Opened 3 years ago

Closed 2 years ago

#1414 closed Bug / Defect (wontfix)

option_error: Invalid verify-x509-name type: ST=Berlin,

Reported by: hildeb Owned by: OpenVPN Inc.
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for Windows
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: OCWindows_3.3.0-2171
Cc:

Description

"platform": "win"
"version": "3.git::8975e733"
"gui_version": "OCWindows_3.3.0-2171"

One of our users cannot connect with our (otherwise working) config.

The error he's getting is:

option_error: Invalid verify-x509-name type: ST=Berlin,

(see attached screenshot)

Our config contains this line:

verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

which apparently is not being recognized by 3.3.0-2171 (but in earlier versions).

The openvpn man page even uses the same quoting style (') in its example for verify-x509-name:

verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

Attachments (1)

Screenshot_2021-06-16_090058.png (16.0 KB) - added by hildeb 3 years ago.
Screenshot of the parsing error

Change History (12)

Changed 3 years ago by hildeb

Screenshot of the parsing error

comment:1 Changed 3 years ago by tct

Owner: changed from OpenVPN Inc. to tct
Status: changed from new to accepted

Nice catch, there is an error in the manual example. v2.4 & 2.5

The example reads:

--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

The correct example would be:

--verify-x509-name subject 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

Correction:
--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' subject

The manual is correct, although difficult to read.

comment:2 Changed 3 years ago by hildeb

The man page says:

Valid syntax:
verify-x509 name type

But you say it's actually:

verify-x509 type name

This would invalidate all the examples in the man page, while

verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

used to work in all openconnect versions EXCEPT 3.3.0 (I'm seeing OCWindows_3.2.3-1851 and OCWindows_3.2.2-1455 clients at the moment, to name but a few)

comment:3 Changed 3 years ago by hildeb

For a test I changed the config accordingly and got (with OpenVPN 2.5.2):

Options error: unknown X.509 name type: C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de

comment:4 Changed 3 years ago by tct

Sorry, my initial post was actually incorrect as well. It is an awkward little option:

--verify-x509-name <DATA> <TYPE> options:

Correction: Default is the entire subject DN

  • No <TYPE> :- <DATA> Defaults to the entire subject DN
  • Type name :- <DATA> is set to RDN
  • Type name-prefix :- <DATA> is a prefix portion of RDN
  • Type subject :- <DATA> is the entire subject DN

You want:
verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

Does that not work any longer?

comment:5 Changed 3 years ago by tct

This is OpenVPN Connect, but you've probably been reading the manual for OpenVPN FOSS. They are not the same.

comment:6 Changed 3 years ago by tct

Owner: tct deleted
Status: changed from accepted to assigned

comment:7 Changed 3 years ago by hildeb

Regarding comment #4: Yes, that's what I want and it doesn't work any longer.

As you can see, the quoting of the first argument to verify-x509-name is being ignored and thus everything after the 2nd space is seen as TYPE.

comment:8 Changed 3 years ago by Gert Döring

Owner: set to OpenVPN Inc.

comment:9 Changed 3 years ago by egroeper

In my view, with the update to OpenVPN 3 library 3.6.2, the OpenVPN-Connect-Client lost support for single quotes ('). Using double quotes ("), it works as expected.
In the test suite for OpenVPN3 double quotes are used. In the manual single quotes are used instead.

Either OpenVPN3 should support single quotes again or the manual should be changed.
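
Added example, not part of the ticket and not OpenVPN's own code: a simplified Python model of an option-line tokenizer, showing how treating only double quotes as quoting characters yields the reported "Invalid verify-x509-name type" error, while the double-quoted form parses cleanly. The function names, the tokenizer itself, and the default-to-subject rule (taken from comment:4) are assumptions for illustration.

```python
# Simplified model of an option-line tokenizer (assumption; not OpenVPN's parser).
VALID_TYPES = {"subject", "name", "name-prefix"}  # types listed in comment:4

def tokenize(line, quote_chars):
    """Split on whitespace; only characters in quote_chars group words."""
    tokens, cur, quote, started = [], [], None, False
    for ch in line:
        if quote:                       # inside a quoted run
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in quote_chars:         # opening quote
            quote, started = ch, True
        elif ch.isspace():              # token boundary
            if started:
                tokens.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if quote:
        raise ValueError("unterminated quote")
    if started:
        tokens.append("".join(cur))
    return tokens

def parse_verify_x509_name(line, quote_chars):
    """Return (data, type) or raise ValueError with the reported error text."""
    toks = tokenize(line, quote_chars)
    if len(toks) < 2 or toks[0] != "verify-x509-name":
        raise ValueError("not a verify-x509-name line")
    vtype = toks[2] if len(toks) > 2 else "subject"   # no type: whole subject DN
    if vtype not in VALID_TYPES:
        raise ValueError(f"Invalid verify-x509-name type: {vtype}")
    return toks[1], vtype

def outcome(line, quote_chars):
    try:
        return repr(parse_verify_x509_name(line, quote_chars))
    except ValueError as e:
        return f"option_error: {e}"

DN = "C=KG, ST=NA, L=Bishkek, CN=Server-1"  # man page example quoted in the ticket
SINGLE = f"verify-x509-name '{DN}' subject"
DOUBLE = f'verify-x509-name "{DN}" subject'

if __name__ == "__main__":
    for line, q in [(SINGLE, '"'), (DOUBLE, '"'), (SINGLE, "'\"")]:
        print(repr(q), "->", outcome(line, q))
```

With only `"` recognized, the single-quoted DN splits at its first space, so the third token (`ST=NA,`) lands in the type position and the directive is rejected rather than silently matched against a truncated name.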

comment:10 Changed 3 years ago by max06

I've got the same issue with OpenVPN3 15~beta+focal.

Importing an ovpn profile works, establishing a session works. After rebooting the machine, I can no longer create a new session, with the error below.

2021-09-29 16:36:03 >> Connection, Client connecting
2021-09-29 16:36:03 Client -- ERROR --: Connection failed: option_error: Invalid verify-x509-name type: L=Eschborn,
Session closed

Almost forgot: Deleting the config and importing it again allows me to use it again until next reboot.

comment:11 Changed 2 years ago by Gert Döring

Resolution: wontfix
Status: changed from assigned to closed

OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).

Please resubmit - if still relevant - via https://support.openvpn.net/