Openssl-wolfssl

Hello!

I'm moving to the recent release of openwrt 22.03.0-rc4 and found that openvpn does not work!

2022-06-23 16:43:45 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-06-23 16:43:45 OpenVPN 2.5.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2022-06-23 16:43:45 library versions: wolfSSL 5.3.0
2022-06-23 16:43:45 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-06-23 16:43:46 TCP/UDP: Preserving recently used remote address: [AF_INET]185.133.208.223:19000
2022-06-23 16:43:46 UDPv4 link local: (not bound)
2022-06-23 16:43:46 UDPv4 link remote: [AF_INET]XXXXXX:19000
2022-06-23 16:43:46 VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
2022-06-23 16:43:46 OpenSSL: verify problem on certificate
2022-06-23 16:43:46 OpenSSL: verify problem on certificate
2022-06-23 16:43:46 OpenSSL: verify problem on certificate
2022-06-23 16:43:46 TLS_ERROR: BIO read tls_read_plaintext error
2022-06-23 16:43:46 TLS Error: TLS object -> incoming plaintext read error
2022-06-23 16:43:46 TLS Error: TLS handshake failed
2022-06-23 16:43:46 SIGUSR1[soft,tls-error] received, process restarting
2022-06-23 16:43:51 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-06-23 16:43:51 TCP/UDP: Preserving recently used remote address: [AF_INET]185.133.208.223:19000
2022-06-23 16:43:51 UDPv4 link local: (not bound)
2022-06-23 16:43:51 UDPv4 link remote: [AF_INET]XXXXX:19000
2022-06-23 16:43:51 VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
2022-06-23 16:43:51 OpenSSL: verify problem on certificate
2022-06-23 16:43:51 OpenSSL: verify problem on certificate
2022-06-23 16:43:51 OpenSSL: verify problem on certificate
2022-06-23 16:43:51 TLS_ERROR: BIO read tls_read_plaintext error
2022-06-23 16:43:51 TLS Error: TLS object -> incoming plaintext read error
2022-06-23 16:43:51 TLS Error: TLS handshake failed
2022-06-23 16:43:51 SIGUSR1[soft,tls-error] received, process restarting

client certificate looks just fine:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 175 (0xaf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IT, ST=MI, L=Milano, O=6project IPv6 Tunnel Broker, OU=M&M Networks, CN=6project IPv6 Tunnel Broker/name=6project/emailAddress=xxxxxx.org
        Validity
            Not Before: Mar 22 08:24:23 2022 GMT
            Not After : Mar 19 08:24:23 2032 GMT
        Subject: C=IT, ST=MI, L=Milano, O=6project IPv6 Tunnel Broker, OU=M&M Networks, CN=xxxxxxx/name=6project/emailAddress=XXXX.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:XXXXXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                XXXX:6E
            X509v3 Authority Key Identifier: 
                keyid:XXXX:F3
                DirName:/C=IT/ST=MI/L=Milano/O=6project IPv6 Tunnel Broker/OU=M&M Networks/CN=6project IPv6 Tunnel Broker/name=6project/emailAddress=XXXX.org
                serial:XXXX:17

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:kuznetsov
    Signature Algorithm: sha256WithRSAEncryption
         bb:XXXXX:fe:
-----BEGIN CERTIFICATE-----

Did you correct any of the warnings it displayed?

Yes you're using an old config file with some deprecated options. Newer OpenVPN versions don't have much backward compatibility, this is intentional to stop use of insecure old methods.

I think that certificate depth=1 means the CA, not the server or client certificate.

Yes I did. No changes:

2022-06-23 18:46:09 OpenVPN 2.5.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2022-06-23 18:46:09 library versions: wolfSSL 5.3.0
2022-06-23 18:46:09 TCP/UDP: Preserving recently used remote address: [AF_INET]185.133.208.223:19000
2022-06-23 18:46:09 UDPv4 link local: (not bound)
2022-06-23 18:46:09 UDPv4 link remote: [AF_INET]185.133.208.223:19000
2022-06-23 18:46:09 VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
2022-06-23 18:46:09 OpenSSL: verify problem on certificate
2022-06-23 18:46:09 OpenSSL: verify problem on certificate
2022-06-23 18:46:09 OpenSSL: verify problem on certificate
2022-06-23 18:46:09 TLS_ERROR: BIO read tls_read_plaintext error

Are you sure?

(I'm unsure why users see words "error" and "problem" in the description of the log message, plus the exact problem...but say they fixed it. )

It seems your cert has an issue, clear as day.

Thank you for pointing me out. I'll try to figure out what wrong with cert. Yet it works fine with openwrt 21.03 and openvpn-openssl...

I sill have no solution yet. I unable to compile openvpn + wolfssl (missing deps) and test this cert file on a laptop. But I able to extract subject using openssl no problem. I guess this is wolfssl issue.

openssl x509 -noout -subject -in files/etc/openvpn/6project.ovpn
subject=C = IT, ST = MI, L = Milano, O = 6project IPv6 Tunnel Broker, OU = M&M Networks, CN = 6project IPv6 Tunnel Broker, name = 6project, emailAddress = support@6project.org

That is wolfssl bug. Please apply:

--- a/wolfssl/src/bio.c
+++ b/wolfssl/src/bio.c
@@ -2231,7 +2231,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
                 ret = b->eof;
                 break;
             default:
-                ret = wolfSSL_BIO_get_len(b) != 0;
+                ret = wolfSSL_BIO_get_len(b) == 0;
                 break;
         }

all credits to Juliusz Sosinowicz