
(Bug?) Zeroshell upgrade 3.6.0>3.7.0 OpenVPN X509+passwor

ilNebbioso



Joined: 31 Mar 2009
Posts: 21

Posted: Mon Jan 16, 2017 10:17 am    Post subject: (Bug?) Zeroshell upgrade 3.6.0>3.7.0 OpenVPN X509+passwor

Ciao!
I think I've found a (little, but it made me crazy, I spent a lot of hours on it) bug after I upgraded a ZS 3.6.0 to ZS 3.7.0.

On this box I have configured an "OpenVPN Host-to-LAN VPN with X.509, Kerberos 5 and Radius Authentication" with "X509+password" authentication in order to allow RoadWarriors to connect to the LAN while out of office.

Please note:
- I had been connecting remotely with the ZS 3.6.0 configuration for months (including the day before upgrading!);
- I did not change anything before/during/after the upgrade;
- The upgrade process to ZS 3.7.0 went fine without any error or issue.

But once I was remote again after upgrading to ZS 3.7.0, I wasn't able to reconnect with OpenVPN GUI anymore, with "Connection reset, restarting [0]", "TCP/UDP: Closing socket" and "SIGUSR1[soft,connection-reset] received, process restarting" messages in the log file.

First I thought it was a certificate problem. So (by Remote Desktop from a local server) I renewed (only) the users' certificates from Users > [username] > X509 > Revoke and then Renew (validity 3650). But this didn't fix the problem, also because the users' certificates were still valid!

After a lot of tests, I decided to compare a different 3.6.0 installation (another customer) with the one upgraded to 3.7.0. They're completely identical regarding OpenVPN configuration.

I found a little difference in VPN > Section:
X.509 Configuration > Authentication button. The window is called "Allow the X.509 VPN access with the certificates signed by the following Trusted CAs".
On the 3.6.0 the only item, the local ZS CA, was checked/ticked; on the 3.7.0 it wasn't. I could bet it was checked too on the (current) ZS 3.7.0 box before upgrading.

So, I simply checked it on ZS 3.7.0 and the OpenVPN client started working again.

Next week I will upgrade also the other ZS 3.6.0 box, so I will verify if it is a bug while upgrading or I simply was unlucky with it. But I cannot do it before next week.

I hope this could help somebody else to save time.

Thank you for supporting us and for giving me feedback on it!
beppuz



Joined: 03 Jan 2015
Posts: 6

Posted: Tue Jan 17, 2017 6:50 am

Indeed you saved my time: I also got this issue after upgrading from 3.6 to 3.7.
Fixed it by ticking the authentication -> trusted CAs item.

Thank you again!
ilNebbioso



Joined: 31 Mar 2009
Posts: 21

Posted: Tue Jan 17, 2017 4:31 pm

WOW!

So, it's a bug. I hope Fulvio will fix it ASAP.
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1070

Posted: Tue Jan 17, 2017 8:31 pm

Hi,
due to the way in which the new OpenSSL creates the hash of the certificates (MD5 -> SHA1), the Trusted CAs signing the certificates authorized for X.509 access to the VPN and captive portal services have to be flagged again.
Sorry for the inconvenience.
Regards
Fulvio
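An added example, not part of the thread and not Zeroshell's own code, illustrating the hash change mentioned in the post above: OpenSSL files trusted CAs in a hashed directory as `<subject-hash>.N`, and the hash moved from MD5-based to SHA-1-based with OpenSSL 1.0.0. The sketch assumes such a hashed directory (the thread does not say how Zeroshell stores its trusted CAs); the function names and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Zeroshell code): report which subject-hash name a CA
# certificate is filed under in an OpenSSL hashed trust directory.

has_link() {  # has_link DIR HASH FINGERPRINT: is DIR/HASH.N this same certificate?
    for f in "$1/$2".[0-9]*; do
        [ -e "$f" ] || continue
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null) || continue
        [ "$fp" = "$3" ] && return 0
    done
    return 1
}

check_ca_link() {  # check_ca_link CA.pem CAPATH -> ok | stale-old-hash-only | missing
    new=$(openssl x509 -in "$1" -noout -subject_hash) || return 2      # SHA-1 based, OpenSSL >= 1.0.0
    old=$(openssl x509 -in "$1" -noout -subject_hash_old) || return 2  # MD5 based, OpenSSL < 1.0.0
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    if has_link "$2" "$new" "$want"; then
        echo ok
    elif has_link "$2" "$old" "$want"; then
        echo stale-old-hash-only
    else
        echo missing
    fi
}

demo() {  # constructed sample: throwaway CA filed only under its old-style hash
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 2
    mkdir "$d/capath"
    cp "$d/ca.pem" "$d/capath/$(openssl x509 -in "$d/ca.pem" -noout -subject_hash_old).0"
    before=$(check_ca_link "$d/ca.pem" "$d/capath")
    # Re-file under the current hash, which is what re-indexing the directory does.
    cp "$d/ca.pem" "$d/capath/$(openssl x509 -in "$d/ca.pem" -noout -subject_hash).0"
    after=$(check_ca_link "$d/ca.pem" "$d/capath")
    rm -rf "$d"
    echo "$before $after"
}

# Optional command-line use: script CA.pem CAPATH
if [ "$#" -eq 2 ]; then check_ca_link "$1" "$2"; fi
```

A result of `stale-old-hash-only` means the CA is present on disk but a current OpenSSL will not find it during chain verification, so client certificates signed by it are rejected until the directory is re-indexed.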
ilNebbioso



Joined: 31 Mar 2009
Posts: 21

Posted: Wed Jan 25, 2017 9:15 am

Fulvio,
will we need to check the flag again after EACH upgrade (also from 3.7 to 3.7.1, for example), or did this only affect the move to 3.7.0?
beppuz



Joined: 03 Jan 2015
Posts: 6

Posted: Wed Jan 25, 2017 10:17 am

I upgraded 3.7.0 -> 3.7.1 and didn't need to flag again.
So I would say the issue only affects the * -> 3.7.0 upgrade.
Montikore



Joined: 19 Jan 2016
Posts: 15

Posted: Fri Jan 27, 2017 5:18 pm

I got the same issue... but very strangely not for all my users...
migrating then to 3.7.1 and no issues