Tunnelblick 3.5.21 does not seem to fetch OpenVPN SA account and password from PPC Mac OS X 10.5.8 Keychain Access


Peter_...@freenet.de

Jan 16, 2018, 6:09:29 PM
to tunnelblick-discuss
Hello!

When I input account and password manually the connection is established. When I let Tunnelblick store this data the next time it seems to fail to retrieve them from Keychain Access, at least this is what I get effectively:

2018-01-16 12:19:26 OpenVPN 2.3.18 powerpc-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan  7 2018
2018-01-16 12:19:26 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.08
2018-01-16 12:19:26 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2018-01-16 12:19:26 Need hold release from management interface, waiting...
2018-01-16 12:19:14 *Tunnelblick: OS X 10.5.8; Tunnelblick 3.5.21 (build 4270.4981)
2018-01-16 12:19:18 *Tunnelblick: Attempting connection with int-client using shadow copy; Set nameserver = 1; monitoring connection
2018-01-16 12:19:18 *Tunnelblick: openvpnstart start int-client.tblk 1337 1 0 1 0 18737 -ptADGNWradsgnw 2.3.18
2018-01-16 12:19:29 *Tunnelblick: openvpnstart log:
     Loading tun-20090913.kext
     stdout from kextload: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun-20090913.kext loaded successfully
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Spete-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sint--client.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_18737.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/pete/int-client.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Users/pete/int-client.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Users/pete/int-client.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --mtu-test
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw

2018-01-16 12:19:20 *Tunnelblick: openvpnstart starting OpenVPN
2018-01-16 12:19:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2018-01-16 12:19:31 MANAGEMENT: CMD 'pid'
2018-01-16 12:19:31 MANAGEMENT: CMD 'state on'
2018-01-16 12:19:31 MANAGEMENT: CMD 'state'
2018-01-16 12:19:31 MANAGEMENT: CMD 'bytecount 1'
2018-01-16 12:19:31 MANAGEMENT: CMD 'hold release'
2018-01-16 12:19:32 *Tunnelblick: Established communication with OpenVPN
===> 2018-01-16 12:19:33 *Tunnelblick: Obtained VPN username and password from the Keychain
2018-01-16 12:19:33 *Tunnelblick: Disconnecting; user cancelled authorization
2018-01-16 12:19:33 *Tunnelblick: Disconnecting using 'kill'
2018-01-16 12:19:34 MANAGEMENT: Client disconnected
===> 2018-01-16 12:19:34 ERROR: could not read Auth username/password/ok/string from management interface
2018-01-16 12:19:34 Exiting due to fatal error
2018-01-16 12:19:42 *Tunnelblick: No 'post-disconnect.sh' script to execute
2018-01-16 12:19:42 *Tunnelblick: Expected disconnection occurred.

The OpenVPN Server Appliance lives in AWS EC2 (Amazon Web Services or Cloud).

I am not sending any kill signals or cancelling anything, just waiting until I can ssh into EC2 servers in AWS. The preferences are set as in https://tunnelblick.net/cBeforeYouPost.html, except that I have set some free DNS servers for my PowerBook that are not greyed out.

--

Greetings

   Pete

P.S.: The "Copy Diagnostic Info to the Clipboard" button does not seem to work. Only Copy&Paste.

Tunnelblick developer

Jan 16, 2018, 7:34:07 PM
to tunnelblick-discuss
Thanks for your report.

I can reproduce the username/password problem on my 10.5.8 PPC machine, but I have no trouble getting "Copy Diagnostic Info to the Clipboard" button to work. Note that it may take up to several seconds before the Clipboard is set.

I think the username/password problem is related to the complaint that Tunnelblick.app makes that it has been modified. If the code signature isn't correct, Keychain access will be blocked, and I think that's what's happening. I don't know why the signature check is failing but will look into that and report back here when I find something.

Not related, but you should probably un-check "Run MTU maximum size test after connecting" in the "Advanced" options unless you really want to run the test. It isn't usually necessary.

Peter_...@freenet.de

Jan 17, 2018, 6:01:32 PM
to tunnelblick-discuss

Tunnelblick developer

Jan 17, 2018, 6:29:25 PM
to tunnelblick-discuss
The hash values are correct, as shown on the Deprecated Downloads page:

SHA1: 68e5cd95966041c7c0c66c7bcd06933208788e94
MD5: 1f56b8899e7e504c790c0ee67f243cdc
SHA256: dba140dae81c0a78bc1cbee6c9f7b2ae6567863c96bed20a1cc9322b99e6a96f

If the hashes for the download match the above, the download is correct.

But neither the hashes, nor the GnuPG signature (nor the digital signature on updates, which is a completely different thing!), have anything to do with the Apple-required digital signature on the application. It's that signature that is the problem. The signature on 3.5.21 is a "version 2" signature. Early OS X versions recognize only a "version 1" signature. Recent versions recognize only a "version 2" signature.

I can, and probably will, put up a version 3.5.22 that has a "version 1" signature. That will work on OS X 10.9.5 and lower. If they are using OS X 10, they will be warned about an invalid signature, but they should be able to update to the latest stable version of Tunnelblick, 3.7.4b.

I hope to do that, and make a release of 3.5.22, within the next 24 hours.

(Note: the links on the Tunnelblick download pages are to tunnelblick.net, which redirects them to GitHub, which redirects them to AWS. The AWS links "expire" when GitHub releases AWS server instances -- although that may not be the correct wording for what happens.)

Peter Dyballa

Jan 18, 2018, 7:32:19 AM
to tunnelbli...@googlegroups.com

On 18.01.2018 at 00:29, Tunnelblick developer wrote:

> SHA1: 68e5cd95966041c7c0c66c7bcd06933208788e94
> MD5: 1f56b8899e7e504c790c0ee67f243cdc
> SHA256:
> dba140dae81c0a78bc1cbee6c9f7b2ae6567863c96bed20a1cc9322b99e6a96f

I remember some warning, but since the GnuPG signature was OK I
proceeded to install.

> I hope to do that, and make a release of 3.5.22, within the next 24
> hours.

Thank you very much! Indeed, users of modern OS X should not really
need an old release.

--
Greetings

Pete

To drink without thirst and to make love all the time, madam, it is
only these which distinguish us from the other beasts.
– Beaumarchais

Tunnelblick developer

Jan 18, 2018, 4:18:52 PM
to tunnelblick-discuss
Tunnelblick 3.5.22, a security update for old versions to be used only on OS X 10.4 - 10.7.4, Deprecated Downloads page.

It has digital signatures that work on OS X 10.8.5 and lower, and should fix the username/password problems.

Everyone using OS X 10.7.5 or higher should use the latest stable or beta release, available on the Downloads page.

Peter Dyballa

Jan 22, 2018, 7:52:13 AM
to tunnelbli...@googlegroups.com

On 18.01.2018 at 22:18, Tunnelblick developer wrote:

> Tunnelblick 3.5.22, a security update for old versions to be used
> only on
> OS X 10.4 - 10.7.4, *Deprecated Downloads page*
> <https://tunnelblick.net/downloadsDeprecated.html>.
>
> It has digital signatures that work on OS X 10.8.5 and lower, and
> should
> fix the username/password problems.


This version works here on PPC Leopard, Mac OS X 10.5.8, quite well.
Installation happened without warnings. Tomorrow I'll see whether it
can reuse data from Keychain Access.

--
Greetings

Pete

Nothing beats an electric toilet brush!

Peter Dyballa

Jan 23, 2018, 10:28:38 AM
to tunnelbli...@googlegroups.com

On 18.01.2018 at 22:18, Tunnelblick developer wrote:

> Tunnelblick 3.5.22, a security update for old versions to be used
> only on
> OS X 10.4 - 10.7.4, *Deprecated Downloads page*
> <https://tunnelblick.net/downloadsDeprecated.html>.
>
> It has digital signatures that work on OS X 10.8.5 and lower, and
> should
> fix the username/password problems.


This release has no flaw, it works. Thank you!

--
Greetings

Pete

Don't just do something, sit there.
