Bug 554908 - >=net-misc/openvpn-2.3.7: passphrase for key is not requested
Summary: >=net-misc/openvpn-2.3.7: passphrase for key is not requested
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Dirkjan Ochtman (RETIRED)
Depends on:
Blocks: 556874
Reported: 2015-07-14 18:36 UTC by Marcel Pennewiß
Modified: 2015-08-13 13:23 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Marcel Pennewiß 2015-07-14 18:36:05 UTC
openvpn from version 2.3.7 does not ask for the passphrase that is required for the key when started by the init script (openrc).

Reproducible: Always

Steps to Reproduce:
1. Update openvpn from 2.3.6 to 2.3.7
2. Use vpn-config with key which requires passphrase

Actual Results:  
See openvpn starting via init-script:

* Starting openvpn.vpn1... [ ok ]
* WARNING: openvpn.vpn1 has started, but is inactive

openvpn[26264]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[26264]: Error: private key password verification failed
openvpn[26264]: Exiting due to fatal error

Expected Results:  
Passphrase-request and working VPN-client

OpenVPN seems to need "askpass" as an option, but this did not work, as stdin is not available during the init script:

openvpn[26561]: Options error: --askpass fails with 'stdin': No such file or directory
openvpn[26561]: Options error: Please correct these errors.

The patch in

did fix the stdin error above, but did not allow entering the passphrase. I already tried starting openvpn with --daemon --askpass --config CONFIG-FILE, which results in the same issue.

Maybe also related:
Comment 1 Gert Doering 2015-07-19 13:14:24 UTC
Apologies, this is upstream breakage (specifically, --daemon with password-protected keys and/or --auth-user-pass is broken in 2.3.7).

To fix, you want these patches from the git release/2.3 branch:

commit dda40aedfb87d77afcef52376cd3e4778ba0370b
Author: Gert Doering <>

    Document --daemon changes and consequences (--askpass, --auth-nocache).

commit 4d093fff305a3054d88ae2c803665cf90d512c7e
Author: James Geboski <>

    Fix --askpass not allowing for password input via stdin

commit b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6
Author: Gert Doering <>

    Produce a meaningful error message if --daemon gets in the way of asking for passwords.

commit 7bde2e1b19e66af22c26c90e1187a4365c9087fc
Author: Steffan Karger <>

    fix regression: query password before becoming daemon

*and* you need to run openvpn with the "--askpass" option - otherwise it won't know that it needs to ask for the pass phrase (more explanation is in the git commits).

Again, apologies for the breakage - we had to swap crypto init and daemon() to ensure we never fork after initializing openssl - because that breaks FreeBSD's cryptodev (and makes pkcs#11 more complicated), and there is no other way to fix it.  "Caught between a rock and a hard place".
Comment 2 Matthew Thode (prometheanfire) 2015-08-07 14:06:07 UTC
Looks like 2.3.8 is available with all the fixes now.
Comment 3 Matthew Thode (prometheanfire) 2015-08-08 05:15:00 UTC
Please test 2.3.8, just added to the tree (should have the fix).
Comment 4 Morton Pellung 2015-08-13 09:00:10 UTC
I upgraded from 2.3.6 to 2.3.7 and was not asked for a password and got:
openvpn[11087]: ERROR: could not read Auth username from stdin
openvpn[11087]: Exiting due to fatal error

Upgraded one version further to 2.3.8 -> works again

Please do not mark 2.3.7 as stable.
Comment 5 Marcel Pennewiß 2015-08-13 09:44:19 UTC
openvpn-2.3.8 works as expected, but needs a change to the config file (add askpass to the config) if the key requires a passphrase. As openvpn fails if askpass is configured but the key does not need a passphrase, this cannot be done "automatically" via the init script.

Maybe we should add a post-message/news about this.
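The situation Comment 5 describes (askpass is needed only for encrypted keys, and 2.3.8 exits whichever way the choice is wrong) can be handled by inspecting the key before OpenVPN is started. This is an added example, not code from the bug report or from Gentoo's openvpn init script; it assumes the key is a plain PEM file named by a "key" directive (no inline <key> block or pkcs12) and that relative paths resolve against the config's directory.

```shell
#!/bin/sh
# Added example (not from the bug report or Gentoo's openvpn init script):
# decide whether an OpenVPN config's key needs --askpass by inspecting the PEM
# header of the file named by its "key" directive. This avoids both failure
# modes from this bug: an encrypted key without --askpass, and --askpass with
# a key that has no passphrase (OpenVPN 2.3.8 exits in either case).

# Print the path of the key referenced by the config. A relative path is
# resolved against the config's directory (assumption: the init script starts
# OpenVPN with --cd set to that directory). Returns 1 if there is no "key" line.
openvpn_key_path() {
    cfg=$1
    key=$(sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$key" ] || return 1
    case $key in
        /*) printf '%s\n' "$key" ;;
        *)  printf '%s/%s\n' "$(dirname "$cfg")" "$key" ;;
    esac
}

# Return 0 if the PEM key is passphrase-protected: traditional (PKCS#1) files
# carry "Proc-Type: 4,ENCRYPTED", PKCS#8 files use the ENCRYPTED PRIVATE KEY
# armour. Anything else (or an unreadable file) counts as not encrypted.
openvpn_key_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null
}

# Print "--askpass" when the config's key needs a passphrase, nothing otherwise.
openvpn_askpass_opts() {
    key=$(openvpn_key_path "$1") || return 0
    if openvpn_key_encrypted "$key"; then
        printf '%s\n' "--askpass"
    fi
}

# Demonstration on constructed files (not real keys): one encrypted, one not.
demo=$(mktemp -d)
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$demo/enc.key"
printf -- '-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n' > "$demo/plain.key"
printf 'client\nkey enc.key\n' > "$demo/vpn1.conf"
printf 'client\nkey "plain.key"\n' > "$demo/vpn2.conf"
for c in vpn1 vpn2; do
    printf '%s: openvpn --config %s.conf %s\n' "$c" "$c" "$(openvpn_askpass_opts "$demo/$c.conf")"
done
rm -rf "$demo"
```

The init script would append the output of openvpn_askpass_opts to the openvpn command line; --askpass still needs a console on stdin, so this only helps when the service is started interactively, as in the reports above.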
Comment 6 Morton Pellung 2015-08-13 13:23:48 UTC
mh... I see my description was not precise enough:

/etc/init.d/openvpn.foobar start

2.3.6 and 2.3.8 ask for my credentials on the console, meaning I type in user+pass.
2.3.7 does not even try to ask for a username and silently fails; only the log shows it got no username -- well, because it didn't even try to ask.