Re: OpenVPN with OpenSSL engine not working on fedora 28

James Bottomley
 

On Thu, 2018-11-15 at 12:51 -0800, ignaciox.jaureguiberry@... wrote:
> Hi everyone!
>
> We aren’t able to use OpenVPN with OpenSSL engine. When starting the
> OpenVPN client, we get:
>
> $ openvpn --engine tpm2 --config client.conf
> Wed Nov 14 16:46:14 2018 WARNING: file '/etc/openvpn/client/key_file'
> is group or others accessible
> Wed Nov 14 16:46:14 2018 OpenVPN 2.5_git [git:tpm-patch-
> v4/849006bf17bba524+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
> [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 13 2018
> Wed Nov 14 16:46:14 2018 library versions: OpenSSL 1.0.2p 14 Aug
> 2018, LZO 2.08
> Wed Nov 14 16:46:14 2018 Initializing OpenSSL support for engine
> 'tpm2'
> Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> Wed Nov 14 16:46:14 2018 PEM_read_bio failed, now trying engine
> method to load private key
> Wed Nov 14 16:46:14 2018 OpenSSL: error:26096075:engine
> routines:ENGINE_load_private_key:not initialised
> Wed Nov 14 16:46:14 2018 Engine could not load key file
> Wed Nov 14 16:46:14 2018 Exiting due to fatal error

You're using my patch, I think? It has a bug in that it doesn't call
ENGINE_init()/ENGINE_finish(). You can either add that or add an
initialisation line in openssl.cnf like this:

[openssl_init]
engines = engines_section

[engines_section]
tpm2 = tpm2_section

[tpm2_section]
init = 1

I'll take an action to re-roll and resubmit that patch.

James
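
An added example, not part of the original message or of the OpenVPN patch: a small checker that traces whether an openssl.cnf actually reaches the engine section shown in the reply. It assumes the application loads the default configuration under the standard `openssl_conf` name; OpenSSL only reads `[openssl_init]` when the top-level (unnamed) section points at it. `engine_init_status`, `parse_conf` and the sample strings are constructed for illustration, and `engine_id` overrides and `$variable` expansion are not handled.

```python
import re

def parse_conf(text):
    """Minimal openssl.cnf reader: {section: {key: value}}; 'default' holds top-level keys."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def engine_init_status(text, engine="tpm2"):
    """Follow openssl_conf -> engines -> <engine> section and report the outcome."""
    conf = parse_conf(text)
    init_name = conf["default"].get("openssl_conf")
    if init_name is None:
        return "unreachable: no top-level 'openssl_conf' line"
    engines_name = conf.get(init_name, {}).get("engines")
    if engines_name is None:
        return f"unreachable: [{init_name}] has no 'engines' entry"
    engine_section = conf.get(engines_name, {}).get(engine)
    if engine_section is None:
        return f"unreachable: [{engines_name}] does not list '{engine}'"
    if engine_section not in conf:
        return f"unreachable: section [{engine_section}] is missing"
    # init = 0 suppresses initialisation; 1 does it immediately; when the
    # key is absent OpenSSL initialises after processing the section.
    if conf[engine_section].get("init") == "0":
        return "not initialised: init = 0"
    return "initialised"

# The snippet from the reply, as constructed sample input.
SNIPPET = """
[openssl_init]
engines = engines_section
[engines_section]
tpm2 = tpm2_section
[tpm2_section]
init = 1
"""
# Same snippet with the pointer that makes [openssl_init] reachable (assumed placement).
WIRED = "openssl_conf = openssl_init\n" + SNIPPET
```

Appending the `openssl_conf` line after a section header instead of at the top of the file puts it inside that section, and the checker reports the engine as unreachable in that case too.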
