Opened 23 months ago

Closed 7 weeks ago

Last modified 7 weeks ago

#1299 closed Bug / Defect (invalid)

Android and iOS Client are not sending User Cert Chain

Reported by: mitch-geht-ab Owned by: OpenVPN Inc.
Priority: critical Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for Android
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hi,

I'm using OVPN on my Samsung S8, Android 9, OpenVPN Connect Ver. 3.2.2 (5027).
Today I noticed that I can't connect to my OVPN Server (2.4.7).

Message on server side:

Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS: Initial packet from [AF_INET]192.168.2.61:56866 (via [AF_INET]192.168.2.254%br1), sid=f48ece9a bc988215
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=DE, O=xxxxxx, CN=thomas
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS_ERROR: BIO read tls_read_plaintext error
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS Error: TLS object -> incoming plaintext read error
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS Error: TLS handshake failed
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 SIGUSR1[soft,tls-error] received, client-instance restarting

Same with both iOS and Android clients.
It was working a few weeks ago.
With my Windows client (Win10, OpenVPN binary 2.4.6), the same client .ovpn config is working.

Server config for "ca" links to the root-ca cert file.

In my client config I use embedded ca and cert sections.

<ca> section contains the root-ca.
<cert> section contains client-cert + intermediate-ca.

As mentioned above, the same config file works on Win10 but isn't working on iOS and Android.

After switching on the server side from root-ca-only to ca-chain (signing + root), it works.
I think there was an update on the Android and iOS side and the mobile clients aren't sending the full user chain now.

BR
Mitch

Change History (8)

comment:1 Changed 21 months ago by Gert Döring

Component: changed from Certificates to OpenVPN Connect
Owner: set to yuriy
Version: OpenVPN Connect for Android

comment:2 Changed 17 months ago by Gert Döring

Owner: changed from yuriy to denys
Status: changed from new to assigned

comment:3 Changed 13 months ago by raffikrikorian

Hello - I want to +1 on this bug report as I'm having precisely the same issue. My <cert> section contains the entire chain. My ovpn file works on my Mac client, but, in iOS, I get precisely the same error on my server.

comment:4 Changed 13 months ago by Antonio Quartulli

Owner: changed from denys to OpenVPN Inc.

comment:5 Changed 9 months ago by mitch-geht-ab

Hi,
I would kindly ask if there is any progress with this bug?
BR Thomas

comment:6 Changed 7 weeks ago by OpenVPN Inc.

Hello everyone on this ticket,

I have reviewed this situation, and I believe the issue is caused by placing an intermediate CA certificate into the client certificate section, which is the wrong place. Intermediate CA and root CA certificates must be placed into the CA section in the OpenVPN configuration.

Example with client cert, intermediate CA, and root CA:
<cert>
client cert here
</cert>
<ca>
intermediate ca here
root ca here
</ca>

While it may be working on some versions of OpenVPN2 when you place the intermediate CA somewhere else, this may simply be accidental. As far as I can determine, the solution would be moving the intermediate CA cert to the CA section in the OpenVPN connection profile, where it belongs. In any case I don't think we'll be looking into supporting the intermediate CA certificate inside of the client certificate section.

Kind regards,
Johan

comment:7 Changed 7 weeks ago by OpenVPN Inc.

Resolution: invalid
Status: changed from assigned to closed

comment:8 Changed 7 weeks ago by OpenVPN Inc.

Update:

Got some more information on why it may work in OpenVPN2 - there is code in OpenVPN2 that deals with CA certs being in client cert section, but in OpenVPN3 that behavior is not there, and OpenVPN3 is used in OpenVPN Connect v3.

Kind regards,
Johan
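Both of Johan's comments reduce to one check on the client profile: any certificate beyond the leaf inside <cert> only ever reached the server because OpenVPN 2 happened to forward it, and OpenVPN 3 (the engine in OpenVPN Connect v3) does not. As an added example that is not part of this ticket or of OpenVPN's own code, the Python below lints an .ovpn profile for that misplacement and rewrites it into the layout Johan recommends (intermediate CA and root CA in <ca>, leaf only in <cert>). The sample profile and its PEM bodies are constructed placeholders, not real certificates; only the PEM markers matter to the linter.

```python
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Constructed profile with the ticket's layout: root CA in <ca>, leaf cert plus
# intermediate CA in <cert>. PEM bodies are placeholders, not real certificates.
SAMPLE_PROFILE = """client
<ca>
-----BEGIN CERTIFICATE-----
ROOT-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CA-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
"""

def inline_sections(profile):
    """Map each inline <tag>...</tag> block of an .ovpn profile to its body."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"<(\w+)>\n?(.*?)</\1>", profile, re.S)}

def lint_profile(profile):
    """Flag the ticket's misplacement: more than one certificate inside <cert>.
    OpenVPN 2 forwarded the extras as the chain; OpenVPN 3 does not, so the
    server fails with 'unable to get local issuer certificate'."""
    sections = inline_sections(profile)
    cert_count = len(PEM_RE.findall(sections.get("cert", "")))
    ca_count = len(PEM_RE.findall(sections.get("ca", "")))
    return {"cert_count": cert_count, "ca_count": ca_count,
            "extra_in_cert": cert_count > 1}

def fix_profile(profile):
    """Move every certificate after the leaf out of <cert> into <ca>."""
    sections = inline_sections(profile)
    cert_pems = PEM_RE.findall(sections.get("cert", ""))
    if len(cert_pems) <= 1:
        return profile  # already in the recommended layout
    leaf, extras = cert_pems[0], cert_pems[1:]
    # Intermediate(s) first, then whatever <ca> already held (normally the root).
    new_ca = "\n".join(extras + PEM_RE.findall(sections.get("ca", "")))
    profile = re.sub(r"<cert>.*?</cert>", lambda _: f"<cert>\n{leaf}\n</cert>",
                     profile, flags=re.S)
    if "<ca>" not in profile:
        return profile + f"<ca>\n{new_ca}\n</ca>\n"
    return re.sub(r"<ca>.*?</ca>", lambda _: f"<ca>\n{new_ca}\n</ca>", profile, flags=re.S)
```

Running lint_profile on a profile before importing it into Connect v3 catches the layout that only worked by accident under OpenVPN 2; fix_profile produces the profile that works on both engines without any server-side change.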
