Opened 11 months ago

Last modified 8 months ago

#1414 assigned Bug / Defect

option_error: Invalid verify-x509-name type: ST=Berlin,

Reported by: hildeb
Owned by: OpenVPN Inc.
Priority: major
Milestone:
Component: OpenVPN Connect
Version: OpenVPN Connect for Windows
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: OCWindows_3.3.0-2171
Cc:

Description

"platform": "win"
"version": "3.git::8975e733"
"gui_version": "OCWindows_3.3.0-2171"

One of our users cannot connect with our (otherwise working) config.

The error he's getting is:

option_error: Invalid verify-x509-name type: ST=Berlin,

(see attached screenshot)

Our config contains this line:

verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

which apparently is not being recognized by 3.3.0-2171 (but in earlier versions).

The openvpn man page even uses the same quoting style (') in its example for verify-x509-name:

verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

Attachments (1)

Screenshot_2021-06-16_090058.png (16.0 KB) - added by hildeb 11 months ago.
Screenshot of the parsing error


Change History (11)

Changed 11 months ago by hildeb

Screenshot of the parsing error

comment:1 Changed 11 months ago by tct

Owner: changed from OpenVPN Inc. to tct
Status: new → accepted

Nice catch, there is an error in the manual example. v2.4 & 2.5

The example reads:

--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

The correct example would be:

--verify-x509-name subject 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

Correction:
--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' subject

The manual is correct, although difficult to read.

Last edited 11 months ago by tct

comment:2 Changed 11 months ago by hildeb

The man page says:

Valid syntax:
verify-x509 name type

But you say it's actually:

verify-x509 type name

This would invalidate all the examples in the man page, while

verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

used to work in all openconnect versions EXCEPT 3.3.0 (I'm seeing OCWindows_3.2.3-1851 and OCWindows_3.2.2-1455 clients at the moment, to name but a few)

comment:3 Changed 11 months ago by hildeb

For a test I changed the config accordingly and got (with OpenVPN 2.5.2):

Options error: unknown X.509 name type: C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de

comment:4 Changed 11 months ago by tct

Sorry, my initial post was actually incorrect as well ... it is an awkward little option:

--verify-x509-name <DATA> <TYPE> options:

Correction: Default is the entire subject DN

  • No <TYPE> :- <DATA> Defaults to the entire subject DN
  • Type name :- <DATA> is set to RDN
  • Type name-prefix :- <DATA> is a prefix portion of RDN
  • Type subject :- <DATA> is the entire subject DN

You want:
verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

Does that not work any longer?

Last edited 11 months ago by tct

comment:5 Changed 11 months ago by tct

This is Openvpn-connect but you've probably been reading the manual for Openvpn FOSS. They are not the same.

Last edited 11 months ago by tct

comment:6 Changed 11 months ago by tct

Owner: tct deleted
Status: accepted → assigned

comment:7 Changed 11 months ago by hildeb

Regarding comment #4: Yes, that's what I want and it doesn't work any longer.

As you can see, the quoting of the first argument to verify-x509-name is being ignored and thus everything after the 2nd space is seen as TYPE.

comment:8 Changed 11 months ago by Gert Döring

Owner: set to OpenVPN Inc.

comment:9 Changed 9 months ago by egroeper

In my view with updating to OpenVPN 3 library 3.6.2 the OpenVPN-Connect-Client lost support for single quotes ('). Using double quotes (") it works as expected.
In the test suite for OpenVPN3 double quotes are used. In the manual single quotes are used instead.

Either OpenVPN3 should support single quotes again or the manual should be changed.
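
Added example (not part of the ticket and not OpenVPN code): a simplified Python model of the tokenizing behaviour described in comment:7 and comment:9, showing why the single-quoted directive yields "Invalid verify-x509-name type: ST=Berlin," when only double quotes are honoured. The function names, the tokenizer rules and the `portable` check are assumptions made for illustration; the valid types and the default come from comment:4.

```python
# Simplified model of option tokenizing; NOT OpenVPN's actual parser.
VALID_TYPES = {"subject", "name", "name-prefix"}  # types listed in comment:4

def tokenize(line, quote_chars):
    """Split on whitespace, treating only characters in quote_chars as quotes."""
    tokens, cur, quote, started = [], [], None, False
    for ch in line.strip():
        if quote:                      # inside a quoted argument
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in quote_chars:        # opening quote starts an argument
            quote, started = ch, True
        elif ch.isspace():             # argument boundary
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if quote:
        raise ValueError("unterminated quote")
    if started:
        tokens.append("".join(cur))
    return tokens

def parse_verify_x509_name(line, quote_chars):
    """Return (data, type); raise ValueError worded like the client error."""
    args = tokenize(line, quote_chars)
    if len(args) < 2 or args[0] != "verify-x509-name":
        raise ValueError("not a verify-x509-name directive")
    data = args[1]
    vtype = args[2] if len(args) > 2 else "subject"  # default per comment:4
    if vtype not in VALID_TYPES:
        raise ValueError(f"Invalid verify-x509-name type: {vtype}")
    return data, vtype

def portable(line):
    """True if the line parses the same with and without ' as a quote char."""
    try:
        return (parse_verify_x509_name(line, "\"'")
                == parse_verify_x509_name(line, '"'))
    except ValueError:
        return False

# Constructed sample: the directive from the ticket in both quoting styles.
DN = ("C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, "
      "CN=openvpn.charite.de, emailAddress=vpn@charite.de")
SINGLE = f"verify-x509-name '{DN}' subject"
DOUBLE = f'verify-x509-name "{DN}" subject'
```

Running `portable()` over every `verify-x509-name` line in a profile before rollout flags configs that would stop connecting on a client that only honours double quotes.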

comment:10 Changed 8 months ago by max06

I've got the same issue with OpenVPN3 15~beta+focal.

Importing an ovpn profile works, establishing a session works. After rebooting the machine, I can no longer create a new session, with the error below.

2021-09-29 16:36:03 >> Connection, Client connecting
2021-09-29 16:36:03 Client -- ERROR --: Connection failed: option_error: Invalid verify-x509-name type: L=Eschborn,
Session closed

Almost forgot: Deleting the config and importing it again allows me to use it again until next reboot.

Last edited 8 months ago by max06