Opened 6 years ago
Last modified 3 years ago
#957 assigned Bug / Defect
X509v3 Name Constraints cause issues with recent OpenVPN Connect versions
| Reported by: | sysadmin-htlleonding | Owned by: | OpenVPN Inc. |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | OpenVPN Connect | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Since the recent OpenVPN Connect update our students are unable to connect to the OpenVPN server:
OpenVPN core error: mbed TLS: error parsing ca certificate: X509 - The extension tag or value is invalid: ASN1 - ASN1 tag was of an unexpected value.
Testing with mbedTLS 2.6.0 on a Linux computer with
mbedtls_cert_app ca_file=cacertwithdns.pem mode=file
shows
mbedtls_x509_crt_parse returned -0x2562
with a modified version you see that it finds an unknown critical extension and bails out.
It seems that it doesn't support X509v3 Name Constraints.
In my opinion OpenVPN Connect should use a modified version of mbedTLS which ignores the X509v3 Name Constraints extension as long as they aren't supported by mbedTLS (DNS checks should be handled by OpenVPN directly) and gives a warning to the user and then the option to decide whether he/she wants to connect anyway.
Probably you won't see many CAs with name constraints extensions in the wild, but they are useful when you want to create your own CA and protect your users and yourself from abuse (your own CA should only be able to create certificates for your domain and should not be misused for creating certificates for other domains).
Attachments (3)
Change History (10)
Changed 6 years ago by
comment:1 Changed 6 years ago by
The attachments ca.crt and cacert*.pem unfortunately aren't from the same CA (different public keys). But they can still be used for verifying the error codes of mbedTLS.
comment:2 Changed 6 years ago by
Hello and thank you for the bug report.
I am glad you already did most (if not all) of the analysis.
For what I am concerned you are the first user to report such problem, hence the reason why nobody has ever looked into patching the mbedTLS package we ship to support that.
Having x509v3 support in mbedTLS (upstream) would be the best solution, but it seems they are a bit reluctant of adding so much complexity for setups that are used by just few people.
I have found this forum thread where they talk a bit more about their policy about this problem: https://tls.mbed.org/discussions/feature-request/supported-for-x-509-name-constraints-extension
I will submit your request into our internal feature tracker, however, I have to be honest and say that the priority will still be somewhat low compared to other changes as this problem is not affecting a significant portion of our userbase.
Still, I agree that just ignoring the name constraint extension might be a quick workaround which might be implemented as first step.
comment:3 Changed 6 years ago by
| Owner: | set to Antonio Quartulli |
|---|---|
| Status: | new → accepted |
comment:5 Changed 6 years ago by
Replying to ordex:
Is this still a problem with the latest release?
actually it is, because mbedTLS hasn't changed anything about that.
comment:6 Changed 6 years ago by
@sysadmin-htlleonding Do you actually follow those name constraints? Could you provide your server certificate?
comment:7 Changed 3 years ago by
| Owner: | changed from Antonio Quartulli to OpenVPN Inc. |
|---|---|
| Status: | accepted → assigned |
Original CA file