

```
# ldd /usr/sbin/openvpn 

   linux-vdso.so.1 (0x00007ffd3cd8d000)

   liblzo2.so.2 => /lib64/liblzo2.so.2 (0x00007f0bab502000)

   libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0bab0ce000)

   libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0baae61000)

   libdl.so.2 => /lib64/libdl.so.2 (0x00007f0baac5e000)

   libc.so.6 => /lib64/libc.so.6 (0x00007f0baa8d0000)

   libz.so.1 => /lib64/libz.so.1 (0x00007f0baa6b9000)

   /lib64/ld-linux-x86-64.so.2 (0x00007f0bab724000)
```

 *eccerr0r wrote:*   

> 
> 
> ```
> diff -ur openssl-1.0.2k/crypto/asn1/a_verify.c openssl-1.0.2k-patch/crypto/asn1/a_verify.c
> 
> ...

 

I tried this. It did not work. 

```
export OPENSSL_ENABLE_MD5_VERIFY=1

export NSS_HASH_ALG_SUPPORT=+MD5

/usr/sbin/openvpn --config /etc/openvpn/ukvps.conf 

Wed May 31 20:52:23 2017 OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 28 2017

Wed May 31 20:52:23 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09

Wed May 31 20:52:23 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Wed May 31 20:52:23 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194

Wed May 31 20:52:23 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]

Wed May 31 20:52:23 2017 UDP link local: (not bound)

Wed May 31 20:52:23 2017 UDP link remote: [AF_INET]X.X.X.X:1194

Wed May 31 20:52:23 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

Wed May 31 20:52:29 2017 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=1e4f6ec1 3bbb9dc3

Wed May 31 20:52:29 2017 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=CA, L=SanFrancisco, O= , OU=matthews-family, CN=matthews-family.org.uk, emailAddress=simon

Wed May 31 20:52:29 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Wed May 31 20:52:29 2017 TLS_ERROR: BIO read tls_read_plaintext error

Wed May 31 20:52:29 2017 TLS Error: TLS object -> incoming plaintext read error

Wed May 31 20:52:29 2017 TLS Error: TLS handshake failed

Wed May 31 20:52:29 2017 SIGUSR1[soft,tls-error] received, process restarting

Wed May 31 20:52:29 2017 Restart pause, 5 second(s)

Wed May 31 20:52:34 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Wed May 31 20:52:34 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194

Wed May 31 20:52:34 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]

Wed May 31 20:52:34 2017 UDP link local: (not bound)

Wed May 31 20:52:34 2017 UDP link remote: [AF_INET]X.X.X.X:1194

^CWed May 31 20:52:34 2017 event_wait : Interrupted system call (code=4)

Wed May 31 20:52:34 2017 SIGINT[hard,] received, process exiting

```

Note: real IP address of remote server replaced by X.X.X.X

The error message associated with the MD5 issue is: "TLS Error: TLS object -> incoming plaintext read error" although I am wondering if the crl issue may also be causing problems.

----------

## eccerr0r

Weird, is the error same as before? 

This supposedly is an MD5 signature error example taken from another site...

```
Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014

Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com

Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com

Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error

Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
```

BTW, did the emerge log say the patch got taken cleanly?

In any case, the verify error now says it indeed your certificate revocation list expired, but you weren't using certificates?

Confusing indeed...

----------

## mgnut57

I think that the patch got taken cleanly: I didn't see anything on the screen as it did the patch. 

```
# strings /usr/lib64/libcrypto.so.1.0.0 | grep OPENSSL_ENABLE_MD5_VERIFY

OPENSSL_ENABLE_MD5_VERIFY
```

----------

