App does not ask for inline certificate password

[slaver7]

Hi,

our server needs 2 passwords, one for the user account, one for the embedded server certificate.

View Originalclient.ovpn

1

2

3

client

4

5

6

7

dev tun

8

9

remote server 1194

10

11

proto udp

12

13

14

15

resolv-retry infinite

16

17

auth-retry none

18

19

auth-user-pass

20

21

22

23

nobind

24

25

persist-key

26

27

persist-tun

28

29

30

31

ecdh-curve secp521r1

32

33

auth SHA512

34

35

cipher AES-256-GCM

36

37

tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

38

39

remote-cert-tls server

40

41

42

43

mute-replay-warnings

44

45

explicit-exit-notify 1

46

47

48

49

verb 3

50

51

mute 20

52

53

54

55

reneg-sec 0

56

57

<ca>

58

--STRIPPED INLINE CA CERT--

59

</ca>

60

61

<tls-crypt>

62

63

#

64

65

# 2048 bit OpenVPN static key

66

67

#

68

69

-----BEGIN OpenVPN Static key V1-----

70

71

-----END OpenVPN Static key V1-----

72

73

</tls-crypt>

74

75

<key>

76

--STRIPPED INLINE KEY--

77

</key>

78

79

<cert>

80

--STRIPPED INLINE CERT--

81

</cert>

82

1

client

2

dev tun

3

remote server 1194

4

proto udp

5

resolv-retry infinite

6

auth-retry none

7

auth-user-pass

8

nobind

9

persist-key

10

persist-tun

11

ecdh-curve secp521r1

12

auth SHA512

13

cipher AES-256-GCM

14

tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

15

remote-cert-tls server

16

mute-replay-warnings

17

explicit-exit-notify 1

18

verb 3

19

mute 20

20

reneg-sec 0

21

<ca>

22

--STRIPPED INLINE CA CERT--

23

</ca>

24

<tls-crypt>

25

-----BEGIN OpenVPN Static key V1-----

26

-----END OpenVPN Static key V1-----

27

</tls-crypt>

28

<key>

29

--STRIPPED INLINE KEY--

30

</key>

31

<cert>

32

--STRIPPED INLINE CERT--

33

</cert>

After importing the configuration via safari (and copy it to ovpn), use app will ask for a user and password. After that the connection throws an error like

Code: Select all

mbed TLS: error parsing config private key : PK - Given private key password does not allow for correct decryption [ERR]

Where I have to set the certificate passphrase?

[slaver7]

After reading

https://community.openvpn.net/openvpn/t ... um_hist=12

I convert my key to an pkcs8 file using

Code: Select all

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}"

The UI is now asking for an certificate password but I get the error

Code: Select all

mbed TLS: error parsing config private key PKCS5 - Requested encryption or digest alg not available

[slaver7]

Using

Code: Select all

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}" -v1 PBE-SHA1-3DES

resolves the "Requested encryption or digest alg not available error" but now I a new error:

Code: Select all

mbed TLS: error parsing config private key : PKCS12 - Bad input parameters to function

Edit:
It look like "-v2 des3 -v2prf hmacWithSHA1" is required. If i'm using

Code: Select all

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}" -v2 des3 -v2prf hmacWithSHA1

I the private key can used

[TinCanTech]

You may find it easier to generate your PKI with easy-rsa:
https://github.com/OpenVPN/easy-rsa/releases

[slaver7]

I'm already using easyrsa but the installed version can not protect the keys without interaction.

Thanks

[TinCanTech]

That is the point of having a password ..... interaction by an authorised entity.