GNOME Bugzilla – Bug 780251
network-manager-openvpn doesn't support inline pkcs12 certificates
Last modified: 2017-03-23 13:12:17 UTC
I have an ovpn configuration file that contains a pkcs12 key embedded in it, not as a separate file, and NetworkManager doesn't seem to handle this correctly. If I import this same ovpn file into Viscosity on my MacOS system it works perfectly. Also, with NetworkManager if I use the same ovpn configuration except with the key as a separate .p12 file, it also works perfectly.

The key is embedded by first converting it into a base64 file via something like "openssl enc -base64 -in mycert.p12 -out mycert.p12.b64". Then you embed the resulting base64 file into your ovpn file so it looks something like this:

    client
    dev tun
    proto udp
    remote 1.1.1.1 1111
    remote-cert-tls server
    auth-user-pass
    <pkcs12>
    MII....
    .......
    </pkcs12>

When I import this to NetworkManager as an openvpn config file it seems to work: the import succeeds and I need to add a username, and when I try to connect to the VPN it asks me for a password. But then the connection attempt immediately fails. When I look at the error messages via journalctl (I'm on Ubuntu 16.10) I see this:

    OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
    library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    nm-openvpn[19522] <warn> openvpn[19535] exited with error code 1
    OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    Error reading PKCS#12 file /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem
    Exiting due to fatal error

When I look at the content of the /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem file it's the base64 content, not the binary file. I don't know if this is expected or not, but something is not happy.
It looks like the missing part is indeed the base64 decode. If I do the decode by hand via:

    base64 -d < /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem > /home/mydir/.cert/nm-openvpn/mycert.dec
    mv /home/mydir/.cert/nm-openvpn/mycert.dec /home/mydir/.cert/nm-openvpn/mycert-pkcs12.pem

then I am able to connect just fine.
Created attachment 348412: import: fix base64 encoded inline <pkcs12> blobs

pkcs12 inline certificates are base64 encoded. Before writing them to file they must be decoded.
Created attachment 348414: import: fix base64 encoded inline <pkcs12> blobs

pkcs12 inline certificates are base64 encoded. Before writing them to file they must be decoded.
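As an added illustration (not code from this bug or from network-manager-openvpn): an importer has to base64-decode an inline <pkcs12> block before writing it to the .pem file OpenVPN reads, and a minimal DER header check tells the decoded blob apart from the undecoded text, which is the distinction behind the "wrong tag" error in the journal above. The sample configuration and the PKCS#12-shaped blob are constructed, not a real keystore.

```python
import base64
import re

# Constructed sample (not a real keystore): a DER SEQUENCE with a long-form
# length (0x82), which is why real PKCS#12 blobs base64-encode to "MII...".
SAMPLE_P12 = b"\x30\x82\x01\x00" + b"\x04\x81\xfd" + b"\x00" * 253
SAMPLE_OVPN = (
    "client\ndev tun\nproto udp\nremote 1.1.1.1 1111\n"
    "remote-cert-tls server\nauth-user-pass\n<pkcs12>\n"
    + base64.encodebytes(SAMPLE_P12).decode()
    + "</pkcs12>\n"
)
INLINE_PKCS12 = re.compile(r"<pkcs12>\s*(.*?)\s*</pkcs12>", re.S)

def inline_pkcs12_text(ovpn_text: str) -> str:
    """Raw text between the tags: what the buggy importer wrote to the .pem file."""
    m = INLINE_PKCS12.search(ovpn_text)
    if m is None:
        raise ValueError("no inline <pkcs12> block in configuration")
    return m.group(1)

def inline_pkcs12_blob(ovpn_text: str) -> bytes:
    """Decoded DER blob: what OpenVPN actually expects to find in that file."""
    text = "".join(inline_pkcs12_text(ovpn_text).split())  # strip line breaks
    return base64.b64decode(text, validate=True)

def looks_like_der_sequence(data: bytes) -> bool:
    """Outer DER header check: tag 0x30 (SEQUENCE) and a length matching the data.
    Base64 text fails on the first byte ('M' is 0x4D), which is the "wrong tag"
    OpenSSL reported in the journal."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                        # short-form length
        header, length = 2, first
    else:                                   # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

if __name__ == "__main__":
    raw = inline_pkcs12_text(SAMPLE_OVPN).encode()
    print("undecoded text is DER:", looks_like_der_sequence(raw))  # False
    print("decoded blob is DER:", looks_like_der_sequence(inline_pkcs12_blob(SAMPLE_OVPN)))  # True
```

The same header check is a cheap sanity test to run before an importer writes a decoded private keystore into the user's ~/.cert directory, since a wrongly decoded blob fails closed instead of surfacing as an OpenSSL ASN.1 error later.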
merged to master: https://git.gnome.org/browse/network-manager-openvpn/commit/?id=f6c00d1e23cd5298dcf7e4e03f4d7543b4978c52
Thank you Thomas!!