Opened 7 years ago
Closed 4 years ago
#798 closed Bug / Defect (notabug)
certificate for tap-windows driver is outdated
| Reported by: | hkocam | Owned by: | Samuli Seppänen |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | tap-windows | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
Silent install on Windows 10 fails/hangs as there is always the confirmation dialog for the device driver.
Output from PowerShell:
```
PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN\tap-windows-9.21.2.exe"

    Verzeichnis: C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN

SignerCertificate                          Status   Path
-----------------                          ------   ----
5E66E0CA2367757E800E65B770629026E131A7DC   Valid    tap-windows-9.21.2.exe

PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN\tap-windows-9.21.2.exe"|fl

SignerCertificate      : [Subject]
                           CN="OpenVPN Technologies, Inc.", O="OpenVPN Technologies, Inc.", L=Pleasanton, S=California, C=US
                         [Issuer]
                           CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                         [Serial Number]
                           04D54DC0A2016B263EEEB255D321056E
                         [Not Before]
                           13.08.2013 02:00:00
                         [Not After]
                           02.09.2016 14:00:00
                         [Thumbprint]
                           5E66E0CA2367757E800E65B770629026E131A7DC
TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signatur wurde überprüft.
Path                   : C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN\tap-windows-9.21.2.exe
SignatureType          : Authenticode
IsOSBinary             : False

PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver\tap0901.cat"

    Verzeichnis: C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver

SignerCertificate                          Status   Path
-----------------                          ------   ----
5E66E0CA2367757E800E65B770629026E131A7DC   Valid    tap0901.cat

PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver\tap0901.cat"|fl

SignerCertificate      : [Subject]
                           CN="OpenVPN Technologies, Inc.", O="OpenVPN Technologies, Inc.", L=Pleasanton, S=California, C=US
                         [Issuer]
                           CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                         [Serial Number]
                           04D54DC0A2016B263EEEB255D321056E
                         [Not Before]
                           13.08.2013 02:00:00
                         [Not After]
                           02.09.2016 14:00:00
                         [Thumbprint]
                           5E66E0CA2367757E800E65B770629026E131A7DC
TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signatur wurde überprüft.
Path                   : C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver\tap0901.cat
SignatureType          : Authenticode
IsOSBinary             : False
```
Status for the certificate is valid, but it was only valid till 2016-09-02.
Kind regards
hkocam
Attachments (2)
Change History (17)
comment:1 follow-up: 2 Changed 7 years ago by
Changed 7 years ago by
| Attachment: | computer_certificates_trusted_issuer.png added |
|---|---|
certificate store trusted issuers
comment:2 Changed 7 years ago by
Hi,
sorry for the delay
Replying to samuli:
The only way to get rid of the prompt would be to inject our publisher certificate into the Windows certificate store before running the tap-windows6 installer.
That's what i'm doing here too, see attachment 1,
when i monitor the process with process explorer, the process only sits there more or less idle.
we are running the installation using the system-account, maybe this
this is the stack trace I get while it sits there:
```
ntoskrnl.exe!KeSynchronizeExecution+0x3f26
ntoskrnl.exe!KeWaitForMultipleObjects+0x109c
ntoskrnl.exe!KeWaitForMultipleObjects+0xb3f
ntoskrnl.exe!KeWaitForSingleObject+0x377
ntoskrnl.exe!KeQuerySystemTimePrecise+0xd04
ntoskrnl.exe!MmUnlockPages+0x138a
ntoskrnl.exe!KeWaitForMultipleObjects+0x1283
ntoskrnl.exe!KeWaitForMultipleObjects+0xb3f
ntoskrnl.exe!KeWaitForMultipleObjects+0x4fe
win32kfull.sys!xxxUpdateInputHangInfo+0x5a3
win32kfull.sys!xxxUpdateInputHangInfo+0x1b8
win32kfull.sys!CheckWinstaAttributeAccess+0x10b8
win32kfull.sys!NtUserWaitMessage+0x22
ntoskrnl.exe!setjmpex+0x3b03
wow64cpu.dll!TurboDispatchJumpAddressEnd+0x540
wow64cpu.dll!TurboDispatchJumpAddressEnd+0x503
wow64.dll!Wow64KiUserCallbackDispatcher+0x4151
wow64.dll!Wow64LdrpInitialize+0x120
ntdll.dll!EtwEventProviderEnabled+0x1cb1
ntdll.dll!memset+0x1c3f4
ntdll.dll!LdrInitializeThunk+0xe
```
This is the output of sigcheck (https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx):
```
c:\users\hakan.kocaman\downloads\tap-windows-9.21.2\driver\tap0901.cat:
        Verified:       Signed
        File date:      13:00 21.04.2016
        Signing date:   10:07 21.04.2016
        Catalog:        c:\users\hakan.kocaman\downloads\tap-windows-9.21.2\driver\tap0901.cat
        Signers:
            OpenVPN Technologies
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing
                Cert Issuer:    DigiCert Assured ID Code Signing CA-1
                Serial Number:  04 D5 4D C0 A2 01 6B 26 3E EE B2 55 D3 21 05 6E
                Thumbprint:     5E66E0CA2367757E800E65B770629026E131A7DC
                Algorithm:      sha1RSA
                Valid from:     01:00 13.08.2013
                Valid to:       13:00 02.09.2016
            DigiCert Assured ID Code Signing CA-1
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
                Thumbprint:     409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
                Algorithm:      sha1RSA
                Valid from:     13:00 11.02.2011
                Valid to:       13:00 10.02.2026
            DigiCert
                Cert Status:    Valid
                Valid Usage:    Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
                Thumbprint:     0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
                Algorithm:      sha1RSA
                Valid from:     01:00 10.11.2006
                Valid to:       01:00 10.11.2031
        Counter Signers:
            DigiCert Timestamp Responder
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Assured ID CA-1
                Serial Number:  03 01 9A 02 3A FF 58 B1 6B D6 D5 EA E6 17 F0 66
                Thumbprint:     614D271D9102E30169822487FDE5DE00A352B01D
                Algorithm:      sha1RSA
                Valid from:     01:00 22.10.2014
                Valid to:       01:00 22.10.2024
            DigiCert Assured ID CA-1
                Cert Status:    Valid
                Valid Usage:    Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B
                Thumbprint:     19A09B5A36F4DD99727DF783C17A51231A56C117
                Algorithm:      sha1RSA
                Valid from:     01:00 10.11.2006
                Valid to:       01:00 10.11.2021
            DigiCert
                Cert Status:    Valid
                Valid Usage:    Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
                Thumbprint:     0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
                Algorithm:      sha1RSA
                Valid from:     01:00 10.11.2006
                Valid to:       01:00 10.11.2031
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a
```
I'm still puzzled why only the first signature is checked, while the second would be time-valid.
many thanks for your time and patience
hakan kocaman
comment:3 follow-up: 4 Changed 7 years ago by
I think the sigcheck tool checks each signature in series without looking at the whole chain. So, when it sees an expired certificate (=ours), it will complain about the signature not being time-valid.
@hkocam: how do you inject the certificate to the certificate store? I've never tried doing that from within an NSI installer.
comment:4 Changed 7 years ago by
Replying to samuli:
I think the sigcheck tool checks each signature in series without looking at the whole chain. So, when it sees an expired certificate (=ours), it will complain about the signature not being time-valid.
@hkocam: how do you inject the certificate to the certificate store? I've never tried doing that from within an NSI installer.
Hi,
we use a simple batch file and use certutil:
```
call certutil -addstore "TrustedPublisher" "%programfiles(x86)%\LANDesk\LDClient\sdmcache\SWD\OpenVPN\DigiCert_SHA2_Timestamp_Responder.cer"
```
comment:5 follow-up: 6 Changed 7 years ago by
@hkocam: opened a GitHub issue about certificate injection.
comment:6 Changed 7 years ago by
Replying to samuli:
@hkocam: opened a GitHub issue about certificate injection.
Many thanks, but to clarify:
even if the cert is in the cert store, I get the prompt to trust the driver issuer (see newest attachment)
Changed 7 years ago by
| Attachment: | windows_sec_trust_issuer_prompt.png added |
|---|---|
comment:7 follow-up: 8 Changed 7 years ago by
@hkocam: have you tried putting the certificate into other stores besides "Trusted publishers"?
comment:8 Changed 7 years ago by
Replying to samuli:
@hkocam: have you tried putting the certificate into other stores besides "Trusted publishers"?
i also tried "intermediate ca" and "trusted devices" with no luck
comment:9 follow-up: 10 Changed 7 years ago by
| Owner: | set to Samuli Seppänen |
|---|---|
| Status: | new → accepted |
I will do some testing to see if I can reproduce the problem, and to see what effect certificate injection has.
comment:10 Changed 7 years ago by
Replying to samuli:
I will do some testing to see if I can reproduce the problem, and to see what effect certificate injection has.
thanks, I really appreciate this.
the build instructions look complicated enough that
I think I would mess it up anyway.
but if you are in the position to build the driver anew,
maybe you could build only with the sha2-cert ?
i would love to test this build then in our rollout-process.
kind regards
hkocam
comment:11 follow-up: 12 Changed 7 years ago by
We have both SHA1 and SHA2 signatures in the driver because Windows Vista, and possibly old Windows 7, can't understand SHA2 signatures at all. Recent Windows updates have, I believe, already dropped support for SHA1 signatures. So we need both for the release installers.
Now that I think of it, the problem might be that SHA1 and SHA2 signatures require separate publisher certificates, and if either is missing, Windows pops up a warning dialog. Once you've installed the driver manually, do you have one or two new publisher certificates in the certificate store?
comment:12 follow-up: 13 Changed 7 years ago by
Replying to samuli:
We have both SHA1 and SHA2 signatures in the driver because Windows Vista, and possibly old Windows 7, can't understand SHA2 signatures at all. Recent Windows updates have, I believe, already dropped support for SHA1 signatures. So we need both for the release installers.
i know that you as a project have to cater for legacy systems.
Now that I think of it, the problem might be that SHA1 and SHA2 signatures require separate publisher certificates, and if either is missing, Windows pops up a warning dialog. Once you've installed the driver manually, do you have one or two new publisher certificates in the certificate store?
i got only one openvpn-cert in trusted publishers, with
thumbprint : 5e 66 e0 ca 23 67 75 7e 80 0e 65 b7 70 62 90 26 e1 31 a7 dc
i also do have 3 root certs from DigiCert in Third-Party Root CA:
- DigiCert Assured ID Root CA: 05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43
- DigiCert Global Root CA: a8 98 5d 3a 65 e5 e5 c4 b2 d7 d6 6d 40 c6 dd 2f b1 9c 54 36
- DigiCert High Assurance EV Root CA: 5f b7 ee 06 33 e2 59 db ad 0c 4c 9a e6 d3 8f 1a 61 c7 dc 25
comment:13 Changed 7 years ago by
Replying to hkocam:
Hi,
i got only one openvpn-cert in trusted publishers, with
thumbprint : 5e 66 e0 ca 23 67 75 7e 80 0e 65 b7 70 62 90 26 e1 31 a7 dc
got again time to investigate this and i'm really embarrassed:
the cert I used does not belong to the driver (tap-windows-9.21.2), after I compared the two.
I made a fresh export from the driver and imported this cert before the install,
everything worked as expected.
sorry for the noise
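The procedure that resolved this ticket (comment 4's certutil import, corrected in comment 13 by exporting the publisher certificate from the driver itself) can be scripted so that the wrong-certificate mistake is caught up front. The PowerShell below is an added example written for this page; it is not OpenVPN's code and not what the reporter ran. It assumes the signed file path is supplied by the caller (the ticket's `tap0901.cat` is one such input), that the script runs elevated so it can write to `Cert:\LocalMachine\TrustedPublisher`, and that the `PKI` module cmdlets `Export-Certificate` and `Import-Certificate` are available (Windows 8 / Server 2012 and later). It reads the signer certificate straight from the signed file, compares thumbprints against what is already staged, and imports only if the exact certificate is missing.

```powershell
# Added example (not from the ticket or the tap-windows project): stage the
# publisher certificate of a signed driver file in the machine TrustedPublisher
# store before a silent install, so the "trust this publisher" prompt never appears.
# Assumptions: run elevated; $SignedFile points at the signed catalog or installer
# whose publisher you intend to trust.
param(
    [Parameter(Mandatory = $true)]
    [string]$SignedFile   # e.g. ...\tap-windows-9.21.2\driver\tap0901.cat (path from the ticket)
)

$storePath = 'Cert:\LocalMachine\TrustedPublisher'

# 1. Read the signature and refuse to stage anything that does not verify.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($sig.Status -ne 'Valid') {
    throw "Signature on '$SignedFile' is not valid: $($sig.Status) - $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate

# 2. An expired signer is acceptable only when a countersignature (timestamp) proves
#    the signature was made while the certificate was still valid. Without a timestamp,
#    an expired signer is a real problem and should not be silently trusted.
$now = Get-Date
if ($signer.NotAfter -lt $now -and $null -eq $sig.TimeStamperCertificate) {
    throw "Signer certificate expired on $($signer.NotAfter) and the file carries no timestamp."
}

Write-Host ("Signer     : {0}" -f $signer.Subject)
Write-Host ("Issuer     : {0}" -f $signer.Issuer)
Write-Host ("Thumbprint : {0}" -f $signer.Thumbprint)
Write-Host ("Validity   : {0} to {1}" -f $signer.NotBefore, $signer.NotAfter)
if ($sig.TimeStamperCertificate) {
    Write-Host ("Timestamped by: {0}" -f $sig.TimeStamperCertificate.Subject)
}

# 3. Match on thumbprint, never on subject name. The ticket's root cause was a
#    certificate with the right-looking name but a different thumbprint, which
#    Windows correctly refused to treat as the driver's publisher.
$staged = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
if ($staged) {
    Write-Host "Publisher certificate $($signer.Thumbprint) is already in $storePath; nothing to do."
    return
}

# 4. Export the signer certificate from the signed file itself (no separately
#    downloaded .cer to get wrong) and import that into TrustedPublisher.
$cerPath = Join-Path $env:TEMP ("{0}.cer" -f $signer.Thumbprint)
try {
    Export-Certificate -Cert $signer -FilePath $cerPath -Type CERT | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation $storePath | Out-Null
    Write-Host "Imported $($signer.Thumbprint) into $storePath."
}
finally {
    Remove-Item -Path $cerPath -ErrorAction SilentlyContinue
}
```

Run it as `.\Stage-Publisher.ps1 -SignedFile 'C:\path\to\tap0901.cat'` (script name is an assumption) before the silent installer. One caveat that follows from comment 11: `Get-AuthenticodeSignature` reports only the primary signature of a dual-signed file, so for a driver signed with both SHA-1 and SHA-2 certificates this stages the primary publisher only; the thumbprints of every signer, as listed by sigcheck in comment 2, are what to compare against `TrustedPublisher` if the prompt still appears.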
comment:14 Changed 4 years ago by
@hkocam, OpenVPN 2.4.8 has a new TAP driver and certs. Can you confirm that all the certs work for you and we can close this ticket? Thanks.
comment:15 Changed 4 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | accepted → closed |
Final conclusion: User error.
Closed due to inactivity.
The driver signature has been time-stamped, so it is valid. I think that you would get the same prompt even if "Not after" would be in the future. The only way to get rid of the prompt would be to inject our publisher certificate into the Windows certificate store before running the tap-windows6 installer. That is what we do in OpenVPN Connect afaik.