
Author Topic: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.  (Read 13552 times)


jimp (Administrator)
To upgrade ipsec-tools to 0.8.1, we had to pull in OpenSSL 1.0.1_4 (1.0.1c) from the FreeBSD ports repository.

Because many aspects of the system rely on OpenSSL, such as IPsec, OpenVPN, Certificate Management, GUI access, Backup encryption, Vouchers, etc., there could be some unexpected fallout from changing OpenSSL.

I have already fixed a few issues on the current snapshot, notably OpenVPN using the padlock engine and Certificate generation.

If you find something else has suddenly broken with OpenVPN or IPsec, or another encryption-related area that had been working in snaps before the change, let us know.

There are more fixes coming in the next snapshot that should be available later this evening, so if you find something before then, wait until after the next new snapshot to test again and report it broken.

OpenSSL 1.0.x is also supposed to contain better support for AES-NI, so it may help those who had been trying to use it but not seeing any real performance gains.
Additionally there is a new engine in it called "rsax" that supposedly improves speed on amd64 for 1024-bit RSA operations. Not sure if we'll really find much use for that though these days.
« Last Edit: January 27, 2013, 04:38:27 pm by jimp »
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

dhatz
Re: HEADS UP: OpenSSL 1.0.4, OpenVPN, and ipsec-tools, and others.
« Reply #1 on: January 27, 2013, 04:36:17 pm »
I think you meant to say 1.0.1_4 from http://www.freshports.org/security/openssl/

There is no openssl 1.0.4 as far as I can tell from the openssl.org site, latest version is 1.0.1c (May-2012).

jimp
Re: HEADS UP: OpenSSL 1.0.4, OpenVPN, and ipsec-tools, and others.
« Reply #2 on: January 27, 2013, 04:38:00 pm »
> I think you meant to say 1.0.1_4 from http://www.freshports.org/security/openssl/
>
> There is no openssl 1.0.4 as far as I can tell from the openssl.org site, latest version is 1.0.1c (May-2012).

Yep, you're right.

marcelloc
Getting this while trying to create an internal CA.

2.1-BETA1 (amd64)
built on Fri Jan 25 17:45:36 EST 2013

The following input errors were detected:

openssl library returns: error:0E064002:configuration file routines:CONF_load:system lib

jimp
Old snap. Already fixed on current snaps.

marcelloc
> Old snap. Already fixed on current snaps.

I'll update it today, thanks jimp!  :)

alexh
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #6 on: February 01, 2013, 03:17:43 pm »
2.1-BETA1 (i386)
built on Fri Feb 1 01:15:41 EST 2013
FreeBSD 8.3-RELEASE-p5

running on a Soekris 6501


-> Diagnostics: Execute command

$ /usr/bin/openssl version
OpenSSL 0.9.8q 2 Dec 2010

$ /usr/local/bin/openssl version
OpenSSL 1.0.1c 10 May 2012


I haven't fully tested but I have reason to believe that on my box Certs are still produced using old openssl 0.9.8q.
Since I assume that the goal is to completely replace 0.9.8 by 1.0.x the fact that both binaries are still around might be considered a problem and hence my post.

Regards
A.

jimp
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #7 on: February 01, 2013, 03:20:44 pm »
It is nigh impossible to completely replace the base system OpenSSL without breaking things like ssh or requiring a lot of hoop-jumping on the builder.

They will both stick around. They coexist peacefully.

alexh
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #8 on: February 01, 2013, 03:33:40 pm »
> It is nigh impossible to completely replace the base system OpenSSL without breaking things like ssh or requiring a lot of hoop-jumping on the builder.
>
> They will both stick around. They coexist peacefully.

ah, too bad, I thought that I would now finally be able to create an internal CA with validity > year 2038 on my i386 box :) Will have to do that on one of my amd64 debian machines then.

Thanks for clarifying.

jimp
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #9 on: February 01, 2013, 03:34:58 pm »
Why can't you? All our certificate code uses the ports version of OpenSSL (1.0.1c)

Only FreeBSD programs in the base FreeBSD OS (not to be confused with pfSense's "base install") would use the old OpenSSL.

alexh
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #10 on: February 01, 2013, 03:53:08 pm »
Whenever I create an internal CA with Lifetime 36500 and then test it on the pfsense box afterwards I get something like this:

/home/alex(3): /usr/local/bin/openssl x509 -in x.cert -noout -enddate
notAfter=Dec  2 14:44:37 1976 GMT

Since I'm using the 1.0.x binary to test, I assume that something must have provoked the 2038 bug while creating the cert, and that led me to believe that openssl 0.9.8 was used for creation. I might completely overlook something here, since I'm not an expert with openssl and Certs...

php indeed uses OpenSSL 1.0.1c (see below) - which leaves at least the following options:
 - I'm doing something wrong
 - the year 2038 bug is still present in 1.0.1c on i386

I might come back to this at some point, but for now I'll just create my Certs on some other machine (which is a bit of a shame since the pfsense Cert Manager is one of the most comfortable tools I have seen when it comes to Certs)

/home/alex(64): php -i | grep OpenSSL
<tr><td class="e">SSL Version </td><td class="v">OpenSSL/1.0.1c </td></tr>
<tr><td class="e">OpenSSL support </td><td class="v">enabled </td></tr>
<tr><td class="e">OpenSSL Library Version </td><td class="v">OpenSSL 1.0.1c 10 May 2012 </td></tr>
<tr><td class="e">OpenSSL Header Version </td><td class="v">OpenSSL 1.0.1c 10 May 2012 </td></tr>
« Last Edit: February 01, 2013, 04:37:03 pm by alexh »

jimp
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #11 on: February 01, 2013, 09:01:53 pm »
There is a third option and that is that the 2038 bug is present in PHP's OpenSSL interface code.
(Or, fourth, somewhere in between those layers...)

alexh
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #12 on: February 02, 2013, 08:58:55 am »
> There is a third option and that is that the 2038 bug is present in PHP's OpenSSL interface code.
> (Or, fourth, somewhere in between those layers...)

Seems that option three it is, from the php openssl library code:

/* {{{ proto resource openssl_csr_sign(mixed csr, mixed x509, mixed priv_key, long days [, array config_args [, long serial]])
   Signs a cert with another CERT */
PHP_FUNCTION(openssl_csr_sign)
{
   zval ** zcert = NULL, **zcsr, **zpkey, *args = NULL;
   long num_days;
......
       X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60*60*24*num_days);
......


Assuming that "sizeof(long) = 4" on i386 and "sizeof(long) = 8" on amd64 (as it usually is, if I remember correctly) the experienced behavior would be explainable.

Thanks for pointing me into the right direction - and now on to a 64-bit environment :)
« Last Edit: February 02, 2013, 09:00:45 am by alexh »
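The wrap alexh describes, reproduced as an added example that is not pfSense's or PHP's own code: it computes the `(long)60*60*24*num_days` product from the PHP openssl extension once as a 32-bit long (i386) and once as a 64-bit long (amd64), applies each result to a notBefore timestamp, and puts a range-checked variant beside the unchecked one. The notBefore epoch (1 Feb 2013 14:44:37 GMT) is an assumption chosen so the 32-bit case lands on the "Dec 2 1976" notAfter quoted above; all function names here are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* 60*60*24*days as PHP computes it, but with a 32-bit long (i386):
 * the product is reduced modulo 2^32 and reinterpreted as signed.
 * Done in 64-bit arithmetic so the wrap is explicit and well defined. */
int64_t adj_seconds_long32(int64_t days)
{
    uint32_t wrapped = (uint32_t)(SECS_PER_DAY * days);   /* mod 2^32 */
    return wrapped >= 0x80000000u ? (int64_t)wrapped - (1LL << 32)
                                  : (int64_t)wrapped;
}

/* The same product with a 64-bit long (amd64): no wrap for any
 * lifetime a CA would realistically ask for. */
int64_t adj_seconds_long64(int64_t days)
{
    return SECS_PER_DAY * days;
}

/* Hardened variant: refuse a lifetime whose second count does not fit a
 * signed 32-bit long instead of silently wrapping. Returns 0 on success,
 * -1 with errno = ERANGE on overflow. */
int adj_seconds_checked32(int64_t days, int32_t *out)
{
    if (days < 0 || days > INT32_MAX / SECS_PER_DAY) {   /* > 24855 days */
        errno = ERANGE;
        return -1;
    }
    *out = (int32_t)(SECS_PER_DAY * days);
    return 0;
}

/* Civil year of a Unix timestamp (Howard Hinnant's days-to-civil
 * algorithm), so the example does not depend on the host's time_t width. */
int year_from_epoch(int64_t t)
{
    int64_t z   = (t >= 0 ? t : t - (SECS_PER_DAY - 1)) / SECS_PER_DAY + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp  = (5 * doy + 2) / 153;
    int64_t m   = mp < 10 ? mp + 3 : mp - 9;
    return (int)(yoe + era * 400 + (m <= 2));
}

/* notAfter = notBefore + adjustment, with the adjustment computed using
 * a long of the given width (32 or 64 bits). */
int64_t not_after_epoch(int64_t not_before, int64_t days, int long_bits)
{
    int64_t adj = long_bits == 32 ? adj_seconds_long32(days)
                                  : adj_seconds_long64(days);
    return not_before + adj;
}

int main(void)
{
    /* Assumed notBefore: 1 Feb 2013 14:44:37 GMT (constructed to match the post). */
    const int64_t not_before = 1359729877;
    const int64_t days = 36500;              /* the "Lifetime 36500" from the CA form */
    int32_t checked;

    printf("36500 days, 32-bit long: %lld s -> notAfter year %d\n",
           (long long)adj_seconds_long32(days),
           year_from_epoch(not_after_epoch(not_before, days, 32)));
    printf("36500 days, 64-bit long: %lld s -> notAfter year %d\n",
           (long long)adj_seconds_long64(days),
           year_from_epoch(not_after_epoch(not_before, days, 64)));
    if (adj_seconds_checked32(days, &checked) < 0)
        printf("checked: %lld days rejected, would overflow a 32-bit long\n",
               (long long)days);
    return 0;
}
```

With a 32-bit long the 3,153,600,000-second lifetime wraps to -1,141,367,296 seconds, i.e. about 36 years before notBefore, which is exactly the 1976 notAfter in alexh's output; with a 64-bit long the same input yields a notAfter in 2113. The checked variant caps the lifetime at 24855 days (about 68 years) and returns an error rather than a cert that is already expired. Note that on an i386 build with a 32-bit time_t, notAfter could still not be represented past January 2038 even with a correct product, so the check turns a silent wrap into a loud failure; it does not make a 100-year CA possible on that platform.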

Mat Simon
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #13 on: February 08, 2013, 04:51:11 am »
I'm not completely sure if this is related to OpenSSL too; I have issues with LDAP*S* authentication after upgrading:

  • Updated from: Mon Jan 28 16:55:26 EST 2013, Last commit: b0059636a9ccba5708152cb9548633e2f44c38d1
  • Checking the commit dates, I'm positive this build must have contained OpenSSL 1.0.1c (1.0.1c was merged on the 25th), but I wasn't able to check before updating.
  • Update to latest available snapshot: Thu Feb  7 18:03:44 EST 2013, last commit: dfac167caa70ca76dfee8101571eeedd0e034406, /usr/local/bin/openssl version says 1.0.1d

Issue:
  • Previously LDAP authentication (mainly used for admins) worked with and without SSL LDAP communication
  • When LDAP was unavailable I was able to fall back to local authentication
  • Now testing LDAP only works with plaintext LDAP communication (I had to viconfig the config.xml and disable LDAP auth to break into the Web interface with local admin)
  • It can bind with LDAP, but fails to fetch the OUs; previously this worked too
  • When LDAPS was enabled, local authentication on the Web-UI was not possible

We had to install a root certificate from our AD CA and have a certificate for the pfSense box issued from this CA. I'm positive that the certificates are fine, since I tested it by pointing the LDAP config to a CNAME of our DC and it failed because the certificate on the AD DC didn't contain it in its name (which BTW is well done, guys, since I know a couple of applications that just don't validate certificate data!)

While our AD/LDAP servers still accept non-SSL LDAP communication, I'd consider it ugly to go back to non-SSL LDAP authentication (and I'm still unsure if LDAP auth even works right now).
Can I provide you with some valuable debug data? Is it even OpenSSL related?
« Last Edit: February 08, 2013, 04:56:03 am by MatSim »

jimp
Re: HEADS UP: OpenSSL 1.0.1_4 (1.0.1c), OpenVPN, and ipsec-tools, and others.
« Reply #14 on: February 08, 2013, 06:30:44 am »
I don't recall what handles that specifically, it may yet be openssl, or not. It should give some details/error in the system log though.