iOS client 3.3.2 (5086) issue

Official client software for OpenVPN Access Server and OpenVPN Cloud.
dsd7150
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 19, 2022 2:59 pm

iOS client 3.3.2 (5086) issue

Post by dsd7150 » Mon Sep 19, 2022 4:04 pm

Server:

-> # uname -a
OpenBSD openvpn1 7.0 GENERIC.MP#232 amd64
-> # openvpn --version
OpenVPN 2.5.3 x86_64-unknown-openbsd7.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 26 2021
library versions: LibreSSL 3.4.1, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_gtk_doc=no enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=no with_mem_check=no with_sysroot=no

Client:

iPhone 8, iOS 15.5. After upgrading the client from 3.2.3 (3760) to the latest 3.3.2 (5086), I get an error on the client side:

[Sep 19, 2022, 13:29:04] START CONNECTION

[Sep 19, 2022, 13:29:04] ----- OpenVPN Start -----
OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Sep 19, 2022, 13:29:04] OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Sep 19, 2022, 13:29:04] Frame=512/2048/512 mssfix-ctrl=1250

[Sep 19, 2022, 13:29:04] EVENT: CORE_THREAD_ERROR PKey::parse_pem: error in private key:: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt / error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error / error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe ... [ERR]

[Sep 19, 2022, 13:29:05] EVENT: CORE_THREAD_DONE

[Sep 19, 2022, 13:29:05] EVENT: DISCONNECT_PENDING

[Sep 19, 2022, 13:29:05] Raw stats on disconnect:


[Sep 19, 2022, 13:29:05] Performance stats on disconnect:
CPU usage (microseconds): 39064
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

Client config:

client
dev tun
proto udp4
remote X.X.X.X 1234
remote Y.Y.Y.Y 1234
remote-random
nobind
resolv-retry infinite
data-ciphers AES-128-GCM
auth SHA256
remote-cert-tls server
persist-key
persist-tun
verb 3
...

Server config has these parameters:

auth SHA256
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC

tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

What's the problem?

I would be glad of any help! There are many clients; only some of them have been updated and got the problem. I'm afraid there may be more such cases in the near future. It is not possible to roll back the application to a previous version.

Regards,
Denis.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: iOS client 3.3.2 (5086) issue

Post by openvpn_inc » Mon Sep 19, 2022 5:04 pm

Hi Denis,

The client configuration you showed has no --key line.

The error you showed is:

:parse_pem: error in private key:: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt / error:23077074:PKCS12 ...

Apparently openvpn thinks your key is in a PKCS #12 file, but your openssl is unable to decrypt/parse that file.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

dsd7150
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 19, 2022 2:59 pm

Re: iOS client 3.3.2 (5086) issue

Post by dsd7150 » Mon Sep 19, 2022 5:37 pm

In fact, this parameter is inside the config. Such configurations worked fine with version 3.2.3 (3760). This is the complete client configuration with sensitive information stripped out:

client
dev tun
proto udp4
remote X.X.X.X 1234
remote Y.Y.Y.Y 1234
remote-random
nobind
resolv-retry infinite
data-ciphers AES-128-GCM
auth SHA256
remote-cert-tls server
persist-key
persist-tun
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIJAIeMapqkePPdMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDSDCCAjCgAwIBAgIQFdLuea5Y7ioZvReRNVaDjzANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yMTExMDEwODI0NTVaFw0yNDAyMDQw
ODI0NTVaMBAxDjAMBgNVBAMMBWFkbWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
....
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[Moderator removed]
....
-----END ENCRYPTED PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
12254d6ce2992a0200f5d93d3d04515a
c2caa11fc40bb63e5cde0554d4728588
65219155892b214129b04a5c975dcf2e
54ddc7a068a70aa9a9729d05a7f891e5
6b28e4fce54dcb144ca566d4962f1d5b
....
-----END OpenVPN Static key V1-----
</tls-auth>

How to solve this problem?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: iOS client 3.3.2 (5086) issue

Post by TinCanTech » Mon Sep 19, 2022 7:24 pm

dsd7150 wrote:
Mon Sep 19, 2022 5:37 pm
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[Moderator removed]
....
-----END ENCRYPTED PRIVATE KEY-----
</key>
The config needs --askpass to ask for the encrypted key pass phrase.

dsd7150
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 19, 2022 2:59 pm

Re: iOS client 3.3.2 (5086) issue

Post by dsd7150 » Tue Sep 20, 2022 1:58 pm

The problem was solved by re-importing the profile into OpenVPN. I forgot to say that the user had saved the password so as not to re-enter it for the X.509 cert. Probably, after updating the app on iOS, the cache where the entered password is stored was cleared.

Thanks for helping!
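The thread's root cause is an encrypted inline <key> whose passphrase the client no longer had (the cached one was dropped on upgrade), surfacing as the PKey::parse_pem "bad decrypt" error in the log above; TinCanTech's point is that a profile carrying such a key needs a passphrase source. The following preflight checker is an added example written for this thread, not code from OpenVPN Inc. or any poster: it parses an .ovpn profile (directives plus inline <tag> blocks), detects whether the inline key is encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy PEM with "Proc-Type: 4,ENCRYPTED") by inspecting the PEM headers only, and flags a profile that has an encrypted key but no askpass directive. It uses only the Python standard library; the sample profiles and their PEM bodies are constructed dummy data, not real certificates or keys.

```python
"""Preflight check for OpenVPN client profiles (added example, not OpenVPN code).

Flags an encrypted inline <key> that has no passphrase source (no `askpass`),
which is the situation that produced the "PKey::parse_pem ... bad decrypt"
error in this thread once the client's cached passphrase was gone.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    directives: list                          # (name, [args]) in file order
    inline: dict = field(default_factory=dict)  # tag -> body text


def parse_profile(text):
    """Split .ovpn text into plain directives and inline <tag>...</tag> blocks."""
    directives, inline = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                           # blank or comment line
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            tag, body = m.group(1), []
            for inner in lines:                # consume until the closing tag
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            else:
                raise ValueError(f"unterminated <{tag}> block")
            inline[tag] = "\n".join(body)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return Profile(directives, inline)


def key_is_encrypted(pem):
    """Header-only test: PKCS#8 EncryptedPrivateKeyInfo, or legacy PEM with
    a 'Proc-Type: 4,ENCRYPTED' header. The key material is not decoded."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return True
    return re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED", pem, re.M) is not None


def has_directive(profile, name):
    return any(d == name for d, _ in profile.directives)


def check_profile(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = parse_profile(text)
    findings = []
    has_key = "key" in p.inline or has_directive(p, "key") or has_directive(p, "pkcs12")
    if not has_key:
        findings.append("no client private key: no inline <key>, --key or --pkcs12")
        return findings
    pem = p.inline.get("key")
    if pem is not None and key_is_encrypted(pem) and not has_directive(p, "askpass"):
        findings.append("inline <key> is encrypted but the profile has no askpass "
                        "directive: the passphrase must be entered or cached by the client")
    return findings


# Constructed sample profiles; the PEM bodies are dummy base64, not real keys.
DUMMY_B64 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"

SAMPLE_ENCRYPTED = f"""client
dev tun
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
{DUMMY_B64}
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
{DUMMY_B64}
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

SAMPLE_PLAIN = SAMPLE_ENCRYPTED.replace("ENCRYPTED PRIVATE KEY", "PRIVATE KEY")

SAMPLE_LEGACY_KEY = f"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

{DUMMY_B64}
-----END RSA PRIVATE KEY-----"""


if __name__ == "__main__":
    for name, prof in (("encrypted, no askpass", SAMPLE_ENCRYPTED),
                       ("encrypted, askpass", SAMPLE_ENCRYPTED + "askpass\n"),
                       ("plain key", SAMPLE_PLAIN)):
        print(f"{name}: {check_profile(prof) or 'ok'}")
```

Because only PEM headers are inspected, the check cannot tell whether a cached passphrase is still correct; it tells you which profiles in a fleet depend on one, which is the population that a client upgrade clearing its password store would hit.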
