Summary: >=net-misc/openvpn-2.3.7: passphrase for key is not requested
Product: Gentoo Linux
Reporter: Marcel Pennewiß <gentoo>
Component: Current packages
Assignee: Dirkjan Ochtman <djc>
Package list: (none)
Runtime testing required: ---
Bug Depends on: (none)
Description Marcel Pennewiß 2015-07-14 18:36:05 UTC
openvpn from version 2.3.7 does not ask for the passphrase that is required for the key when it is started by the init-script (openrc).

Reproducible: Always

Steps to Reproduce:
1. Update openvpn from 2.3.6 to 2.3.7
2. Use a vpn-config with a key which requires a passphrase

Actual Results:
See openvpn starting via the init-script:

 * Starting openvpn.vpn1... [ ok ]
 * WARNING: openvpn.vpn1 has started, but is inactive
openvpn: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn: Error: private key password verification failed
openvpn: Exiting due to fatal error

Expected Results:
Passphrase request and a working VPN client.

OpenVPN seems to need "askpass" as an option, but this does not work, as stdin is not available during the init-script:

openvpn: Options error: --askpass fails with 'stdin': No such file or directory
openvpn: Options error: Please correct these errors.

The patch in https://community.openvpn.net/openvpn/ticket/248 (http://thread.gmane.org/gmane.network.openvpn.devel/9918) fixes the stdin error above, but still does not allow entering the passphrase. Already tried starting openvpn with --daemon --askpass --config CONFIG-FILE, which results in the same issue.

Maybe also related: http://sourceforge.net/p/openvpn/mailman/message/34294347/
Comment 1 Gert Doering 2015-07-19 13:14:24 UTC
Apologies, this is upstream breakage (specifically, --daemon with password-protected keys and/or --auth-user-pass is broken in 2.3.7). To fix, you want these patches from the git release/2.3 branch:

commit dda40aedfb87d77afcef52376cd3e4778ba0370b
Author: Gert Doering <email@example.com>
    Document --daemon changes and consequences (--askpass, --auth-nocache).

commit 4d093fff305a3054d88ae2c803665cf90d512c7e
Author: James Geboski <firstname.lastname@example.org>
    Fix --askpass not allowing for password input via stdin

commit b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6
Author: Gert Doering <email@example.com>
    Produce a meaningful error message if --daemon gets in the way of asking for passwords.

commit 7bde2e1b19e66af22c26c90e1187a4365c9087fc
Author: Steffan Karger <firstname.lastname@example.org>
    fix regression: query password before becoming daemon

*and* you need to run openvpn with the "--askpass" option - otherwise it won't know that it needs to ask for the pass phrase (more explanation is in the git commits).

Again, apologies for the breakage - we had to swap crypto init and daemon() to ensure we never fork after initializing openssl - because that breaks FreeBSD's cryptodev (and makes pkcs#11 more complicated), and there is no other way to fix it. "Caught between a rock and a hard place".
Comment 2 Matthew Thode ( prometheanfire ) 2015-08-07 14:06:07 UTC
looks like 2.3.8 is available with all the fixes now.
Comment 3 Matthew Thode ( prometheanfire ) 2015-08-08 05:15:00 UTC
please test 2.3.8, just added to the tree (should have the fix)
Comment 4 Morton Pellung 2015-08-13 09:00:10 UTC
I upgraded from 2.3.6 to 2.3.7 and was not asked for the password and got:

openvpn: ERROR: could not read Auth username from stdin
openvpn: Exiting due to fatal error

Upgraded one version further to 2.3.8 -> works again.

Please do not mark 2.3.7 as stable.
Comment 5 Marcel Pennewiß 2015-08-13 09:44:19 UTC
openvpn-2.3.8 works as expected, but needs a change to the config file (add askpass to the config) if the key requires a passphrase. As openvpn fails if askpass is configured but the key does not need a passphrase, this cannot be done "automatically" via the init-script. Maybe we should add a post-message/news item about this.
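The point comment 5 makes is that --askpass is not a safe default: with 2.3.8 it is required for an encrypted key and fatal for an unencrypted one, so a wrapper has to look at the key first. The sketch below is an added example and is not code from the bug report, from Gentoo's openvpn init-script or from the openvpn project. It assumes the key is a PEM file on disk (inline <key> blocks and PKCS#11 tokens are not covered), and the helper names (key_needs_passphrase, openvpn_extra_args, make_sample_keys) and the sample key files are hypothetical and constructed for the demonstration; they contain PEM markers only, no real key material.

```shell
#!/bin/sh
# Added example, not code from the bug report, the Gentoo init-script or the
# openvpn project. Decides whether a PEM private key is passphrase-protected so
# that a wrapper adds --askpass only when it is needed (openvpn 2.3.8 errors out
# if --askpass is given for a key that is not encrypted).
# Assumption: the key is a PEM file on disk, not an inline <key> block or PKCS#11.

# Returns 0 if the key file is encrypted, 1 if it is in the clear, 2 if unreadable.
key_needs_passphrase() {
    keyfile=$1
    [ -r "$keyfile" ] || return 2
    # Legacy OpenSSL "traditional" PEM encryption adds a Proc-Type header;
    # an encrypted PKCS#8 key has its own BEGIN line.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile" \
        || grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$keyfile"; then
        return 0
    fi
    return 1
}

# Prints the extra argument a wrapper appends to the openvpn command line:
# "--askpass" for an encrypted key, nothing otherwise. (Hypothetical helper;
# the real init-script has no such hook.)
openvpn_extra_args() {
    if key_needs_passphrase "$1"; then
        printf '%s' '--askpass'
    fi
}

# Writes three constructed sample keys (PEM markers only, no real key material)
# into a temporary directory and prints its path.
make_sample_keys() {
    dir=$(mktemp -d)
    cat > "$dir/enc-legacy.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
EOF
    cat > "$dir/enc-pkcs8.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END ENCRYPTED PRIVATE KEY-----
EOF
    cat > "$dir/plain.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----
EOF
    printf '%s\n' "$dir"
}

# Demo: classify each sample key and show the resulting command line.
demo() {
    d=$(make_sample_keys)
    for k in "$d"/*.key; do
        printf '%s -> openvpn --daemon --config /etc/openvpn/vpn1.conf %s\n' \
            "$k" "$(openvpn_extra_args "$k")"
    done
    rm -rf "$d"
}

demo
```

The header check is deliberately cheap (grep only) so it can run before openvpn is started. Note that it only answers "does this key need a passphrase"; it does nothing about where the passphrase comes from, which is the actual problem in this bug: under an init-script there is no stdin to type into, and openvpn's --askpass accepts an optional file argument that would trade the interactive prompt for a passphrase stored in the clear on disk.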
Comment 6 Morton Pellung 2015-08-13 13:23:48 UTC
mh... I see my description was not precise enough:

/etc/init.d/openvpn.foobar start

2.3.6 and 2.3.8 ask for my credentials on the console, meaning I type in user+pass.
2.3.7 does not even try to ask for a username and silently fails; only the log shows it got no username -- well, because it didn't even try and ask.