Opened 13 years ago
Closed 13 years ago
#125 closed Bug / Defect (fixed)
Build CA is broken in Windows on version 2.2 release
Reported by: | Muot | Owned by: | Samuli Seppänen |
---|---|---|---|
Priority: | minor | Milestone: | release 2.2.1 |
Component: | Certificates | Version: | OpenVPN 2.2.0 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | install |
Cc: |
Description
From Windows Command window, I did the following:
init-config - there is an error because "openssl.cnf.sample" is missing from the 2.2 install package, but since openssl.cnf existed it still worked.
vars - after editing it of course
clean-all
build-ca.bat gives:
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
WARNING: can't open config file: c:\openssl/ssl/openssl.cnf
error on line 150 of openssl.cnf
3940:error:0E065068:configuration file routines:STR_COPY:variable has no value:.\crypto\conf\conf_def.c:618:line 150
Change History (7)
comment:1 Changed 13 years ago by
Keywords: | install added |
---|---|
Milestone: | release 2.2 |
Owner: | set to Samuli Seppänen |
Priority: | major → minor |
Status: | new → assigned |
Version: | 2.2-beta / 2.2-RC → 2.2.0 |
comment:2 Changed 13 years ago by
Milestone: | → release 2.2.1 |
---|
comment:3 Changed 13 years ago by
openssl.cnf in version 2.2 for Windows contains two entries that fixed the error below when remote-cert-tls server is used in the client configuration file:
ERROR: "OpenVPN: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
If you decide to copy the 2.0 version of openssl.cnf over, please don't lose these two entries below under [ server ]:
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
Thanks.
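A lint for the two openssl.cnf concerns raised in this ticket, as an added example that is not part of the ticket or of OpenVPN's code: it checks that [ server ] still carries the two entries listed in comment 3, and it flags `$ENV::` references whose variable is absent from the environment, a condition that makes OpenSSL fail with "variable has no value". The sample config and the name `EXAMPLE_VAR` are constructed for illustration.

```python
import re

# Entries comment 3 says must stay under [ server ] (names are case-sensitive).
REQUIRED = {
    "extendedKeyUsage": {"serverAuth"},
    "keyUsage": {"digitalSignature", "keyEncipherment"},
}
ENV_REF = re.compile(r"\$[{(]?ENV::(\w+)")  # $ENV::X, ${ENV::X}, $(ENV::X)

# Constructed sample, not the file shipped with OpenVPN; EXAMPLE_VAR is a placeholder.
SAMPLE = """\
dir = $ENV::EXAMPLE_VAR   # expanded by OpenSSL when the file is loaded
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
"""

def strip_comment(line):
    # Simplification: treats every '#' as a comment start (ignores quoting/escapes).
    return line.split("#", 1)[0].strip()

def parse_sections(text):
    """Return {section name: {key: value}} for an openssl.cnf-style file."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = strip_comment(raw)
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def lint(text, env):
    """List problems: missing [ server ] usages and $ENV:: names absent from env."""
    problems = []
    server = parse_sections(text).get("server", {})
    for key, wanted in REQUIRED.items():
        have = {v.strip() for v in server.get(key, "").split(",")}
        problems += [f"[ server ] {key} lacks {m}" for m in sorted(wanted - have)]
    for number, raw in enumerate(text.splitlines(), 1):
        for name in ENV_REF.findall(strip_comment(raw)):
            if name not in env:
                problems.append(f"line {number}: $ENV::{name} is not set")
    return problems

if __name__ == "__main__":
    import os
    for problem in lint(SAMPLE, os.environ):
        print(problem)
```

Pass the text of the real openssl.cnf and `os.environ` from the same command window where `vars` was run, since that is the environment OpenSSL will see.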
comment:4 Changed 13 years ago by
Dazo: agreed, it's pointless to move stuff around.
Mvuong: I'm fixing this bug for the upcoming 2.2.1 release. Could you replace the openssl.cnf with this one and see what happens? It seemed to work fine in my limited testing.
comment:5 Changed 13 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
ACK.
I have applied the following patches:
commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
commit 6989cbde616a00380acf3a390959987765a5325b (release/2.2)
Author: Samuli Seppänen <samuli@openvpn.net>
Date:   Mon Jun 20 10:49:41 2011 +0300

    Add new openssl.cnf to easy-rsa/Windows

    This is required for patch "Fix a build-ca issue on Windows" to work

    Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
    Acked-by: David Sommerseth <davids@redhat.com>

commit 38108434db7b2d574133dd645d01df03848532d6 (master)
commit 09282a688bd16d1572a7cc4fd20d3785fb2b4c1e (release/2.2)
Author: Samuli Seppänen <samuli@openvpn.net>
Date:   Fri Jun 17 12:18:02 2011 +0300

    Fix a build-ca issue on Windows

    Fixes Trac ticket #125

    Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
    Acked-by: David Sommerseth <davids@redhat.com>
    Signed-off-by: David Sommerseth <davids@redhat.com>
I see that 'extendedKeyUsage=serverAuth' is not set. I am not 100% sure if that is needed or not, or just "nice to have". So I'm accepting the openssl.cnf patch as it is now, and we can rather fix this later on if it is not enough.
comment:6 Changed 13 years ago by
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Previous patches don't fix this issue -> reopening. A new patch is available here.
comment:7 Changed 13 years ago by
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Fixed in 2.2.1 release.
We should probably copy the easy-rsa/2.0/openssl.cnf into the Windows package when wrapping it all together.
Also consider if we should do the copy of openssl.cnf.sample to openssl.cnf in init-config. Seems like a rather pointless operation.