Opened 3 years ago
Closed 2 years ago
#1414 closed Bug / Defect (wontfix)
option_error: Invalid verify-x509-name type: ST=Berlin,
Reported by: | hildeb | Owned by: | OpenVPN Inc. |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | OpenVPN Connect | Version: | OpenVPN Connect for Windows |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | OCWindows_3.3.0-2171 |
Cc: |
Description
"platform": "win" "version": "3.git::8975e733" "gui_version": "OCWindows_3.3.0-2171"
One of our users cannot connect with our (otherwise working) config.
The error he's getting is:
option_error: Invalid verify-x509-name type: ST=Berlin,
(see attached screenshot)
Our config contains this line:
verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject
which apparently is not being recognized by 3.3.0-2171 (but in earlier versions).
The openvpn man page even uses the same quoting style (') in its example for verify-x509-name:
verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
Attachments (1)
Change History (12)
Changed 3 years ago by
Attachment: | Screenshot_2021-06-16_090058.png added |
---|
comment:1 Changed 3 years ago by
Owner: | changed from OpenVPN Inc. to tct |
---|---|
Status: | new → accepted |
Nice catch, there is an error in the manual example. v2.4 & 2.5
The example reads:
--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
The correct example would be:
--verify-x509-name subject 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
Correction:
--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' subject
The manual is correct, although difficult to read.
comment:2 Changed 3 years ago by
The man page says:
Valid syntax: verify-x509 name type
But you say it's actually:
verify-x509 type name
This would invalidate all the examples in the man page, while
verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject
used to work in all openconnect versions EXCEPT 3.3.0 (I'm seeing OCWindows_3.2.3-1851 and OCWindows_3.2.2-1455 clients at the moment, to name but a few)
comment:3 Changed 3 years ago by
For a test I changed the config accordingly and got (with OpenVPN 2.5.2):
Options error: unknown X.509 name type: C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de
comment:4 Changed 3 years ago by
Sorry, my initial post was actually incorrect as well ... it is an awkward little option:
--verify-x509-name <DATA> <TYPE>
options:
Correction: Default is the entire subject DN
- No <TYPE> :- <DATA> Defaults to the entire subject DN
- Type name :- <DATA> is set to RDN
- Type name-prefix :- <Data> is a prefix portion of RDN
- Type subject :- <DATA> is the entire subject DN
You want:
verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject
Does that not work any longer?
comment:5 Changed 3 years ago by
This is Openvpn-connect but you've probably been reading the manual for Openvpn FOSS. They are not the same.
comment:6 Changed 3 years ago by
Owner: | tct deleted |
---|---|
Status: | accepted → assigned |
comment:7 Changed 3 years ago by
Regarding comment #4: Yes, that's what I want and it doesn't work any longer.
As you can see, the quoting of the first argument to verify-x509-name is being ignored and thus everything after the 2nd space is seen as TYPE.
comment:8 Changed 3 years ago by
Owner: | set to OpenVPN Inc. |
---|
comment:9 Changed 3 years ago by
In my view with updating to OpenVPN 3 library 3.6.2 the OpenVPN-Connect-Client lost support for single quotes ('). Using double quotes (") it works as expected.
In the test suite for OpenVPN3 double quotes are used. In the manual single quotes are used instead.
Either OpenVPN3 should support single quotes again or the manual should be changed.
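An added illustration of the behaviour described in comments 7 and 9; it is not part of the ticket and not OpenVPN code. split_double_only is an assumed, simplified tokenizer that treats only double quotes as quoting, compared against Python's shlex.split, which honours both; the function names and the sample profile are constructed for this example.

```python
import shlex

VALID_TYPES = {"name", "name-prefix", "subject"}  # the types listed in comment 4

def split_double_only(line):
    """Assumed model, not OpenVPN code: only double quotes group words."""
    tokens, cur, in_dq, started = [], [], False, False
    for ch in line:
        if ch == '"':
            in_dq, started = not in_dq, True
        elif ch.isspace() and not in_dq:
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)  # a single quote lands here as an ordinary character
            started = True
    if started:
        tokens.append("".join(cur))
    return tokens

def check_directive(line, tokenizer):
    """Return (ok, message) for one verify-x509-name line."""
    tokens = tokenizer(line)
    if len(tokens) < 2 or tokens[0] != "verify-x509-name":
        return False, "not a complete verify-x509-name directive"
    x509_type = tokens[2] if len(tokens) > 2 else "subject"  # default per comment 4
    if x509_type not in VALID_TYPES:
        return False, f"Invalid verify-x509-name type: {x509_type}"
    return True, f"type={x509_type} name={tokens[1]}"

def quoting_sensitive_lines(profile_text):
    """1-based numbers of lines that tokenize differently once ' stops quoting."""
    return [n for n, line in enumerate(profile_text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith(("#", ";"))
            and split_double_only(line) != shlex.split(line)]

# Constructed sample: the DN is the one quoted in the ticket description.
DN = ("C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, "
      "CN=openvpn.charite.de, emailAddress=vpn@charite.de")
SINGLE = f"verify-x509-name '{DN}' subject"
DOUBLE = f'verify-x509-name "{DN}" subject'
PROFILE = f"# constructed profile fragment\ndev tun\n{SINGLE}\n"

if __name__ == "__main__":
    print(check_directive(SINGLE, split_double_only))  # single quotes ignored
    print(check_directive(SINGLE, shlex.split))        # single quotes honoured
    print(check_directive(DOUBLE, split_double_only))  # double quotes work in both
    print(quoting_sensitive_lines(PROFILE))
```

Run against a profile before it is distributed, quoting_sensitive_lines flags the directives that would parse differently on a client that ignores single quotes.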
comment:10 Changed 3 years ago by
I've got the same issue with OpenVPN3 15~beta+focal.
Importing an ovpn profile works, establishing a session works. After rebooting the machine, I can no longer create a new session, with the error below.
2021-09-29 16:36:03 >> Connection, Client connecting
2021-09-29 16:36:03 Client -- ERROR --: Connection failed: option_error: Invalid verify-x509-name type: L=Eschborn, Session closed
Almost forgot: Deleting the config and importing it again allows me to use it again until next reboot.
comment:11 Changed 2 years ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).
Please resubmit - if still relevant - via https://support.openvpn.net/
Screenshot of the parsing error