Opened 7 weeks ago

Last modified 7 weeks ago

#1414 assigned Bug / Defect

option_error: Invalid verify-x509-name type: ST=Berlin,

Reported by: hildeb Owned by: OpenVPN Inc.
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for Windows
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: OCWindows_3.3.0-2171
Cc:

Description

"platform": "win"
"version": "3.git::8975e733"
"gui_version": "OCWindows_3.3.0-2171"

One of our users cannot connect with our (otherwise working) config.

The error he's getting is:

option_error: Invalid verify-x509-name type: ST=Berlin,

(see attached screenshot)

Our config contains this line:

verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

which apparently is not being recognized by 3.3.0-2171 (but was in earlier versions).

The openvpn man page even uses the same quoting style (') in its example for verify-x509-name:

verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

Attachments (1)

Screenshot_2021-06-16_090058.png (16.0 KB) - added by hildeb 7 weeks ago.
Screenshot of the parsing error


Change History (9)

Changed 7 weeks ago by hildeb

Screenshot of the parsing error

comment:1 Changed 7 weeks ago by tct

Owner: changed from OpenVPN Inc. to tct
Status: new → accepted

Nice catch, there is an error in the manual example (v2.4 & 2.5).

The example reads:

--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

The correct example would be:

--verify-x509-name subject 'C=KG, ST=NA, L=Bishkek, CN=Server-1'

Correction:
--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' subject

The manual is correct, although difficult to read.

Last edited 7 weeks ago by tct

comment:2 Changed 7 weeks ago by hildeb

The man page says:

Valid syntax:
verify-x509 name type

But you say it's actually:

verify-x509 type name

This would invalidate all the examples in the man page, while

verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

used to work in all openconnect versions EXCEPT 3.3.0 (I'm seeing OCWindows_3.2.3-1851 and OCWindows_3.2.2-1455 clients at the moment, to name but a few)

comment:3 Changed 7 weeks ago by hildeb

For a test I changed the config accordingly and got (with OpenVPN 2.5.2):

Options error: unknown X.509 name type: C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de

comment:4 Changed 7 weeks ago by tct

Sorry, my initial post was actually incorrect as well... it is an awkward little option:

--verify-x509-name <DATA> <TYPE> options:

Correction: Default is the entire subject DN

  • No <TYPE>: <DATA> defaults to the entire subject DN
  • Type name: <DATA> is set to RDN
  • Type name-prefix: <DATA> is a prefix portion of RDN
  • Type subject: <DATA> is the entire subject DN

You want:
verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject

Does that not work any longer?

Last edited 7 weeks ago by tct
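The three <TYPE> values listed in comment:4, worked through as an added example (illustrative code written for this page, not OpenVPN or OpenVPN Connect source). It matches a server subject DN against <DATA> under each type, with `subject` as the default when no type is given. The subject DN below is a constructed sample in the formatted "C=..., ST=..., CN=..." form; real OpenVPN derives that string from the certificate and compares it textually, so the pair-wise comparison here is only an approximation of that.

```python
"""Matching a certificate subject against verify-x509-name <DATA> <TYPE>.

Added example, not OpenVPN code. The subject DN is given as the already
formatted "K=V, K=V" string rather than extracted from a certificate.
"""
from __future__ import annotations

# Constructed sample: the subject DN of the server certificate from the ticket.
SERVER_SUBJECT = ("C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, "
                  "CN=openvpn.charite.de, emailAddress=vpn@charite.de")

VALID_TYPES = ("subject", "name", "name-prefix")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a 'K=V, K=V' DN string into (attribute, value) pairs.
    A backslash-escaped comma inside a value is kept as part of the value."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def common_name(dn: str) -> str | None:
    """Return the CN RDN of a DN string, or None if it has none."""
    for key, value in parse_dn(dn):
        if key == "CN":
            return value
    return None


def verify_x509_name(subject: str, data: str, kind: str | None = None) -> bool:
    """Apply verify-x509-name <DATA> <TYPE> to a peer subject.
    No type (None) behaves like 'subject', as comment:4 describes."""
    kind = kind or "subject"
    if kind == "subject":
        return parse_dn(subject) == parse_dn(data)
    cn = common_name(subject)
    if cn is None:
        return False
    if kind == "name":
        return cn == data
    if kind == "name-prefix":
        return cn.startswith(data)
    raise ValueError(f"Invalid verify-x509-name type: {kind}")


def check(subject: str, data: str, kind: str | None = None) -> tuple[bool, str | None]:
    """Non-raising wrapper: (matched, option error text or None)."""
    try:
        return verify_x509_name(subject, data, kind), None
    except ValueError as exc:
        return False, f"option error: {exc}"


if __name__ == "__main__":
    for args in ((SERVER_SUBJECT, "subject"), (SERVER_SUBJECT, None),
                 ("openvpn.charite.de", "name"), ("openvpn.", "name-prefix"),
                 ("subject", SERVER_SUBJECT)):
        print(args[1], check(SERVER_SUBJECT, *args))
```

Two things worth noticing when running it: swapping the argument order (`subject` as <DATA>, the DN as <TYPE>) produces the same kind of "unknown type" error that comment:3 reports from OpenVPN 2.5.2, and `name-prefix` accepts any CN that starts with the prefix, so a certificate from the same CA with CN `openvpn.charite.de.evil` would also pass; `subject` or an exact `name` match is the safer pin.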

comment:5 Changed 7 weeks ago by tct

This is OpenVPN Connect, but you've probably been reading the manual for OpenVPN FOSS. They are not the same.

Last edited 7 weeks ago by tct

comment:6 Changed 7 weeks ago by tct

Owner: tct deleted
Status: accepted → assigned

comment:7 Changed 7 weeks ago by hildeb

Regarding comment #4: Yes, that's what I want and it doesn't work any longer.

As you can see, the quoting of the first argument to verify-x509-name is being ignored and thus everything after the 2nd space is seen as TYPE.
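The parsing difference hildeb describes in comment:7, as an added example (illustrative code for this page, not OpenVPN or OpenVPN Connect source): a splitter that honours single and double quotes and backslash escapes is run against the exact config line from the ticket, next to a whitespace-only split that ignores quoting. With quoting ignored, the third token `ST=Berlin,` lands in the <TYPE> position and the parser reports the error from the screenshot. The option validation and error text below are modelled on the behaviour the ticket shows, not taken from either client's code.

```python
"""Quote-aware vs. naive tokenizing of an OpenVPN-style config line.

Added example, not OpenVPN code. It reproduces the ticket's error from the
ticket's own config line when quoting is ignored.
"""
from __future__ import annotations

# Constructed sample: the verify-x509-name line from the ticket description.
CONFIG_LINE = ("verify-x509-name 'C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, "
               "OU=GB-IT, CN=openvpn.charite.de, emailAddress=vpn@charite.de' subject")

VALID_TYPES = ("subject", "name", "name-prefix")


class OptionError(ValueError):
    """A malformed option line (stands in for the client's option_error)."""


def split_quoted(line: str) -> list[str]:
    """Split a config line into arguments, keeping '...' or "..." as one
    argument and honouring backslash escapes, so a DN with spaces survives."""
    args: list[str] = []
    buf: list[str] = []
    quote: str | None = None
    escaped = in_arg = False
    for ch in line:
        if escaped:                      # literal character after a backslash
            buf.append(ch)
            escaped = False
            in_arg = True
        elif ch == "\\":
            escaped = True
        elif quote:                      # inside a quoted span
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in ("'", '"'):           # opening quote starts (or continues) an argument
            quote = ch
            in_arg = True
        elif ch.isspace():               # unquoted whitespace terminates an argument
            if in_arg:
                args.append("".join(buf))
                buf = []
                in_arg = False
        else:
            buf.append(ch)
            in_arg = True
    if quote:
        raise OptionError("unterminated quote")
    if in_arg:
        args.append("".join(buf))
    return args


def split_naive(line: str) -> list[str]:
    """Whitespace-only split: quoting is ignored, which is the failure mode
    hildeb describes for 3.3.0-2171."""
    return line.split()


def parse_verify_x509_name(args: list[str]) -> tuple[str, str]:
    """Validate tokenized verify-x509-name arguments; returns (<DATA>, <TYPE>).
    <TYPE> defaults to 'subject' when absent (see comment:4)."""
    if not args or args[0] != "verify-x509-name":
        raise OptionError("not a verify-x509-name option")
    if len(args) < 2:
        raise OptionError("verify-x509-name needs a name argument")
    data = args[1]
    kind = args[2] if len(args) > 2 else "subject"
    if kind not in VALID_TYPES:
        raise OptionError(f"Invalid verify-x509-name type: {kind}")
    return data, kind


def parse_line(line: str, splitter=split_quoted) -> tuple[str, str]:
    return parse_verify_x509_name(splitter(line))


def option_error_message(line: str, splitter=split_quoted) -> str | None:
    """The option_error text a parser using `splitter` would report, or None."""
    try:
        parse_line(line, splitter)
    except OptionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("quote-aware:", parse_line(CONFIG_LINE))
    print("naive:      ", option_error_message(CONFIG_LINE, split_naive))
```

Running it prints the two-argument parse for the quote-aware splitter and `Invalid verify-x509-name type: ST=Berlin,` for the naive one, which is the message in the screenshot. The same validation also explains comment:3: with the order reversed (`subject` first, the quoted DN second), the DN ends up in the <TYPE> slot and is rejected as an unknown type.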

comment:8 Changed 7 weeks ago by Gert Döring

Owner: set to OpenVPN Inc.