Opened 13 years ago
Closed 13 years ago
#108 closed Bug / Defect (fixed)
openvpn 2.2rc2 does not like --client-cert-not-required
| Reported by: | JJK | Owned by: | David Sommerseth |
|---|---|---|---|
| Priority: | blocker | Milestone: | release 2.2.0 |
| Component: | Certificates | Version: | OpenVPN 2.2-beta / 2.2-RC (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Reported by samenlia (https://forums.openvpn.net/topic7751.html), confirmed by me:
openvpn 2.2-rc2 does not like --client-cert-not-required; an identical server config which works with 2.1.4 does not work with 2.2-rc2. When a client connects which does not present a certificate the following message is logged:
Mar 30 11:16:30 2011 us=211229 194.171.96.28:50855 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 11:16:30 2011 us=211292 194.171.96.28:50855 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 30 11:16:30 2011 us=211356 194.171.96.28:50855 TLS Error: TLS handshake failed
the exact same client+server work with 2.1.4.
Attachments (2)
Change History (6)
Changed 13 years ago by
| Attachment: | trac-108-server.conf added |
|---|
comment:1 Changed 13 years ago by
| Owner: | set to David Sommerseth |
|---|---|
| Status: | new → accepted |
I've bisected this issue and found the offending commit:
2e8337de248ef0b5b48cbb2964da0d5c3f28b15b is the first bad commit
commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b
Author: Emilien Mantel <emilien.mantel@businessdecision.com>
Date: Thu Jun 17 21:38:59 2010 +0200
Choose a different field in X509 to be username
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
username (few people can have the same "CN"). In our case, we only use the UID.
With my patch, you can choose another field to be username with a new option called
--x509-username-field, the default value is "CN".
Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
:100644 100644 8c5af91e22a5ca84b82833940feee642989b07a6 717c5d70de6b9e64ac9307dc09c27b2c1bfbc781 M options.c
:100644 100644 52763f3b1b5e2d2af8016698ee661970f7f4c6d4 cb29d797d4a7c7cb0e6595d3f6256ddfec57d200 M options.h
:100644 100644 cf4c7bf6096eac0317723abd2dbf2e86e391d73c e6285040fb9f20ed7ba809c6aacbf247c42241ae M ssl.c
:100644 100644 19a85401bdb05b228fcde8d11c908a4be0a85514 8415d5555908ecbf9c7779106e6a452f082e488a M ssl.h
Depending on how long time it will take to fix this, this commit together with the following commit are in risk to get reverted.
commit fbd18db6485e3d08d8d933263cff96ee60eddb39
Author: David Sommerseth <davids@redhat.com>
Date: Wed Dec 15 10:53:04 2010 +0100
Make the --x509-username-field feature an opt-in feature
comment:2 Changed 13 years ago by
Proposed patch: http://thread.gmane.org/gmane.network.openvpn.devel/4555
comment:3 Changed 13 years ago by
| Component: | Generic / unclassified → Certificates |
|---|---|
| Milestone: | → release 2.2 |
| Priority: | major → blocker |
comment:4 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
Proposed fix has been tested and ACKed by janjust, applied to the git tree.
commit 008a18e772bf1854f9a2102bef4b3d5b0a08a66b (master)
commit 272aef2f0fd6b8c81c397fc32a503776e2b4bef1 (beta2.2)
Author: David Sommerseth <davids@redhat.com>
Date: Wed Mar 30 14:14:21 2011 +0200
Fix the --client-cert-not-required feature
Report-URL: https://community.openvpn.net/openvpn/ticket/108
Report-URL: https://forums.openvpn.net/topic7751.html
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
server configuration