Opened 13 years ago

Closed 13 years ago

#108 closed Bug / Defect (fixed)

openvpn 2.2rc2 does not like --client-cert-not-required

Reported by: JJK
Owned by: David Sommerseth
Priority: blocker
Milestone: release 2.2.0
Component: Certificates
Version: OpenVPN 2.2-beta / 2.2-RC (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


Reported by samenlia, confirmed by me:

openvpn 2.2-rc2 does not like --client-cert-not-required; an identical server config which works with 2.1.4 does not work with 2.2-rc2. When a client connects which does not present a certificate the following message is logged:

Mar 30 11:16:30 2011 us=211229 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 11:16:30 2011 us=211292 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 30 11:16:30 2011 us=211356 TLS Error: TLS handshake failed

The exact same client+server work with 2.1.4.
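
For triage after an upgrade, the log signature quoted above can be detected mechanically. The following is an added example, not part of the ticket or of OpenVPN's code; the function names and the one-second correlation window are assumptions, and the sample input is the three log lines from the ticket. Because those lines carry no peer address, the correlation is by time only.

```python
import re
from datetime import datetime, timedelta

# Sample input: the three log lines quoted in the ticket (the first one lacks
# the weekday there, so the parser treats the weekday as optional).
SAMPLE_LOG = """\
Mar 30 11:16:30 2011 us=211229 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 11:16:30 2011 us=211292 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 30 11:16:30 2011 us=211356 TLS Error: TLS handshake failed
"""

NO_CERT_REASON = "peer did not return a certificate"
LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} )?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r"(?: us=(?P<us>\d{1,6}))? (?P<msg>.*)$")
# OpenSSL error strings have the form error:<hex code>:<library>:<function>:<reason>
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")


def parse_line(line):
    """Split one log line into timestamp, message and, if present, OpenSSL error fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
    ts = ts.replace(microsecond=int(m["us"] or 0))
    err = OSSL_RE.search(m["msg"])
    return {"time": ts, "msg": m["msg"], "openssl": err.groupdict() if err else None}


def missing_cert_failures(text, window=timedelta(seconds=1)):
    """Return one event per 'peer did not return a certificate' error, noting
    whether a 'TLS handshake failed' line follows within `window`."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    events = []
    for i, r in enumerate(recs):
        if r["openssl"] and r["openssl"]["reason"] == NO_CERT_REASON:
            failed = any("TLS handshake failed" in n["msg"]
                         and timedelta(0) <= n["time"] - r["time"] <= window
                         for n in recs[i + 1:])
            events.append({"time": r["time"], "code": r["openssl"]["code"],
                           "func": r["openssl"]["func"], "handshake_failed": failed})
    return events


if __name__ == "__main__":
    for event in missing_cert_failures(SAMPLE_LOG):
        print(event)
```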

Attachments (2)

trac-108-server.conf (491 bytes) - added by JJK 13 years ago.
server configuration
trac-108-client.conf (187 bytes) - added by JJK 13 years ago.
client configuration


Change History (6)

Changed 13 years ago by JJK

Attachment: trac-108-server.conf added

server configuration

Changed 13 years ago by JJK

Attachment: trac-108-client.conf added

client configuration

comment:1 Changed 13 years ago by David Sommerseth

Owner: set to David Sommerseth
Status: new → accepted

I've bisected this issue and found the offending commit:

2e8337de248ef0b5b48cbb2964da0d5c3f28b15b is the first bad commit
commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b
Author: Emilien Mantel <>
Date:   Thu Jun 17 21:38:59 2010 +0200

    Choose a different field in X509 to be username
    For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
    username (few people can have the same "CN"). In our case, we only use the UID.
    With my patch, you can choose another field to be username with a new option called
    --x509-username-field, the default value is "CN".
    Signed-off-by: Emilien Mantel <>
    Acked-by: David Sommerseth <>
    Signed-off-by: David Sommerseth <>

:100644 100644 8c5af91e22a5ca84b82833940feee642989b07a6 717c5d70de6b9e64ac9307dc09c27b2c1bfbc781 M	options.c
:100644 100644 52763f3b1b5e2d2af8016698ee661970f7f4c6d4 cb29d797d4a7c7cb0e6595d3f6256ddfec57d200 M	options.h
:100644 100644 cf4c7bf6096eac0317723abd2dbf2e86e391d73c e6285040fb9f20ed7ba809c6aacbf247c42241ae M	ssl.c
:100644 100644 19a85401bdb05b228fcde8d11c908a4be0a85514 8415d5555908ecbf9c7779106e6a452f082e488a M	ssl.h

Depending on how long it will take to fix this, this commit, together with the following commit, is at risk of getting reverted.

commit fbd18db6485e3d08d8d933263cff96ee60eddb39
Author: David Sommerseth <>
Date:   Wed Dec 15 10:53:04 2010 +0100

    Make the --x509-username-field feature an opt-in feature

comment:3 Changed 13 years ago by David Sommerseth

Component: Generic / unclassified → Certificates
Milestone: release 2.2
Priority: major → blocker

comment:4 Changed 13 years ago by David Sommerseth

Resolution: fixed
Status: accepted → closed

Proposed fix has been tested and ACKed by janjust, applied to the git tree.

commit 008a18e772bf1854f9a2102bef4b3d5b0a08a66b (master)
commit 272aef2f0fd6b8c81c397fc32a503776e2b4bef1 (beta2.2)
Author: David Sommerseth <>
Date:   Wed Mar 30 14:14:21 2011 +0200

    Fix the --client-cert-not-required feature
    Signed-off-by: David Sommerseth <>
    Acked-by: Jan Just Keijser <>