Bug 780251 - network-manager-openvpn doesn't support inline pkcs12 certificates
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: 1.2.x
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks:
Reported: 2017-03-18 21:38 UTC by Paul Smith
Modified: 2017-03-23 13:12 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
import: fix base64 encoded inline <pkcs12> blobs (2.06 KB, patch) - 2017-03-21 13:32 UTC, Thomas Haller
import: fix base64 encoded inline <pkcs12> blobs (2.02 KB, patch) - 2017-03-21 13:50 UTC, Thomas Haller

Description Paul Smith 2017-03-18 21:38:08 UTC
I have an ovpn configuration file that contains a pkcs12 key embedded in it, not as a separate file, and NetworkManager doesn't seem to handle this correctly.

If I import this same ovpn file into Viscosity on my MacOS system it works perfectly.  Also, with NetworkManager if I use the same ovpn configuration except with the key as a separate .p12 file, it also works perfectly.

The key is embedded by first converting it into a base64 file via something like "openssl enc -base64 -in mycert.p12 -out mycert.p12.b64".

Then you embed the resulting base64 file into your ovpn file so it looks something like this:

  client
  dev tun
  proto udp
  remote 1.1.1.1 1111
  remote-cert-tls server
  auth-user-pass
  <pkcs12>
  MII....
  .......
  </pkcs12>

When I import this to NetworkManager as an openvpn config file it seems to work: the import succeeds and I need to add a username, and when I try to connect to the VPN it asks me for a password.  But then the connection attempt immediately fails.  When I look at the error messages via journalctl (I'm on Ubuntu 16.10) I see this:

OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[19522] <warn>  openvpn[19535] exited with error code 1
OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Error reading PKCS#12 file /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem
Exiting due to fatal error

When I look at the content of the /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem file it's the base64 content, not the binary file.  I don't know if this is expected or not, but something is not happy.
Comment 1 Paul Smith 2017-03-18 21:43:25 UTC
It looks like the missing part is indeed the base64 decode.  If I do the decode by hand via:

  base64 -d < /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem > /home/mydir/.cert/nm-openvpn/mycert.dec
  mv /home/mydir/.cert/nm-openvpn/mycert.dec /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem

then I am able to connect just fine.
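As an added illustration (not code from the reporter or from NetworkManager), the Python below shows what the importer has to do with the inline block: pull the <pkcs12> body out of the .ovpn, base64-decode it, and confirm the result is a DER SEQUENCE before writing it to disk, next to what the 1.2.x importer wrote (the block text verbatim), which is why OpenSSL reported "wrong tag". The .ovpn and its blob are constructed samples, and the DER length check is an assumption about what a defensive importer would add, not part of the fix on this bug.

```python
import base64
import re

# Constructed sample .ovpn (not the reporter's file). The inline <pkcs12> body is the
# base64 of a tiny DER SEQUENCE (30 03 02 01 05) standing in for a real PKCS#12 blob.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 1.1.1.1 1111
remote-cert-tls server
auth-user-pass
<pkcs12>
MAMCAQU=
</pkcs12>
"""

INLINE_RE = re.compile(r"^<(\w+)>\n(.*?)^</\1>[ \t]*$", re.S | re.M)

def extract_inline_blocks(ovpn_text):
    """Return {tag: body} for every <tag>...</tag> inline block in the config."""
    return {m.group(1): m.group(2) for m in INLINE_RE.finditer(ovpn_text)}

def looks_like_der(data):
    """True if data is one DER SEQUENCE whose encoded length matches its size.
    A PKCS#12 (PFX) file is a DER SEQUENCE, which is what OpenSSL expects to read."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                               # short-form length
        length, hdr = first, 2
    else:                                          # long-form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)

def old_importer_bytes(ovpn_text):
    """What the 1.2.x importer wrote to mycert-pkcs12.pem: the block text verbatim."""
    return extract_inline_blocks(ovpn_text)["pkcs12"].encode()

def fixed_importer_bytes(ovpn_text):
    """What the fix writes: the base64-decoded blob, checked to be DER before use."""
    body = "".join(extract_inline_blocks(ovpn_text)["pkcs12"].split())  # drop line breaks
    raw = base64.b64decode(body, validate=True)   # binascii.Error (a ValueError) on junk
    if not looks_like_der(raw):
        raise ValueError("decoded <pkcs12> is not a DER SEQUENCE")
    return raw
```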
Comment 2 Thomas Haller 2017-03-21 13:32:59 UTC
Created attachment 348412
import: fix base64 encoded inline <pkcs12> blobs

pkcs12 inline certificates are base64 encoded. Before writing
them to file they must be decoded.
Comment 3 Thomas Haller 2017-03-21 13:50:20 UTC
Created attachment 348414
import: fix base64 encoded inline <pkcs12> blobs

pkcs12 inline certificates are base64 encoded. Before writing
them to file they must be decoded.
Comment 5 Paul Smith 2017-03-23 13:12:17 UTC
Thank you Thomas!!