
How to use a client certificate? #437

Closed
dmgeurts opened this issue Oct 31, 2024 · 22 comments
Labels: bug (Something isn't working)

Comments

dmgeurts (Author) wrote:
How can a client certificate be configured for a GlobalProtect connection? I've found instructions for openconnect on the CLI, but need a way to preconfigure a user client certificate (Linux). The UI doesn't list any certificate options and the portal doesn't distribute it, so pre-configuration is required.

yuezk (Owner) commented Nov 1, 2024

@dmgeurts

For the CLI, you can pass the certificate via the -c, --certificate parameter:

  -c, --certificate <CERTIFICATE>
          Use SSL client certificate file in pkcs#8 (.pem) or pkcs#12 (.p12, .pfx) format
  -k, --sslkey <SSLKEY>
          Use SSL private key file in pkcs#8 (.pem) format
  -p, --key-password <KEY_PASSWORD>

For the GUI, you can configure the certificate in the settings panel.

(screenshot)

dmgeurts (Author) commented Nov 1, 2024

@yuezk I don't see that option:

(screenshot)

Checked the version and I was running v2.1.4 from the repo. I manually upgraded to v2.3.8 and now see this option.

@dmgeurts dmgeurts closed this as completed Nov 1, 2024
dmgeurts (Author) commented Nov 1, 2024

When adding the .p12 certificate I now get this error:

builder error: error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:342:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

(screenshot)

@dmgeurts dmgeurts reopened this Nov 1, 2024
dmgeurts (Author) commented Nov 1, 2024

Connecting manually with openconnect works fine so it looks like gpgui isn't happy about something.

yuezk (Owner) commented Nov 1, 2024

Hi @dmgeurts, what command do you use with openconnect?

yuezk (Owner) commented Nov 1, 2024

It looks like the algorithm is not supported. You can try the following to see if it works for you.

Try editing ~/.config/gpgui/openssl.cnf and appending the following content:

[default_sect]
activate = 1
[legacy_sect]
activate = 1

[provider_sect]
default = default_sect
legacy = legacy_sect

Then quit the client and restart it.

Reference: https://stackoverflow.com/questions/72859711/convert-an-old-style-p12-to-pem-unsupported-algorithm-rc2-40-cbc

dmgeurts (Author) commented Nov 1, 2024

The openconnect command (no need to convert the PKCS#12 certificate for openconnect). The certificate is generated on a Palo Alto firewall:

sudo openconnect --protocol=gp --server=vpn.domain.com -u user -c Documents/VPN/user_cert.p12 -p <pwd>

Editing the openssl.cnf file hasn't made a difference.

dmgeurts (Author) commented Nov 1, 2024

The -legacy flag is indeed needed:

$ openssl pkcs12 -in Documents/VPN/user_cert.p12 -nodes
Enter Import Password:
Error outputting keys and certificates
2080E47329F60000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

dmgeurts (Author) commented Nov 1, 2024

I also tried adding this to the openssl.cnf file, but still no dice when trying to save the gpgui config with a legacy PKCS#12 file.

[openssl_init]
providers = provider_sect

dmgeurts (Author) commented Nov 1, 2024

If I convert the legacy .p12 to a current/normal PKCS#12, the error disappears when saving the gpgui config.

yuezk (Owner) commented Nov 2, 2024

If I convert the legacy p12 to a current/normal pkcs12, the error disappears when saving the gpgui config.

Then can you connect to the VPN in the GUI client?

dmgeurts (Author) commented Nov 2, 2024

Indeed, the VPN connects successfully when using the non-legacy PKCS#12 certificate. Can gpgui be made not to throw an error for legacy PKCS#12 certificates?

yuezk (Owner) commented Nov 2, 2024

If I convert the legacy p12 to a current/normal pkcs12, the error disappears when saving the gpgui config.

I will check. Can you post the command you use to convert the certificate?

dmgeurts (Author) commented Nov 2, 2024

In a nutshell:

openssl pkcs12 -legacy -in legacy.p12 -out temp.pem -nodes -passin pass:<pass>
openssl pkcs12 -legacy -in legacy.p12 -nocerts -out temp.key -passin pass:<pass> -passout pass:<pass>
openssl pkcs12 -export -out new.p12 -inkey temp.key -in temp.pem -passin pass:<pass> -passout pass:<pass>

dmgeurts (Author) commented Nov 2, 2024

Much appreciated.

If it were just me, converting the legacy PKCS#12 would be fine, but I'd like to avoid the process of having to convert the certificate when detailing VPN agent deployment and configuration for others.

yuezk (Owner) commented Nov 2, 2024

I'll check if I'm able to process the legacy certificate in the code.

yuezk added a commit that referenced this issue Nov 2, 2024
@yuezk yuezk added the bug Something isn't working label Nov 2, 2024
yuezk (Owner) commented Nov 2, 2024

Released in 2.3.9. You should remove the ~/.config/gpgui/openssl.cnf first and restart the client.

@yuezk yuezk closed this as completed Nov 3, 2024
dmgeurts (Author) commented Nov 4, 2024

I've updated to 2.3.9 but still get the same error after deleting the openssl.cnf file. Should it be regenerated?

yuezk (Owner) commented Nov 4, 2024

It will be regenerated automatically. If it doesn't regenerate, then you may not have quit it entirely, because clicking the close button won't quit it. You should click the quit item in the hamburger menu.

dmgeurts (Author) commented Nov 4, 2024

Hmmm, it's not regenerated. What is the content of this file meant to be? I should've just moved it instead of deleting it.

dmgeurts (Author) commented Nov 4, 2024

Rebooted, quit using the hamburger menu and then reinstalled it. It still throws the same error when using a legacy-format PKCS#12 certificate, and no openssl.cnf file is generated.

yuezk (Owner) commented Nov 5, 2024

I forgot to mention that "Enable OpenSSL Legacy Mode" should also be checked.

(screenshot)
