Opened 6 years ago
Last modified 16 months ago
#1005 new Bug / Defect
Chain CA fails with 1.2.6
Reported by: | benjy | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Crypto | Version: | OpenVPN 2.4.4 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger, Antonio Quartulli |
Description
Hi,
Since 1.2.6 it seems the chain CA validation is broken.
Our infra is a bit particular as we have two different CAs:
Server: CA1 -> subCA1 -> Sub-subCA1 -> server cert
Clients: CA2 -> subCA2 -> Sub-subCA2 -> client cert
The server includes CA2 in addition to the CA1 chain in its CA file to validate our clients.
The clients include CA1 in addition to the CA2 chain in their CA file as well.
All works for Windows/Linux/OSX/Android clients. But it fails for iOS since 1.2.6 (and maybe 1.2.5); it was working before, though.
The server log shows that it fails to check the client chain:
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: OU=OpenVPN-Mobile, CN=xxx
I tried different combinations to include in the client CA, but it never manages to get the local issuer.
There is a thread here: https://forums.openvpn.net/viewtopic.php?f=36&t=25674
With the help of ordex, we've identified that the problem comes from mbed TLS as the same issue occurs with mbed TLS on linux but not with openssl.
Thanks,
Ben
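To check a CA file like the one described above outside of OpenVPN, here is an added shell reproduction (constructed for this ticket, not code from OpenVPN, mbed TLS or the reporter) that builds both chains with the openssl CLI and runs `openssl verify` against a CA file holding both chains and against one holding only CA1's chain; the second case reproduces the "unable to get local issuer certificate" error from the server log. All names, files and the `issue`/`verify_leaf` helpers are assumptions of this example.

```shell
#!/bin/sh
# Constructed reproduction of the ticket's layout with the openssl CLI (not OpenVPN or
# mbed TLS code): CA1 -> subCA1 -> Sub-subCA1 -> server and CA2 -> subCA2 -> Sub-subCA2
# -> client, verified against a CA file with both chains and one with CA1's chain only.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# issue NAME ISSUER EXTFILE: fresh key and CSR for NAME, signed by ISSUER
# (self-signed when ISSUER is empty). Helper name and file layout are ours.
issue() {
  name=$1; issuer=$2; ext=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

build_chains() {
  issue CA1 "" ca.ext; issue subCA1 CA1 ca.ext; issue Sub-subCA1 subCA1 ca.ext
  issue server Sub-subCA1 leaf.ext
  issue CA2 "" ca.ext; issue subCA2 CA2 ca.ext; issue Sub-subCA2 subCA2 ca.ext
  issue client Sub-subCA2 leaf.ext
  # CA file as the ticket describes the server's: CA1's chain plus CA2's chain
  cat "$WORK/CA1.crt" "$WORK/subCA1.crt" "$WORK/Sub-subCA1.crt" \
      "$WORK/CA2.crt" "$WORK/subCA2.crt" "$WORK/Sub-subCA2.crt" > "$WORK/both.pem"
  # CA file with CA1's chain only: the client's issuer cannot be found
  cat "$WORK/CA1.crt" "$WORK/subCA1.crt" "$WORK/Sub-subCA1.crt" > "$WORK/ca1only.pem"
}

# verify_leaf CAFILE LEAF: prints "ok" on success, otherwise openssl's error text
verify_leaf() {
  if out=$(openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" 2>&1); then
    echo ok
  else
    echo "$out"
  fi
}

build_chains
verify_leaf both.pem server      # ok
verify_leaf both.pem client      # ok
verify_leaf ca1only.pem client   # ... unable to get local issuer certificate
```

Pointing `-CAfile` at the server's real `ca` file and the leaf at a client certificate is the same check against production material.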
Change History (5)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
Component: | OpenVPN Connect → Crypto |
---|---|
Version: | OpenVPN Connect for iOS v1.2.6 → OpenVPN 2.4.4 (Community Ed) |
Switching the issue to OpenVPN community edition, so that a broader audience can consider it. (We verified it is not a problem in the iOS-only code.)
comment:3 Changed 6 years ago by
OK, so to add a note, the issue comes from having two chains.
If I provide a certificate generated from Sub-subCA1 (SHA1) in my scenario (instead of Sub-subCA2), the client connects properly with mbedtls 2.6.
comment:4 Changed 6 years ago by
Cc: | Steffan Karger added |
---|
comment:5 Changed 16 months ago by
Cc: | Antonio Quartulli added |
---|
So what shall we do about this? If nobody is interested in working on this, we might as well close it.
Thanks for the report.
It would be interesting to understand why mbedTLS is failing in this case... there might be a reason behind it (or might not). The error message points to something like "I can't find the CA to validate this client certificate". I wonder if, by pushing multiple CAs, mbedTLS is actually not storing them all... (just a rough and wild guess here).