openssl-vulnkey crashed with IOError in get_bits()

Bug #230193 reported by Roi a Torkilsheyggi
Affects | Status | Importance | Assigned to | Milestone
openssl-blacklist (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Feisty | Fix Released | Undecided | Jamie Strandboge |
Gutsy | Fix Released | Undecided | Jamie Strandboge |
Hardy | Fix Released | Undecided | Jamie Strandboge |

Bug Description

Binary package hint: openssl-blacklist

I'm using the OpenVPN module for NetworkManager with CA, Cert and key (converted from PKCS12).

network-manager 0.6.6-0ubuntu5
openvpn 2.1~rc7-1ubuntu3.1
network-manager-openvpn 0.3.2svn2342-1ubuntu4

Things work when removing openvpn-blacklist (which again downgrades openvpn to 2.1~rc7-1ubuntu3).

ProblemType: Crash
Architecture: i386
Date: Wed May 14 09:48:38 2008
DistroRelease: Ubuntu 8.04
ExecutablePath: /usr/sbin/openssl-vulnkey
InterpreterPath: /usr/bin/python2.5
NonfreeKernelModules: fglrx
Package: openssl-blacklist 0.1-0ubuntu0.8.04.1
PackageArchitecture: all
ProcCmdline: /usr/bin/python /usr/sbin/openssl-vulnkey -q /home/rto/.neoconsult/openvpn/rto1key.pem
ProcEnviron: PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
PythonArgs: ['/usr/sbin/openssl-vulnkey', '-q', '/home/rto/.neoconsult/openvpn/rto1key.pem']
SourcePackage: openssl-blacklist
Title: openssl-vulnkey crashed with IOError in get_bits()
Uname: Linux 2.6.24-16-generic i686
UserGroups:

Tags: apport-crash
Roi a Torkilsheyggi (roi) wrote :
Mathias Gug (mathiaz) wrote :

Hi,

What are the permissions of /home/rto/.neoconsult/openvpn/rto1key.pem ?

Do you see any error when you run the following command from a terminal ?
  openssl rsa -text -in /home/rto/.neoconsult/openvpn/rto1key.pem

Do *not* post the output of this command to the bug please.

Changed in openssl-blacklist:
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Marking In progress as the fix is known and upload pending.

Changed in openssl-blacklist:
status: Incomplete → In Progress
assignee: nobody → mathiaz
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Changed in openssl-blacklist:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
assignee: mathiaz → jdstrand
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.1-0ubuntu0.8.04.2

---------------
openssl-blacklist (0.1-0ubuntu0.8.04.2) hardy-security; urgency=low

  * openssl-vulnkey:
    - Don't exit if the key cannot be parsed.
    - Don't fail if stderr is not available. (LP: #230193)

 -- Mathias Gug <email address hidden> Wed, 14 May 2008 14:24:07 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.1-0ubuntu0.7.10.2

---------------
openssl-blacklist (0.1-0ubuntu0.7.10.2) gutsy-security; urgency=low

  * openssl-vulnkey:
    - Don't exit if the key cannot be parsed.
    - Don't fail if stderr is not available. (LP: #230193)

 -- Mathias Gug <email address hidden> Wed, 14 May 2008 14:43:47 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.1-0ubuntu0.7.04.2

---------------
openssl-blacklist (0.1-0ubuntu0.7.04.2) feisty-security; urgency=low

  * openssl-vulnkey:
    - Don't exit if the key cannot be parsed.
    - Don't fail if stderr is not available. (LP: #230193)

 -- Mathias Gug <email address hidden> Wed, 14 May 2008 14:57:32 +0200
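
The two behaviours named in the changelog entries above, shown as an added defensive example (this is not the openssl-blacklist code): diagnostics that tolerate a missing stderr, and a `get_bits()` that reports an unparseable key instead of aborting. Only the name `get_bits` comes from the page; `warn`, `run_openssl`, `check_keys`, the `openssl rsa` invocation and the regex are assumptions, and the code targets Python 3 rather than the Python 2.5 in the crash report.

```python
import re
import subprocess
import sys

def warn(msg, stream=None):
    """Best-effort diagnostic; returns False instead of raising if stderr is unusable."""
    stream = sys.stderr if stream is None else stream
    try:
        stream.write(msg + "\n")
        stream.flush()
        return True
    except (AttributeError, OSError, ValueError):
        # AttributeError: sys.stderr is None (fd 2 was closed at startup)
        # OSError: bad or closed descriptor; ValueError: stream object closed
        return False

def run_openssl(cmd):
    """Run openssl on its own pipes so it never inherits a missing stderr."""
    try:
        p = subprocess.run(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE, text=True)
    except OSError:                      # openssl binary not installed
        return 1, ""
    return p.returncode, p.stdout

def get_bits(path, run=run_openssl):
    """Return the RSA key size in bits, or None when the key cannot be parsed."""
    # "-passin pass:" supplies an empty pass phrase so an encrypted key fails
    # fast instead of prompting (assumed invocation, not taken from the page).
    rc, out = run(["openssl", "rsa", "-noout", "-text", "-in", path,
                   "-passin", "pass:"])
    m = re.search(r"Private-Key: \((\d+) bit", out)
    if rc != 0 or m is None:
        warn("WARNING: could not parse key: %s" % path)
        return None
    return int(m.group(1))

def check_keys(paths, run=run_openssl):
    """Check every key; an unparseable one is recorded as None, not fatal."""
    return {p: get_bits(p, run) for p in paths}
```

Whether a `None` result should block the connection is the caller's policy decision; the example only guarantees that the checker itself does not crash.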

Changed in openssl-blacklist:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in openssl-blacklist:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

The hardy package was copied to Intrepid.

Changed in openssl-blacklist:
status: Fix Committed → Fix Released
Roi a Torkilsheyggi (roi) wrote :

Hi,

Sorry for the late response - keeping busy :)

Permissions: Owner has read/write permissions, others have read (probably not smart).

I do *not* get any errors when running the "openssl rsa -text -in <filename>" command.

When running NetworkManager with --no-daemon I get the following when enabling the OpenVPN connection. The OpenVPN log does not show any activity.
-------------------
Enter pass phrase for /home/rto/xxxx/xxxxx/rto1key.pem:

** (process:8698): WARNING **: <WARNING> openvpn_watch_cb (): openvpn exited with error code 1

** (process:8698): WARNING **: <WARNING> nm_openvpn_socket_data_cb (): Password verification failed

NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'.
NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 3 -> 6.
NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'LoginFailed', with message 'The VPN login failed because the user name and password were not accepted or the certificate password was wrong.'.
NetworkManager: <WARN> nm_vpn_service_stop_connection(): (VPN Service org.freedesktop.NetworkManager.openvpn): could not stop connection 'NeoConsult' because service was 6.
-------------------

The setup procedure was as follows. The admins hand out PKCS#12 certs which I have to "convert" to use with the NM-OVPN module.
-------------------
First you need to extract the CA, certificate and key from your .p12 file (replace user1 with your initials and number).

    openssl pkcs12 -nocerts -in user1.p12 -out user1key.pem
    Supply Import Password.
    Type new PEM pass phrase.
    openssl pkcs12 -nokeys -clcerts -in user1.p12 -out user1cert.pem
    Supply Import Password.
    openssl pkcs12 -nokeys -cacerts -in user1.p12 -out user1ca.pem

Copy the files to a suitable place on your hard drive.

Install network-manager-openvpn. This is the OpenVPN plugin for NetworkManager.

    sudo apt-get install network-manager-openvpn

Now left-click on the NetworkManager icon, select VPN Connections -> Configure VPN and click the Add button. Type in a connection name and paste in the following appropriately:

    Gateway Address: xxx.xxx.xxx.xxx
    Gateway Port: 1194 (this is the default)
    Connection Type: X.509 Certificates (also default)
    CA file: (point to your user1ca.pem file)
    Certificate: (point to your user1cert.pem file)
    Key: (point to your user1key.pem file)

Now click the Optional tab and check the following boxes:

    Use LZO compression
    Use cipher: (select cipher)
    Use TLS auth: (point to your ta.key file)
    Direction: (select 1)
-------------------

This setup worked up until the openvpn/openssl updates two weeks ago.

Again, sorry for the late response - and thanks for the good work.

Rói

This report contains Public Security information  
Everyone can see this security related information.
