Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#1292 closed Bug / Defect (notabug)

Openvpn client 3.2.0 fails to connect parser_cert_crl_error

Reported by: reetp
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Since the update to 3.2.0, which seems to have occurred over the weekend, all my iPhone clients are now failing to connect to my server with this error, and no indication of what it actually means or how to fix it. They all worked perfectly on Friday, and not today.

Client error 3.2.0 (3253)
There was an error attempting to connect to the selected server
Error message: parser_cert_crl_error ca cert/crl content ended unexpectedly without end marker

Server

OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03

It seems the client makes no attempt to even connect to the server, so presumably it is unhappy about something to do with configuration but no indication of what. No warning that updates may break things etc. which is very disappointing.

I am not sure how you can release something that breaks stuff overnight, especially now in the middle of a pandemic when so many more people rely on VPNs for work.

I am wondering if this is connected:
https://community.openvpn.net/openvpn/ticket/1290

Attachments (4)

IMG_7401.jpg (135.7 KB) - added by reetp 4 years ago.
Error
IMG_7400.jpg (111.8 KB) - added by reetp 4 years ago.
Version
ovpn_layout.jpg (127.2 KB) - added by reetp 4 years ago.
Iphone-Test.ovpn (4.2 KB) - added by reetp 4 years ago.
ovpn file


Change History (18)

Changed 4 years ago by reetp

Attachment: IMG_7401.jpg added

Error

Changed 4 years ago by reetp

Attachment: IMG_7400.jpg added

Version

comment:1 Changed 4 years ago by plaisthos

We will need a profile that has at least the <ca>, <crl> and <cert> directive *NOT* redacted to look into this.

comment:2 Changed 4 years ago by reetp

Let me know what you want and where you want it - obviously not going to paste a working configuration here.

Note that it worked perfectly Friday. It does not work today after the app updated over the weekend. Same on all iPhones. No configurations touched. Server not touched. The ONLY change was the app.

I have just noticed on an iPad the following notice pop up:

"MD5 signatures no longer supported as they are insecure."

So let me guess - you have just deprecated MD5 certificates, without any warning?

comment:3 Changed 4 years ago by reetp

Realised I can remove the key.

# Config from phone
allow-recursive-routing
ifconfig-nowarn
client
verb 3
connect-retry 2 300
resolv-retry 60
dev tun
remote x.x.x.x 1194 udp
auth-user-pass
route 0.0.0.0 0.0.0.0 vpn_gateway
tun-mtu 1400
nobind
remote-cert-tls server
cipher AES-256-CBC
float
persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve
# Use system proxy setting
management-query-proxy

#mute-replay-warnings
<ca>

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE------

</ca>

<cert>

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

</cert>

comment:4 Changed 4 years ago by reetp

For a test I installed the 3.1.1 (4581) app on an Android S10 and added this profile.

It connected immediately.

comment:5 Changed 4 years ago by plaisthos

Resolution: notabug
Status: new → closed

You have spaces before the -----BEGIN and -----END lines. That is - while accepted by the mbed TLS version in the older client - not valid.

comment:6 Changed 4 years ago by reetp

No I did that so you could see them otherwise the formatting screws up like this.

See attached screenshot for the layout.

#mute-replay-warnings
<ca>




</ca>

<cert>



Changed 4 years ago by reetp

Attachment: ovpn_layout.jpg added

comment:7 Changed 4 years ago by reetp

FWIW I took a working configuration and made sure all spaces were removed.

Send configuration to Android your app version 3.1.1 (4581). Works perfectly.

Send exact same configuration to an iPhone with v3.2.x client. Fails completely with original error.

Please re-open as there is clearly a bug here.

comment:8 Changed 4 years ago by reetp

As a further follow up I just joined the Android Beta program, upgraded to 3.2.2 and IMMEDIATELY got the same issue as soon as I connected.

I look forward to you re-opening this bug and looking for an urgent resolution.

Thank you.

comment:9 Changed 4 years ago by reetp

I have just run another test to a totally different test server I have set up which is using SHA1 certs, and Android 3.2.2 connects immediately with no warning.

So it looks like you have deprecated MD5 certificates with no warning and no route back.

Can you please confirm that this is the case and what you are going to do to restore connection?

Thank you.

comment:10 Changed 4 years ago by plaisthos

MD5 warnings were in the apps for a *looong* time. But even then you get a different error when your certs have MD5.

As for the ticket system messing up your config: please add it as an attachment instead.

comment:11 in reply to:  10 Changed 4 years ago by reetp

Replying to plaisthos:

> MD5 warnings were in the apps for a *looong* time. But even then you get a different error when your certs have MD5.

I am aware that it was going to be deprecated. Hence I helped rewrite the code generator we use for sha1. But a small pandemic has delayed things slightly. Makes it really difficult to deploy right now. Sorry about that.

As far as the error that's fine - just let me know where it is wrong. The odd thing is it works, you update the app, it doesn't work. Simple as that. Nothing changes, apart from the app.

New app, add SHA1 cert to a pretty well identically setup server, and it works.

So something tells me that configuration might not quite be the issue.

> As for the ticket system messing up your config: please add it as an attachment instead.

Coming.

Changed 4 years ago by reetp

Attachment: Iphone-Test.ovpn added

ovpn file

comment:12 Changed 4 years ago by plaisthos

Using SHA1 to replace MD5 is not a wise choice. OpenSSL 3.0 will deprecate/fail on SHA1 by default.
The end line

-----END CERTIFICATE------

should be

-----END CERTIFICATE-----

mbed TLS does not seem to care but this is not valid.

comment:13 in reply to:  12 Changed 4 years ago by reetp

Replying to plaisthos:

> Using SHA1 to replace MD5 is not a wise choice. OpenSSL 3.0 will deprecate/fail on SHA1 by default.

Thanks for that.

I should have said sha256 but it is some while since I did it and had forgotten. Losing my mind here!

> The end line should be
>
> -----END CERTIFICATE-----
>
> mbed TLS does not seem to care but this is not valid.

Good lord....!

Many thanks. I have absolutely no idea how it got there.

Must be when the cert info got copied to the ovpn file.

One question.

Why doesn't the file parser give a sensible response? Surely it wouldn't be that difficult to do and would have saved an awful lot of hassle? Even a 'syntax error on line x' would have helped massively.

Thanks again.

comment:14 Changed 4 years ago by plaisthos

The parser error is correct. It says it could find the end marker and it could not find it. An error message that says "Could not find end marker but found markers look somewhat similar" would be nice, and C compilers actually do that, but I am not sure implementing such a heuristic for OpenSSL is a good idea.
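The check discussed in comments 5, 12 and 14 can be run over a profile before it is deployed; the following is an added example, not code from OpenVPN or from anyone in this ticket. It reports the line number of any near-miss PEM marker (wrong dash count or stray whitespace) inside inline blocks. The names `lint_profile` and `PEM_TAGS`, the tag subset and the sample profile are assumptions made for the example.

```python
import re

# Strict boundary: exactly five dashes, BEGIN/END, label, five dashes, nothing else.
STRICT = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# Near miss: looks like a boundary but has stray whitespace or a wrong dash count.
LOOSE = re.compile(r"^\s*-{2,}\s*(BEGIN|END) ([A-Z0-9 ]+?)\s*-{2,}\s*$")
PEM_TAGS = {"ca", "cert", "key", "extra-certs", "crl-verify"}  # assumed subset

def lint_profile(text):
    """Return [(line_number, message)] for PEM marker problems in inline blocks."""
    findings, tag, open_label = [], None, None
    for num, line in enumerate(text.splitlines(), start=1):
        m = re.fullmatch(r"<(/?)([a-z-]+)>", line.strip())
        if m and m.group(2) in PEM_TAGS:
            if m.group(1) and open_label:  # closing tag while a BEGIN is still open
                findings.append((num, f"<{tag}> closed without an END {open_label} marker"))
            tag, open_label = (None if m.group(1) else m.group(2)), None
            continue
        if tag is None:
            continue
        strict, loose = STRICT.match(line), LOOSE.match(line)
        if strict:
            kind, label = strict.groups()
            if kind == "BEGIN":
                open_label = label
            elif label == open_label:
                open_label = None
            else:
                findings.append((num, f"END {label} has no matching BEGIN"))
        elif loose:
            kind, label = loose.groups()
            findings.append((num, f"malformed {kind} marker, expected '-----{kind} {label}-----'"))
    return findings

# Constructed sample profile; the base64 body is a placeholder, not a real certificate.
SAMPLE = """client
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE------
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</cert>
"""

if __name__ == "__main__":
    print(*lint_profile(SAMPLE), sep="\n")
```
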
