Category: Networking

OpenSSL Weak Certificate

I have a client’s VPN that was giving me a hard time. It was an OpenVPN connection.

There was a comment in the Forum that I was reading about security. It sounds like it would be better to regenerate the certificates, but since I have no control over the server, I couldn’t do that.

Error Messages

These are the error messages that I was seeing in my log:

  • Cannot load certificate file <path removed>COTVPN.crt
  • OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
  • Options error: Please correct these errors.

I checked my version:

$ openvpn --version
OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Solution

First, I edited the VPN’s configuration file:

sudo vi /etc/NetworkManager/system-connections/COTVPN

As the last line under the [vpn] section, I added the line:

tls-cipher=DEFAULT:@SECLEVEL=0

Then, I ran this command to reload the configuration:

sudo nmcli connection reload

After that, it worked.
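Before dropping the security level to 0, it is worth confirming which digest actually signed the client certificate, since that decides whether the weaker setting is needed at all. The following is an added example, not part of the original post: it walks the certificate's DER to read the signatureAlgorithm OID using only the Python standard library; the sample bytes and the OID table are mine, and the level thresholds assume OpenSSL 1.1.x behaviour.

```python
# Added example, not from the original post: read which digest a certificate was
# signed with, to confirm a "ca md too weak" diagnosis before lowering SECLEVEL.
# Pure-stdlib DER walk; the `cryptography` package is not needed.
import base64
import re

# Signature-algorithm OID -> digest (RFC 3279 / RFC 4055 identifiers).
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode DER OID content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_digest(der):
    """Digest in the outer signatureAlgorithm, i.e. the one the issuing CA used."""
    _, start, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)        # tbsCertificate: skipped entirely
    _, alg_start, _ = _tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)
    assert tag == 0x06, "expected an OID"
    oid = _decode_oid(der[o_start:o_end])
    return SIG_OID_DIGEST.get(oid, oid)     # unknown OIDs come back as dotted text

def pem_to_der(pem):                        # first CERTIFICATE block of a PEM file
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def seclevel_needed(digest):
    """Highest OpenSSL 1.1.x security level accepting this digest; None = the
    default level 1 is fine. (OpenSSL 3.0 also rejects SHA-1 at level 1.)"""
    return {"md5": 0, "sha1": 1}.get(digest)

# Constructed sample: empty tbsCertificate + real md5WithRSAEncryption id + dummy sig.
SAMPLE_MD5_DER = bytes.fromhex("30143000300d06092a864886f70d0101040500030100")
```

Point pem_to_der at the COTVPN.crt file from the error message; if the result is sha1 rather than md5, @SECLEVEL=1 would be enough on OpenSSL 1.1.x, whereas @SECLEVEL=0 lifts every key-size and cipher check for that connection, not only the digest one.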

Missing Packages

Note: Earlier, I was getting these messages:

  • VPN plugin at /usr/lib/NetworkManager/nm-iodine-auth-dialog is not executable
  • VPN plugin at /usr/lib/NetworkManager/nm-vpnc-auth-dialog is not executable

I installed these two packages:

  • network-manager-iodine-gnome
  • network-manager-vpnc-gnome

Those two packages fixed those errors.

Resources

Troubleshooting Windows Networking

Ok, ok. What’s a Windows article doing on a Linux blog? Well, I wanted to help a friend with a networking issue, and I thought maybe someone else might find it helpful as well. Every Linux user will end up running into Windows at some point anyway, either through a remote desktop or a virtual machine, so maybe it’s not too far off topic.

If you see something that I missed or a different approach to the problem, please comment below.

Here’s the issue … a friend’s computer connects to the wireless at their house but doesn’t have Internet. Other devices in their house connect, so it leads me to believe that the router is working although it could be an issue with DHCP and the other devices don’t need to renew their IP address. But, the laptop doesn’t work at their friend’s house. That makes me think that the problem is mostly with the laptop itself.


Mediatek 7630 on Ubuntu

We are now proud owners of an ASUS TP500LA-AB52T laptop.  It is a new laptop to help my wife with her new teaching job.  I have installed Ubuntu on it so that it matches the rest of the computers in the house.

The first issue is that the wireless doesn’t work on first boot.  This is a major blow because the point of the laptop was so that she could catch up on her teaching plans anywhere.  Being tethered to the router in the back room kind of defeats the purpose.

Here’s the wireless card information:

$ lspci | grep -i wireless
03:00.0 Network controller: MEDIATEK Corp. MT7630e 802.11bgn Wireless Network Adapter

The fix was just to manually install the wireless driver.  I found a bug post with fairly good instructions (Thank you keshara Dorakumbura).


LogMeIn VPN; PullMeHairOut on Ubuntu

You would think a stereotypical Linux user would not mind getting his hands dirty in the command-line trying to make a program work.  Well, either this user is not typical or that’s not true.  The LogMeIn Hamachi VPN solution seems to have some cool features, but the Linux client was painful to figure out.  Some documentation or instructions would be nice, but I think a nice basic user interface would also be helpful.  Command-line is cool, but I just need to get connected, and I don’t want to learn yet another networking tool to get where I need to go.

If you are attempting Hamachi, this blog post is your lifesaver:

Eric Lefevre-Ardant on Java & Agile: How to use LogMeIn under Linux

Next task is finding the Linux client.  They don’t have a production one, but they do have a beta version available.  Check out their beta page: LogMeIn Labs & Betas.  This part is awesome once you find it — choose your flavor, deb or rpm, they have it.  The Deb worked great for me on Ubuntu x64 10.04.

After installing, it was like nothing happened.  No new menu items show up in the menu.  Well, don’t worry, it installs a service and a command line program.  Here are the files shown in the package:

Files in the package

When the package installs, it starts the service.  You can see it running here:

Service Running

Now, you have it installed.  You need to use the command-line program to connect.  First, you simply need to connect to the LogMeIn server (everything goes through their server).  Note that you don’t need a user name or any credentials for this part (that will come later).  Here’s the command plain and simple:

sudo hamachi login

Now, if you have an account on LogMeIn, you need to “attach” to it.  If you are connecting to someone else’s network, you can skip this step.

sudo hamachi attach <email_address>

As far as I can tell, the next command just sets a name for your client.  This is the name that will appear in the administration pages online for LogMeIn Hamachi.

sudo hamachi set-nick <name>

In my case, I set my nickname to “stephen”:

My Nickname Setup

Then, online it will show this name:

Nickname Used

Now, the final step is to connect to the network.  This is where it got really confusing for me.  It was not the command or how to do anything, but the problem was just determining what network ID to use.  So, let me walk you through how to figure out the ID.

The person with the account on LogMeIn who set up the network will need to log in and view the “My Networks” page.  Then, click on the edit link next to the network:

Viewing the Network Settings

Then, here’s where you see the network ID to use in the join command.

Finding the Network ID for the Join command

Once you know this ID, you can simply run the command:

sudo hamachi do-join "<network ID>"

It may ask you for the password for the network.  The LogMeIn account holder can optionally set up the password.  If no password was set up, just hit enter, and it will proceed.  Here’s what the configuration looks like when you set up a network:

Network Password Setup

Now, you should be connected.  You should have a new network interface in your network settings:

ham0 network interface

If you need to connect to other machines in the Hamachi network by IP address, you will need the LogMeIn account holder to give you those IP addresses.  You talk to other machines via the IP address for the Hamachi network not the local network.

All in all, once you get it set up, it seems to work well.  I don’t like the fact that you have to run the program as administrator.  For my other VPNs, I don’t need super user access to configure or connect.  I also don’t like having an extra service running in the background.  Why can’t it just use the Network Manager Applet like the other VPNs?

Now, I would be remiss if I didn’t mention the GUI.  I found a Community Thread that points to a front-end called Haiguichi.  It has a Deb package that you can install, and that part worked fine.  It gives you a new menu item under Applications > Internet > Haiguichi.  I couldn’t get it to configure though, and I finally figured out the command-line, so I left it alone.

Feature Request: Refresh on Network Manager

I have been long wanting a refresh button on the Network Manager.  Apparently, I am not the only one who has thought that:

Ubuntu Brainstorm: Idea #17725: “Scan wireless networks” option in NetworkManager

Gnome Bugzilla: Bug 498887 – Refresh wireless network list

Here is the big argument against:

Bryan Clark: Refresh in reactive displays

So, here is the situation — I am working at home connected to my home router.  I pick up my laptop and leave it on while I drive to work.  When I get to work, it still shows my home wireless network in the list.  Then, at lunch, I pick up my laptop and take it to a restaurant that supports WiFi.  Again, it does not recognize the restaurant’s network.  From what I read, it could take up to 6 minutes to rescan and see the new networks in those situations.

The solution might be to speed up the scan frequency so I don’t have to wait so long upon arriving at a new location.  But, from what I read, that might have power management implications.  If you scan too frequently it will never go into power saving mode?  I don’t know, but for one thing, why can’t I control the scan frequency?

On the other hand, if I had an option to rescan, I could tell it when to scan without having it scan needlessly too frequently.  Why should it scan every 15 seconds when I am at a restaurant that doesn’t have WiFi?  When my battery was dying and only lasted 20 minutes, I wanted every ounce of power I could get!  I understand making things automatic for the user, but sometimes it is better to let the user decide.  The laptop will never know when I change locations like that unless maybe you add a GPS device to it.

Just my thoughts; can I have my refresh button?