#913 closed Bug / Defect (notabug)
OpenVPN cannot use standard CA root file on FreeBSD
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | pirzyk | Owned by: | |
| Priority: | major | Milestone: | |
| Component: | Certificates | Version: | OpenVPN 2.4.3 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | Steffan Karger, mandree, Eric Crist | | |
Description
When you use the default CA root file on FreeBSD (ca-root-nss.crt), it will fail to load with the error "Cannot load CA certificate file /usr/local/share/certs/ca-root-nss.crt (only 169 of 170 entries were valid X509 names)".
The problem was tracked down to having 2 certificates with the same Subject (but different serials). StartCom Ltd. has 2 CA certs (one is SHA1, the other is SHA256):
Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Removing one of them from the CA file allows OpenVPN to start up.
See also https://forums.freebsd.org/threads/60254/ for details.
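A pre-flight check for the condition the ticket describes, added here as an example (it is not code from the ticket or from the OpenVPN project): it walks each certificate's DER just far enough to extract the subject Name and reports any Subject that occurs more than once in a PEM bundle. The sample bundle is constructed from unsigned, certificate-shaped DER so the script runs offline; the StartCom name is used only as a label.

```python
import base64
import re
from collections import Counter
# Constructed sample input: unsigned, certificate-shaped DER assembled by hand (not real certificates).
def der_tlv(tag, body):  # minimal DER TLV encoder for the constructed sample (short-form lengths only)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def make_name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN (OID 2.5.4.3)
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, b"\x06\x03\x55\x04\x03" + der_tlv(0x0C, cn.encode()))))

def fake_cert_pem(serial, subject_cn):
    # tbsCertificate field order: [0] version, serialNumber, signature, issuer, validity, subject, ...
    empty_seq = der_tlv(0x30, b"")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial])) + empty_seq
                  + make_name("Constructed Issuer") + empty_seq + make_name(subject_cn))
    der = der_tlv(0x30, tbs + empty_seq + der_tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = "".join(fake_cert_pem(serial, cn) for serial, cn in [
    (1, "StartCom Certification Authority"),  # same Subject, different serial (stands in for the SHA-1 root)
    (2, "StartCom Certification Authority"),  # same Subject, different serial (stands in for the SHA-256 root)
    (3, "Some Other Root CA")])

# The check itself. It works on any PEM bundle, e.g. /usr/local/share/certs/ca-root-nss.crt.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Raw DER of the subject Name; certificates with the same Subject yield identical bytes here."""
    _, p, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, p, _ = read_tlv(cert_der, p)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, p)
    if tag == 0xA0:                       # optional [0] EXPLICIT version (absent in v1 certificates)
        p = end
    for _ in range(4):                    # skip serialNumber, signature, issuer, validity
        _, _, p = read_tlv(cert_der, p)
    _, _, end = read_tlv(cert_der, p)     # subject
    return cert_der[p:end]

def duplicate_subjects(bundle_pem):
    """Map each subject Name (raw DER) that occurs more than once in the bundle to its count."""
    counts = Counter(subject_der(base64.b64decode(b)) for b in PEM_RE.findall(bundle_pem))
    return {s: c for s, c in counts.items() if c > 1}
```

Run `duplicate_subjects(open(path).read())` on a real bundle to list offending subjects before pointing `ca` at it; the comparison is on exact DER bytes, so two subjects that differ only in string encoding are not reported as duplicates.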
Attachments (4)
Change History (6)
Changed 7 years ago by
| Field | Value |
|---|---|
| Attachment: | openvpn.log added |
comment:1 Changed 7 years ago by
| Field | Value |
|---|---|
| Cc: | Steffan Karger, mandree added |
| Resolution: | → notabug |
| Status: | new → closed |
This is not something we're going to invest any amount of effort in.
Why? Because you are not supposed to trust 169 random entities for your VPN security, and this is why we're not using a default CA store for CA trust - you trust the CA cert that has issued your VPN certificates, and nobody else.
comment:2 Changed 7 years ago by
| Field | Value |
|---|---|
| Cc: | Eric Crist added |
Log file