nm-openvpn "Passwords with Certificate (TLS)" panel has wrong labels and inverts passwords

Bug #275608 reported by Crispin Flowerday
Affects | Status | Importance | Assigned to | Milestone
network-manager-openvpn (Ubuntu) | Fix Released | Medium | Unassigned |
openvpn (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

I use a VPN to the office using the "Passwords with Certificate (TLS)" option in openvpn. I configured the following values:

CA: /etc/openvpn/ca.crt
Cert: /etc/openvpn/crispin-00.crt
Key: /etc/openvpn/crispin-00.key

This all used to work fine (in hardy), but in the latest version in intrepid (0.7~~svn20080908t183521a-0ubuntu2) NM fails with:

Cannot load private key file /etc/openvpn/crispin-00.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I did some digging, and found that the openvpn commandline is:

openvpn .... --ca /etc/openvpn/crispin-00.crt --cert /etc/openvpn/ca.crt --key /etc/openvpn/crispin-00.key ...

note that the CA on the commandline is NOT what I configured above.

If I swap the CA and cert over in the configuration then all works fine - but I shouldn't need to do that, something is swapping over the CA and Cert between the UI and the openvpn commandline.
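
The "key values mismatch" error in the report is what OpenSSL returns when the file passed as --cert does not belong to the private key passed as --key. As an added example (not part of the bug report or of network-manager-openvpn), the following pre-flight check catches a swapped CA and user certificate before openvpn is started. The function names, return codes and demo PKI are this example's own, and it assumes the openssl CLI and an unencrypted private key.

```shell
#!/bin/sh
# Added example: pre-flight check for the files given to openvpn --ca/--cert/--key.
# Return codes (this script's own convention): 0 ok, 1 cert/key mismatch,
# 2 the --ca file is not a CA certificate, 3 cert was not issued by that CA.
check_vpn_pki() {
    ca=$1; cert=$2; key=$3
    # The certificate's public key must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    # The file used as --ca must carry basicConstraints CA:TRUE.
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 2
    # The user certificate must chain to that CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample input: a throwaway CA and client certificate in directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 1 2>/dev/null &&
    openssl req -new -config "$d/req.cnf" -subj "/CN=demo-user" -newkey rsa:2048 \
        -nodes -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/user.crt" -days 1 2>/dev/null
}

# Usage when run as a script: ./check.sh CA CERT KEY
if [ $# -eq 3 ]; then check_vpn_pki "$1" "$2" "$3"; exit $?; fi
```

Called with the two certificate files in the order the buggy panel produced (user certificate as CA, CA certificate as user certificate), the check returns 1, matching the mismatch openvpn reported.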

Thierry Carrez (ttx) wrote :

Can't reproduce with current intrepid (same version as you).

My VPN configuration dialog shows (top to bottom):
- User cert : selected client.crt
- CA cert : selected ca.crt
- User private key : selected client.key

Then the command line is :
/usr/sbin/openvpn --remote 192.168.122.41 --nobind --dev tun --proto udp --port 1194 --syslog nm-openvpn --script-security 2 --up /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --client --ca /home/koon/openvpn/ca.crt --cert /home/koon/openvpn/client.crt --key /home/koon/openvpn/client.key
...which is correct.

Could you please retry on a new configuration (not one imported from hardy)?
It can also be a translation error where two labels might have been swapped, so please confirm how the dialog box reads (top to bottom) and which language/locale you are using.

In all cases, that would be a network-manager-openvpn bug and not an openvpn bug.

Changed in openvpn:
status: New → Invalid
Changed in network-manager-openvpn:
status: New → Incomplete
Crispin Flowerday (crispin-flowerday-deactivatedaccount) wrote :

I had to re-create the VPN from scratch - the config got lost over the upgrade ...

I am en_GB locale, and I see (in the Authentication bit).

Type: "Password with Certificate (TLS)"
User name: <myloginname>
CA Certificate: crispin-00.crt
User Certificate: ca.crt
Private Key: crispin-00.key

The problem does seem to be between the UI and gconf as gconf shows the correct information (in /system/networking/vpn_connections/<VPN name>/vpn_data)

If I run LANG=C /usr/bin/nm-connection-editor I still get the items in the UI in the same order.

Thierry Carrez (ttx) wrote :

OK I think I got it.

When using authentication type "Password with Certificate (TLS)", the two labels "CA certificate" and "User certificate" are swapped. If you click on the corresponding file selector, the file selector dialog window name correctly shows "Choose a Certificate Authority certificate..." and "Choose your personal certificate...". It is just the labels that are shown in the wrong order.

Reproduction:
Create a new VPN. Select authentication type "Certificate (TLS)". Select :
User Certificate: user.crt
CA Certificate: ca.crt
Private key: user.key
Switch to authentication type "Password with certificate(TLS)". You get:
User name: <empty>
CA Certificate: user.crt
User Certificate: ca.crt
Private Key: user.key
Clicking on "user.crt" correctly shows the file selector dialog box with title "Choose your personal certificate...".

Expected results:
When switching to authentication type "Password with certificate(TLS)", you should get:
User name: <empty>
User Certificate: user.crt
CA Certificate: ca.crt
Private Key: user.key

Changed in network-manager-openvpn:
importance: Undecided → High
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote : Re: nm-openvpn swaps ca-cert and user-cert labels when using "Passwords with Certificate (TLS)" mode

Slightly-modified patch from the one Christoph Höger posted at:
http://mail.gnome.org/archives/networkmanager-list/2008-September/msg00287.html
Patch will need some refresh before being able to apply to pending release.

Changed in network-manager-openvpn:
importance: High → Medium
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

0.7~~svn20080928t225540-0ubuntu1 revamped that panel. The issue still exists, the patch needs adaptation.

Reproduction:
Create a new VPN. Select authentication type "Certificate (TLS)". Select :
User Certificate: user.crt
Certificate password: (empty)
CA Certificate: ca.crt
Private key: user.key
Switch to authentication type "Password with certificate(TLS)". You now get:
User name: (current user name)
Password: (empty)
CA Certificate: user.crt
User Certificate: ca.crt
Certificate password: (empty)
Private Key: user.key

Since a password box now appears just below "User certificate", inverting labels is confusing (the password box applies to the user certificate, not the CA one). The proposed patch is to invert file selectors rather than labels, resulting in:

User name: (current user name)
Password: (empty)
CA Certificate: ca.crt
User Certificate: user.crt
Certificate password: (empty)
Private Key: user.key

which is correct.

Thierry Carrez (ttx) wrote :

Proposed fix

--
network-manager-openvpn (0.7~~svn20080928t225540-0ubuntu2) intrepid; urgency=low

  * debian/patches/07_fileselectors_order.diff: Fix ordering of certificate
    file selectors in the "Passwords with certificates" case (LP: #275608)

 -- Thierry Carrez <thierry.carrez@xxx> Mon, 06 Oct 2008 11:38:50 +0200

Changed in network-manager-openvpn:
status: Triaged → Confirmed
James Westby (james-w) wrote :

Hi Thierry,

Thanks for working on this.

I tried your recipe to reproduce and it didn't really work for me, all the
certificates I had chosen disappeared as I changed the type, so I couldn't
really see what the problem was. Do I need to use real certificates rather
than empty files?

Does your patch just change the glade file so that the labels refer to a
different widget, and as the code shows and hides the widget the labels
are also shown?

Thanks,

James

Thierry Carrez (ttx) wrote :

James:
You will have to validate the "Certificate (TLS)" configuration, then when back to the list of VPNs you select and edit it, then switch to "Password with certificate(TLS)".

Without any file selected, you can still easily see that the label and the file selector are mismatched in the "Password with certificate(TLS)" panel by looking at the title of the fileselector dialog window : the one on the right of the "User Certificate" label shows "Please choose a CA Certificate" and the one on the right of the "CA Certificate" label shows "Please choose a user certificate".

The patch switches the IDs of the two fileselector widgets in the glade file so that their positions in the panel are inverted. The rest of the code accesses the fileselectors by their IDs so it doesn't need to be changed.

I've tested that it results in an openvpn command line that reflects correctly what's on the configuration panel.

Thierry Carrez (ttx) wrote :

Bug 280265 is not really a duplicate, but since that touches the same panel it should probably be fixed at the same time. Will update title to reflect that.

The "Passwords with Certificates (TLS)" config panel not only inverts the labels/fileselectors, it also inverts the password fields when it saves them.

Reproduction:
Create a VPN in "Passwords with Certificates (TLS)" mode :
User name: foo
Password: foo
CA Certificate: ca.crt
User Certificate: user.crt
Certificate password: bar
Private Key: user.key
Click "Validate", close the panel

Reedit that connection, the panel now reads:
User name: foo
Password: bar
CA Certificate: ca.crt
User Certificate: user.crt
Certificate password: foo
Private Key: user.key

(NB: if you validate it again without changing anything and reopen it, it's back to what you originally typed :)

Thierry Carrez (ttx) wrote :

My patch just fixes the first issue, feel free to unsubscribe u-u-s to avoid noise while I work on the second issue.

Changed in network-manager-openvpn:
assignee: nobody → tcarrez
status: Confirmed → In Progress
James Westby (james-w) wrote :

Hi,

Un-subscribing the sponsors at your request. Please re-subscribe when ready.

Thanks,

James

Thierry Carrez (ttx) wrote :

Fix for both issues in the panel.

network-manager-openvpn (0.7~~svn20080928t225540-0ubuntu2) intrepid; urgency=low

  * debian/patches/07_fileselectors_order.diff: Fix ordering of certificate
    file selectors in the "Passwords with certificates" case (LP: #275608)
  * debian/patches/08_passwords_unswap.diff: Fix passwords swapping when
    reloading a "Passwords with certificates" configuration (same bug number)

Changed in network-manager-openvpn:
assignee: tcarrez → nobody
status: In Progress → Confirmed
James Westby (james-w) wrote :

Hey Thierry,

Thanks for the fixes. Have you posted these on the nm mailing list
or in a bug report?

I saw for the first problem you picked up the patch off the mailing list,
but it didn't seem to get any comment. I'd like to get some review
for these patches if possible.

Thanks,

James

Thierry Carrez (ttx) wrote :

The fixes were reported on upstream SVN. That said, upstream fixed one more issue with the openvpn panel (the "certificate password" that was asked for really was a "private key password"), so it's probably better to take the full rev4127 upstream patch.

http://svn.gnome.org/viewvc/NetworkManager?view=revision&revision=4127

The attached debdiff imports the full rev4127 patch (minus Changelog) as 07_panel_fixes.diff :

network-manager-openvpn (0.7~~svn20080928t225540-0ubuntu2) intrepid; urgency=low

  * Added debian/patches/07_panel_fixes.diff:
    - Extracted from upstream SVN (rev 4127)
    - Fixes ordering of certificate file selectors in the "Passwords with
      certificates" case (LP: #275608)
    - Fixes passwords swapping when reloading a "Passwords with certificates"
      configuration
    - Renames "Certificate password" to "Private key password", because that's
      what they really are

Alexander Sack (asac) wrote :

We don't need to patch this. We already have the NM snapshot that has the SVN change in the archive.

Someone should update the vpn packages accordingly.

Alexander Sack (asac) wrote :

13:10 < asac> james_w: we should produce a new orig.tar.gz from the current tree in the archive
13:10 < asac> james_w: feel free to do that ;)

Thierry Carrez (ttx) wrote :

I'm on it for network-manager-openvpn.

Changed in network-manager-openvpn:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Thierry Carrez (ttx) wrote :

New upstream snapshot

Thierry Carrez (ttx) wrote :

New diff.gz

Thierry Carrez (ttx) wrote :

Interdiff between current version in intrepid and this one

network-manager-openvpn (0.7~~svn20081008t224042-0ubuntu1) intrepid; urgency=low

  * New upstream snapshot
  * debian/control: adjust network manager build-depends to >=
    0.7~~svn20081008
  * Fixes LP: #275608

Changed in network-manager-openvpn:
assignee: tcarrez → nobody
status: In Progress → Confirmed
Alexander Sack (asac) wrote :

This looks good. Could you please do vpnc and pptp as well? We want to update all and doing them in a batch makes most sense.

Thierry Carrez (ttx) wrote :

Upstream snapshot for vpnc

Thierry Carrez (ttx) wrote :

diff.gz for vpnc

Thierry Carrez (ttx) wrote :

Interdiff between current version in intrepid and this one (for vpnc)

network-manager-vpnc (0.7~~svn20081008t224042-0ubuntu1) intrepid; urgency=low

  * New upstream snapshot
  * debian/control: adjust network manager build-depends to >= 0.7~~svn20081008

Thierry Carrez (ttx) wrote :

Upstream snapshot for pptp

Thierry Carrez (ttx) wrote :

diff.gz for pptp

Thierry Carrez (ttx) wrote :

Interdiff between current version in intrepid and this one (for pptp)

network-manager-pptp (0.7~~svn20081008t224042-0ubuntu1) intrepid; urgency=low

  * New upstream snapshot
  * debian/control: adjust network manager build-depends to >= 0.7~~svn20081008

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-openvpn - 0.7~~svn20081008t224042-0ubuntu1

---------------
network-manager-openvpn (0.7~~svn20081008t224042-0ubuntu1) intrepid; urgency=low

  * New upstream snapshot, fixes
    - LP: #275608 - nm-openvpn "Passwords with Certificate (TLS)" panel has
      wrong labels and inverts passwords
  * debian/control: adjust network manager build-depends to >= 0.7~~svn20081008

 -- Thierry Carrez <email address hidden> Fri, 10 Oct 2008 16:08:23 +0200

Changed in network-manager-openvpn:
status: Confirmed → Fix Released