OpenVPN client problem with RSA-1024 certificates

Hi everybody

I'm a noob using OpenWRT and LEDE projects and I have a question about the openvpn client configuration using Luci.
My router is a TP-Link TL-WR841N v11 (no more than 4Mb flash) and I have installed the following release of LEDE : 17.01-SNAPSHOT r3218-bf53a83
I would like to configure an openVPN client using my 'SecurityKiss' VPN account.
All is clear for me about the configuration options, but the VPN connection doesn't work, probably because the SecurityKiss certificates are RSA-1024 certificates and mbedtls refuses those for security reasons. mbedtls requires at least RSA-2048 certificates (source: https://bugs.lede-project.org/index.php?do=details&task_id=405)

Here is my system log part about this :

Tue Oct 10 18:11:37 2017 daemon.notice openvpn(security_kiss)[1498]: TLS: Initial packet from [AF_INET]91.121.103.225:5353, sid=1b5928a4 8bcd9ff3
Tue Oct 10 18:11:38 2017 daemon.notice openvpn(security_kiss)[1498]: VERIFY OK: depth=1, C=IE, ST=IE, L=Dublin, O=GL, CN=GL CA
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: VERIFY ERROR: depth=0, subject=C=IE, ST=IE, L=Dublin, O=GL, CN=server: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS object -> incoming plaintext read error
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS handshake failed

Is there a solution to this problem, e.g. using openvpn-openssl instead of openvpn-mbedtls?
Thanks in advance for your help.
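The log above shows the CA (depth=1) verifying fine while the server certificate (depth=0) is rejected for its key size, so the useful check before deciding between the two openvpn packages is to inspect the RSA modulus size of the certificates a provider ships. The following Python is an added example, not code from this thread or from OpenVPN/mbedtls: a minimal DER walker using only the standard library. The 2048-bit minimum is the one the thread attributes to mbedtls; the `toy_rsa_cert` builder, the file name `check_rsa_bits.py` and the function names are my own constructs.

```python
"""Report an X.509 certificate's RSA modulus size and compare it with a minimum.

Added example (not from the forum thread): a minimal DER walker using only the
standard library. The 2048-bit minimum is the one the thread attributes to mbedtls."""
import base64
import re
import sys

MIN_RSA_BITS = 2048                                        # mbedtls minimum per the thread
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, used for round-trip checks."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def rsa_modulus_bits(cert_der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey."""
    _, cert, _ = der_tlv(cert_der)                         # Certificate ::= SEQUENCE
    tbs = next(der_children(cert))[1]                      # tbsCertificate is the first field
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    alg, bit_string = [v for _, v in der_children(spki)][:2]
    oid = next(der_children(alg))[1]
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("subject key is not rsaEncryption")
    _, rsa_pub, _ = der_tlv(bit_string[1:])                # skip the BIT STRING unused-bits byte
    modulus = next(der_children(rsa_pub))[1]               # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


def key_size_acceptable(cert_der: bytes, minimum: int = MIN_RSA_BITS) -> bool:
    """True when the subject RSA key meets the configured minimum size."""
    return rsa_modulus_bits(cert_der) >= minimum


# --- constructed test data: a placeholder certificate with a chosen key size ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i: int) -> bytes:
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                                        # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def toy_rsa_cert(modulus_bits: int) -> bytes:
    """Constructed, unsigned placeholder certificate; only the key size is meaningful."""
    n = (1 << (modulus_bits - 1)) | 1                      # odd value with exactly modulus_bits bits
    rsa_pub = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")                                # stand-in for issuer/validity/subject
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + empty + empty + empty + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # usage: python check_rsa_bits.py server.crt   (falls back to the constructed 1024-bit cert)
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else toy_rsa_cert(1024)
    bits = rsa_modulus_bits(der)
    print(f"RSA modulus: {bits} bits; meets {MIN_RSA_BITS}-bit minimum: {bits >= MIN_RSA_BITS}")
```

Run it against each certificate in the provider's bundle (CA and server); a chain is only as acceptable as its smallest key, which is why the CA passing at depth=1 did not rescue the 1024-bit leaf at depth=0.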

The openvpn-openssl is working with RSA1024.

Thanks for your reply but I have no idea how to install and use openvpn-openssl instead of openvpn-mbedtls :-/
Also, I do not know if there is enough free flash space for this on my router.
Is there a tutorial, or can someone help me with a procedure?

Uninstall the openvpn-mbedtls package and install openvpn-openssl:

# cp -a /etc/openvpn/ /etc/openvpn.bck
# opkg update
# opkg remove --autoremove openvpn-mbedtls
# opkg install openvpn-openssl
# /etc/init.d/openvpn enable
# /etc/init.d/openvpn start
If openvpn is working then
# rm -rf /etc/openvpn.bck

Thanks for your reply. I will check this as soon as possible...

Oops, I encountered a big problem...

OK, removing the openvpn-mbedtls package:

root@LEDE:/etc/opkg# opkg remove --autoremove openvpn-mbedtls
Removing package openvpn-mbedtls from root...
Not deleting modified conffile /etc/config/openvpn.

but it fails when trying to add the openvpn-openssl package

root@LEDE:/etc/opkg# opkg install openvpn-openssl
Collected errors:

 * pkg_hash_add_from_file: Failed to open /var/opkg-lists/reboot_routing: Out of memory.

and it fails too when trying to re-install the openvpn-mbedtls package

root@LEDE:/etc/opkg# opkg install openvpn-mbedtls
Collected errors:

 * pkg_hash_add_from_file: Failed to open /var/opkg-lists/reboot_routing: Out of memory.

Would there be anything more I could clean up before installing a new package?

  • If your device has only 4MB flash, you need to have the packages you want in the image you flash to the device.
  • Erasing packages which are included in the flashed firmware image does not free any space in flash.
  • Erasing packages you installed after flashing the firmware image however does free the space that you just uninstalled.

OK I understand.
And so I guess I have to reinstall the firmware if I want to recover openvpn functionality?
And after that, is there really a way to replace the openvpn-mbedtls package with the openvpn-openssl package in order to use an RSA-1024 certificate, considering that my router only has 4MB flash?

-> Build your own image with just the packages included that you need. The Imagebuilder is the easiest way to achieve this.

https://lede-project.org/docs/user-guide/imagebuilder
https://lede-project.org/faq/before_installation#which_packages_can_i_safely_remove_to_save_space

And as a general advice regarding devices with only 4MB flash / 32MB RAM:
https://lede-project.org/meta/infobox/432_warning

If possible, don't use RSA1024. It is highly likely that it is already cracked. Looking it up, I see tons of articles titled RSA 1024 cracked.

Thanks for your information. I will try to do that.

Use RSA 2048 or even better, 4096.

I am aware that RSA-1024 is not a good encryption choice, but for now I do not really have the choice.
For my specific usage, it is not very critical to have strong encryption.