Opened 7 years ago

Closed 7 years ago

#108 closed Bug / Defect (fixed)

openvpn 2.2rc2 does not like --client-cert-not-required

Reported by: janjust Owned by: dazo
Priority: blocker Milestone: release 2.2.0
Component: Certificates Version: OpenVPN 2.2-beta / 2.2-RC (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Reported by samenlia (https://forums.openvpn.net/topic7751.html), confirmed by me:

openvpn 2.2-rc2 does not like --client-cert-not-required; an identical server config which works with 2.1.4 does not work with 2.2-rc2. When a client connects that does not present a certificate, the following message is logged:

Mar 30 11:16:30 2011 us=211229 194.171.96.28:50855 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 11:16:30 2011 us=211292 194.171.96.28:50855 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 30 11:16:30 2011 us=211356 194.171.96.28:50855 TLS Error: TLS handshake failed

The exact same client+server work with 2.1.4.
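As an added example, not part of the ticket or of OpenVPN's own code: a small Python triage script that parses the three log lines quoted above, correlates them per peer, and flags handshakes that failed specifically because the client presented no certificate, which is the symptom this ticket describes on a server configured with --client-cert-not-required. The log-line layout and the OpenSSL error-string format are assumed from the lines on the page.

```python
import re
from collections import defaultdict

# Log lines copied from the ticket description: the 2.2-rc2 server rejecting a client
# that, as intended under --client-cert-not-required, sends no certificate.
SAMPLE_LOG = """\
Mar 30 11:16:30 2011 us=211229 194.171.96.28:50855 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 11:16:30 2011 us=211292 194.171.96.28:50855 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 30 11:16:30 2011 us=211356 194.171.96.28:50855 TLS Error: TLS handshake failed
"""

# Each line starts with a timestamp (weekday optional), a microsecond counter and the
# peer's ip:port; everything after that is the message.
LINE_RE = re.compile(
    r"^(?:\w{3} )?(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d \d{4}) us=\d+ "
    r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)
# OpenSSL error strings look like error:<hex code>:<library>:<function>:<reason>.
SSL_ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$")

def parse_handshake_failures(log_text):
    """Per peer whose handshake failed, return the parsed OpenSSL error (if any)."""
    per_peer = defaultdict(lambda: {"ssl_error": None, "handshake_failed": False, "ts": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = per_peer[m.group("peer")]
        entry["ts"] = entry["ts"] or m.group("ts")
        msg = m.group("msg")
        e = SSL_ERR_RE.search(msg)
        if e:
            entry["ssl_error"] = e.groupdict()
        if msg == "TLS Error: TLS handshake failed":
            entry["handshake_failed"] = True
    return {peer: v for peer, v in per_peer.items() if v["handshake_failed"]}

def missing_client_cert_failures(log_text):
    """Peers rejected only because they sent no certificate: the server is still
    demanding one even though the config says it is not required."""
    return [
        peer for peer, v in parse_handshake_failures(log_text).items()
        if v["ssl_error"] and v["ssl_error"]["func"] == "SSL3_GET_CLIENT_CERTIFICATE"
        and "did not return a certificate" in v["ssl_error"]["reason"]
    ]

if __name__ == "__main__":
    for peer in missing_client_cert_failures(SAMPLE_LOG):
        print(f"{peer}: handshake failed, client sent no certificate")
```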

Attachments (2)

trac-108-server.conf (491 bytes) - added by janjust 7 years ago.
server configuration
trac-108-client.conf (187 bytes) - added by janjust 7 years ago.
client configuration


Change History (6)

Changed 7 years ago by janjust

server configuration

Changed 7 years ago by janjust

client configuration

comment:1 Changed 7 years ago by dazo

  • Owner set to dazo
  • Status changed from new to accepted

I've bisected this issue and found the offending commit:

2e8337de248ef0b5b48cbb2964da0d5c3f28b15b is the first bad commit
commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b
Author: Emilien Mantel <emilien.mantel@businessdecision.com>
Date:   Thu Jun 17 21:38:59 2010 +0200

    Choose a different field in X509 to be username
    
    For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be
    username (few people can have the same "CN"). In our case, we only use the UID.
    
    With my patch, you can choose another field to be username with a new option called
    --x509-username-field, the default value is "CN".
    
    Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com>
    Acked-by: David Sommerseth <dazo@users.sourceforge.net>
    Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

:100644 100644 8c5af91e22a5ca84b82833940feee642989b07a6 717c5d70de6b9e64ac9307dc09c27b2c1bfbc781 M	options.c
:100644 100644 52763f3b1b5e2d2af8016698ee661970f7f4c6d4 cb29d797d4a7c7cb0e6595d3f6256ddfec57d200 M	options.h
:100644 100644 cf4c7bf6096eac0317723abd2dbf2e86e391d73c e6285040fb9f20ed7ba809c6aacbf247c42241ae M	ssl.c
:100644 100644 19a85401bdb05b228fcde8d11c908a4be0a85514 8415d5555908ecbf9c7779106e6a452f082e488a M	ssl.h

Depending on how long it will take to fix this, this commit together with the following commit is at risk of being reverted.

commit fbd18db6485e3d08d8d933263cff96ee60eddb39
Author: David Sommerseth <davids@redhat.com>
Date:   Wed Dec 15 10:53:04 2010 +0100

    Make the --x509-username-field feature an opt-in feature

comment:3 Changed 7 years ago by dazo

  • Component changed from Generic / unclassified to Certificates
  • Milestone set to release 2.2
  • Priority changed from major to blocker

comment:4 Changed 7 years ago by dazo

  • Resolution set to fixed
  • Status changed from accepted to closed

The proposed fix has been tested and ACKed by janjust, and applied to the git tree.

commit 008a18e772bf1854f9a2102bef4b3d5b0a08a66b (master)
commit 272aef2f0fd6b8c81c397fc32a503776e2b4bef1 (beta2.2)
Author: David Sommerseth <davids@redhat.com>
Date:   Wed Mar 30 14:14:21 2011 +0200

    Fix the --client-cert-not-required feature
    Report-URL: https://community.openvpn.net/openvpn/ticket/108
    Report-URL: https://forums.openvpn.net/topic7751.html
    Signed-off-by: David Sommerseth <davids@redhat.com>
    Acked-by: Jan Just Keijser <janjust@nikhef.nl>