Opened 9 years ago

Closed 15 months ago

#540 closed Bug / Defect (wontfix)

iOS: Incorrect processing of <ca></ca> contents in OpenVPN Connect

Reported by: fufel Owned by: OpenVPN Inc.
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for iOS v1.2.9
Severity: Not set Keywords: ios, ipad, iphone, OpenVPN Connect
Cc:

Description

OpenVPN Connect doesn't extract certificate chains in <ca></ca>. The unified (inline) configuration file format is used.
We have this config:

remote my.domain.com 443
client
dev tun
proto tcp
persist-remote-ip
nobind
persist-key
persist-tun
cipher AES-256-CBC
remote-cert-tls server
redirect-gateway def1
tls-timeout 4
comp-lzo
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
..
-----END RSA PRIVATE KEY-----
</key>

When trying to connect with OpenVPN Connect on iOS and Android we have the following error on client side:

2015-12-12 23:23:23 TCP recv EOF
2015-12-12 23:23:23 Transport Error: Transport error on 'my.domain.com: NETWORK_EOF_ERROR

on server side:

2015-12-12 23:23:23 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=2323
2015-12-12 23:23:23 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This config file works perfectly with OpenVPN GUI and OpenVPN for Android. If we issue the client certificate without an intermediate certificate, then OpenVPN Connect works fine.

Change History (11)

comment:1 Changed 9 years ago by Samuli Seppänen

Owner: set to jamesyonan
Status: new → assigned

comment:2 Changed 9 years ago by Samuli Seppänen

Milestone: release 1.0.5

comment:3 Changed 7 years ago by lanopop

I have the exact same problem. I need to put the full certificate chain in the .ovpn file, otherwise my VPN connection will not work. So this is the reason why there are multiple certs in the <ca> tag.

This works on Windows with the OpenVPN GUI, just on Apple iOS it doesn't.

Sat Oct  1 07:11:57 2016 TLS: Initial packet from [AF_INET6]::ffff:1.1.1.1:62867, sid=xxx xxx
Sat Oct  1 07:11:58 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=xxx, ST=xxx, O=xxx, CN=xxx
Sat Oct  1 07:11:58 2016 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Oct  1 07:11:58 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sat Oct  1 07:11:58 2016 TLS Error: TLS object -> incoming plaintext read error
Last edited 7 years ago by lanopop

comment:4 in reply to:  3 Changed 7 years ago by lanopop

Replying to lanopop:

I have the exact same problem. I need to put the full certificate chain in the .ovpn file, otherwise my VPN connection will not work. So this is the reason why there are multiple certs in the <ca> tag.

This works on Windows with the OpenVPN GUI, just on Apple iOS it doesn't.

Sat Oct  1 07:11:57 2016 TLS: Initial packet from [AF_INET6]::ffff:1.1.1.1:62867, sid=xxx xxx
Sat Oct  1 07:11:58 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=xxx, ST=xxx, O=xxx, CN=xxx
Sat Oct  1 07:11:58 2016 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Oct  1 07:11:58 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sat Oct  1 07:11:58 2016 TLS Error: TLS object -> incoming plaintext read error

So forget what I wrote before, because I figured out what the problem was for me... You are not allowed to use the same OU name for your root and intermediate certificate. Otherwise OpenVPN will tell you

Cannot load CA certificate file [[INLINE]] (entry 2 did not validate)
Cannot load CA certificate file [[INLINE]] (only 1 of 2 entries were valid X509 names)
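An added pre-deployment check for the two failure modes this ticket describes, not code from the ticket or from OpenVPN: it splits the inline <ca> block of a unified .ovpn into its PEM entries, reads issuer and subject straight from the DER (no third-party libraries), and flags an issuer that is missing from the block (the description's chain problem) and two entries with an identical subject name (the condition behind the "only 1 of 2 entries were valid X509 names" message in comment 4). The sample certificates are constructed, unsigned DER shapes built by the helpers at the bottom; the hostname vpn.example.invalid is a placeholder.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_children(buf):
    """Split the body of a DER SEQUENCE/SET into (tag, whole TLV, value) triples."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + n], "big"), j + n
        out.append((tag, buf[i:j + ln], buf[j:j + ln]))
        i = j + ln
    return out

def cert_names(der):
    """(issuer, subject) as raw DER Name bytes: Certificate -> tbsCertificate -> fields."""
    fields = der_children(der_children(der_children(der)[0][2])[0][2])
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def check_ca_block(ovpn):
    """Parse every PEM cert inside <ca>...</ca> of a unified .ovpn and report problems."""
    m = re.search(r"<ca>(.*?)</ca>", ovpn, re.S)
    certs = [base64.b64decode("".join(p.split())) for p in PEM_RE.findall(m.group(1) if m else "")]
    names = [cert_names(c) for c in certs]
    subjects = [s for _, s in names]
    problems = []
    if len(set(subjects)) != len(subjects):             # OpenVPN: "entry N did not validate"
        problems.append("duplicate subject name in <ca>")
    for i, (issuer, subject) in enumerate(names, 1):    # every non-root needs its issuer present
        if issuer != subject and issuer not in subjects:
            problems.append(f"issuer of entry {i} is missing from <ca>")
    return {"count": len(certs), "problems": problems}

# Constructed test data below: minimal unsigned DER shapes, not real certificates.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body               # short-form length only (< 128 bytes)
def _name(cn):                                          # Name ::= SEQ { SET { SEQ { id-at-commonName, cn } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))))
def _pem_cert(subject, issuer):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x30, b"") + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
def constructed_ovpn(pairs):                            # unified .ovpn with a <ca> built from (subject, issuer) CNs
    return "client\nremote vpn.example.invalid 443\n<ca>\n" + "".join(_pem_cert(s, i) for s, i in pairs) + "</ca>\n"
```

Run it against a real .ovpn with `check_ca_block(open("client.ovpn").read())`; an empty problems list means every intermediate's issuer is present and no two entries share a subject.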

comment:5 Changed 6 years ago by Antonio Quartulli

Owner: changed from jamesyonan to Antonio Quartulli

v1.2.6 has just been launched on the AppStore. Could you please test that version and let us know if the bug is still there?

comment:6 Changed 6 years ago by Antonio Quartulli

Resolution: worksforme
Status: assigned → closed

Please, reopen the bug if that's the case.
Thanks

comment:7 Changed 6 years ago by fufel

Resolution: worksforme
Status: closed → reopened

The bug is still not fixed in the current version 1.2.9.

comment:8 Changed 6 years ago by Antonio Quartulli

Summary: Incorrect processing of <ca></ca> contents in OpenVPN Connect (iOS) → iOS: Incorrect processing of <ca></ca> contents in OpenVPN Connect
Version: OpenVPN Connect for iOS v1.2.9

The OP said that he found a solution to this problem, therefore I guess that what you are seeing is something different? Could you please clarify and provide logs and configs?
Thanks!

comment:9 in reply to:  8 Changed 4 years ago by fufel

Replying to Antonio:

The OP said that he found a solution to this problem, therefore I guess that what you are seeing is something different? Could you please clarify and provide logs and configs?
Thanks!

This bug still exists and is not fixed. All the original data remains the same (logs and configs are the same, except iOS/iPadOS versions and OpenVPN Connect 3.1.2 version (3096)).

comment:10 Changed 3 years ago by Antonio Quartulli

Owner: changed from Antonio Quartulli to OpenVPN Inc.
Status: reopened → assigned

comment:11 Changed 15 months ago by Gert Döring

Resolution: wontfix
Status: assigned → closed

OpenVPN Inc does not want to receive any feedback for the "Connect" OpenVPN clients via the community bug trackers (here and in GH issues).

Please resubmit - if still relevant - via https://support.openvpn.net/
