Download of OpenVPN unsecure client zip file doesn't work

The download of the unsecure version never worked on my system (Core 151). It says:

	Mac verify error: invalid password?
	openssl error: 256 at /srv/web/ipfire/cgi-bin/ovpnmain.cgi line 2334.
	[Thu Dec 10 12:42:56.130541 2020] [cgid:error] [pid 23967:tid 132057980180032] [client 192.168.*.***:10327] End of script output before headers: ovpnmain.cgi, referer: https://*****.*****.****:444/

Greetz

Here’s the block of code where the error occurs:

	# Extract the certificate
	system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
		'-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
	if ($?) {
		die "openssl error: $?";
	}

Hi,

could you please file a bug for this at https://bugzilla.ipfire.org/ (your login credentials work there as well)?

Thanks, and best regards,
Peter Müller

Good morning,
this bug is already filed --> https://bugzilla.ipfire.org/show_bug.cgi?id=11048 .

Best,

Erik

1 Like

Hi,

I see, thanks. :)

Best regards,
Peter Müller

You're welcome, Peter.
@odongarma
If you want an insecure version with inline ca, cert, key(s), you need to enter no password during client creation; this should work in any case.

Nevertheless, there is a bug in the WUI. If you have a regular client with a password (secure) and you edit this client via the yellow pencil and save it again, this client gets a second disk icon for an insecure download option, which is wrong since you've already entered a password, so it ends up with an OpenSSL error message ‘Mac verify error: invalid password?’ if you want to download the insecure one.

@krasnal
Possibly the error is somewhere around here --> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/ovpnmain.cgi;h=68a70d14777f4d07711201e7f08b71c0d636eab6;hb=HEAD#l5429 ?

But I am currently not sure about that.

Hope this helps for a start, more to come. Best,

Erik

Good to know. This should be written down in the wiki too.

Greetz

Great idea,
thanks for making this.

Best,

Erik

Unfortunately, the original post lacks any context. I’m not sure “good to know” can be taken as confirmation that the file is password protected. Perhaps @odongarma can confirm this point.

2 Likes

I just learned the intention of the unsecure download. I never used this, but always wondered why this breaks the httpd server.

I think this “feature” can safely be removed in further cores…

Greetz

I think the insecure download needs to stay. This provides a .ovpn file that has the ca, cert and keys inline in the file.

If you have iOS based clients then often they require the ca, cert and keys to be inline in the .ovpn file and are not able to take in the separate certificate files and use them as needed.
You can take the basic .ovpn file and, using openssl commands, extract the required certificate information and place it in the .ovpn file, but I think it is simpler to have that option provided by IPFire.

We just need to discover why the WUI brings up the insecure icon when running with a secure setup with passwords.

2 Likes
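
The manual extraction mentioned in the post above, together with a check for the password mismatch behind the "Mac verify error", as an added example that is not part of the original thread and is not IPFire code. The function names, the file names and the assumption that the base profile references its credentials through `pkcs12`/`ca`/`cert`/`key` directives are hypothetical.

```shell
#!/bin/sh
# Added example, not IPFire code. Function and file names are hypothetical.

# Succeeds only if the PKCS#12 bundle opens with an EMPTY import password.
# A bundle created with a password fails here with
# "Mac verify error: invalid password?", the error quoted in this thread.
p12_has_empty_password() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Keep only the PEM blocks; openssl also prints "Bag Attributes" lines.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p'
}

# Print a profile with <ca>, <cert> and <key> inline.
#   $1 base .ovpn   $2 .p12 bundle   $3 import password (optional)
# Assumption: the base profile points at external files with the
# pkcs12/ca/cert/key directives, which are dropped here.
# The body is a subshell so the exported password does not leak to the caller.
make_inline_ovpn() (
    base=$1
    p12=$2
    # Pass the password via the environment rather than argv,
    # where it would show up in the process list.
    P12_PASS=${3-}
    export P12_PASS
    [ -r "$base" ] || { echo "cannot read $base" >&2; return 1; }
    # Fail before writing anything if the password does not open the bundle.
    if ! openssl pkcs12 -in "$p12" -noout -passin env:P12_PASS >/dev/null 2>&1; then
        echo "cannot open $p12: wrong or missing password" >&2
        return 1
    fi
    grep -Ev '^(pkcs12|ca|cert|key)[[:space:]]' "$base" || true
    echo '<ca>'
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin env:P12_PASS 2>/dev/null | pem_only
    echo '</ca>'
    echo '<cert>'
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null | pem_only
    echo '</cert>'
    echo '<key>'
    # -nodes writes the private key unencrypted: treat the output as a secret.
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12_PASS 2>/dev/null | pem_only
    echo '</key>'
)

# Usage: umask 077; make_inline_ovpn client.ovpn client.p12 "$pw" > client-inline.ovpn
```

The resulting file carries the private key in clear text, so it needs the same handling as the key itself.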

Hi all,

If a client is edited via the yellow pencil and new settings are configured, the ‘no-pass’ will be printed into the ovpnconfig. It seems that a check is missing from here → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi to there → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi.

Best,

Erik

1 Like

Hi @ummeegge

I had a look at the code myself to see if I could find what was missing but my capabilities were definitely not good enough to find what was missing.

As you are very busy with all the OpenVPN-2.5.0 WUI work, I would be willing to have a go at implementing a fix, based on your input, and see how I get on.

Let me know if this would be of help to you.

2 Likes

Hello @bonnietwin,
that's great, thanks.

Best,

Erik