OpenVPN with OpenSSL engine not working on fedora 28

ignaciox.jaureguiberry@...

Hi everyone!

We aren’t able to use OpenVPN with the OpenSSL engine. When starting the OpenVPN client, we get:

$ openvpn --engine tpm2 --config client.conf
Wed Nov 14 16:46:14 2018 WARNING: file '/etc/openvpn/client/key_file' is group or others accessible
Wed Nov 14 16:46:14 2018 OpenVPN 2.5_git [git:tpm-patch-v4/849006bf17bba524+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 13 2018
Wed Nov 14 16:46:14 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.08
Wed Nov 14 16:46:14 2018 Initializing OpenSSL support for engine 'tpm2'
Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Wed Nov 14 16:46:14 2018 PEM_read_bio failed, now trying engine method to load private key
Wed Nov 14 16:46:14 2018 OpenSSL: error:26096075:engine routines:ENGINE_load_private_key:not initialised
Wed Nov 14 16:46:14 2018 Engine could not load key file
Wed Nov 14 16:46:14 2018 Exiting due to fatal error

About our environment:
• Fedora 28
• openssl-1.0.2p
• ibmtss1119
• openssl_tpm2_engine-2.0.0
• openvpn (patched with https://patchwork.openvpn.net/patch/231/, over OpenVPN commit 849006bf17bba524e6f3344598adcbe41bedf450)

We’ve successfully executed all the required steps documented in the README of openssl_tpm2_engine, including launching an https server on port 4433.
Maybe the problem is the OpenVPN configuration? We pointed the *key* parameter to the “key_file” (the file generated by *create_tpm2_key*, which has *BEGIN TSS2 PRIVATE KEY* on its first line).

ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
cipher AES-256-CBC
client
dev tun
key /etc/openvpn/client/key_file
nobind
persist-key
persist-tun
proto udp
remote x.x.x.x 1194
remote-cert-tls server
resolv-retry infinite
tls-auth /etc/openvpn/client/ta.key 1
verb 3

Also, using strace we can see that *client.crt* and *key_file* are opened and read, and after that OpenVPN exits with an error.
We feel we’ve come a long way and that this is failing because of some minor configuration detail. Can anyone give us a hint?

Thanks in advance
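As an added example, not part of the original post and not code from OpenVPN or the openssl_tpm2_engine project, here is a small POSIX shell helper that checks the three things the log above touches before OpenVPN is even started: that the file given to *key* carries the `BEGIN TSS2 PRIVATE KEY` header produced by *create_tpm2_key* (rather than a plain PKCS#8/PKCS#1 key), that it is not group- or other-readable (the source of the first WARNING line), and that `openssl engine -t` reports the engine as available under the id passed to `--engine`. The engine id `tpm2`, the file paths and the sample key contents are assumptions for illustration; the functions are hypothetical names, not anything the project ships.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or openssl_tpm2_engine).
# Assumptions: engine id "tpm2" (as in `openvpn --engine tpm2`), and a key
# created by create_tpm2_key begins with "-----BEGIN TSS2 PRIVATE KEY-----".

# pem_key_kind FILE -> prints tss2 | pkcs8 | pkcs1 | ec | unknown, based on
# the first PEM header line only (no parsing of the body).
pem_key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '-----BEGIN TSS2 PRIVATE KEY-----') echo tss2 ;;
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8 ;;
        '-----BEGIN RSA PRIVATE KEY-----') echo pkcs1 ;;
        '-----BEGIN EC PRIVATE KEY-----') echo ec ;;
        *) echo unknown ;;
    esac
}

# key_mode_private FILE -> 0 when no group/other permission bits are set,
# which is the condition behind OpenVPN's "group or others accessible" warning.
# Uses ls(1) columns 5-10 (group rwx, other rwx) so it works on non-GNU stat.
key_mode_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# engine_loads ID -> 0 when `openssl engine -t ID` reports "[ available ]".
# A missing openssl binary or an unloadable engine both yield non-zero.
engine_loads() {
    openssl engine -t "$1" 2>/dev/null | grep -q '\[ available \]'
}

# check_openvpn_key FILE ENGINE -> prints one line per check; returns 0 only
# when the key header is recognised, the mode is private and the engine loads.
check_openvpn_key() {
    f=$1; eng=$2; rc=0
    kind=$(pem_key_kind "$f")
    if [ "$kind" = tss2 ]; then
        echo "ok: $f is a TSS2-wrapped key (only loadable through --engine $eng)"
    elif [ "$kind" = unknown ]; then
        echo "fail: $f has no recognised PEM header"; rc=1
    else
        echo "ok: $f is a plain $kind key (loadable without the engine)"
    fi
    if key_mode_private "$f"; then
        echo "ok: $f is not group/other accessible"
    else
        echo "warn: $f is group or others accessible; chmod 600 it"; rc=1
    fi
    if engine_loads "$eng"; then
        echo "ok: engine '$eng' is available to openssl"
    else
        echo "fail: engine '$eng' is not available to openssl (check its install path)"; rc=1
    fi
    return $rc
}

# Example invocation with the paths from the post (assumed to exist on the
# machine where this is run):
# check_openvpn_key /etc/openvpn/client/key_file tpm2
```

Run it as `sh check_key.sh` on the OpenVPN client host; a `fail` on the engine line means OpenSSL itself cannot load the engine, independent of anything in client.conf, while a `warn` on the mode line reproduces only the harmless WARNING from the log.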
