Opened 2 years ago
Last modified 18 months ago
#1468 new Bug / Defect
non-ascii utf8 character in verify-x509-name
| Reported by: | mischejo | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Generic / unclassified | Version: | OpenVPN 2.5.6 (Community Ed) |
| Severity: | Not set | Keywords: | utf8 verify-x509-name |
| Cc: | | | |
Description
Linux distribution: Ubuntu 20.04 Focal Fossa
OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 30 2022
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
I have an X509 DN name that contains the non-ASCII character "ß":
verify-x509-name "C=de, L=bugß, O=foo, CN=bar, emailAddress=me@email.com"
When I run openvpn with this configuration it prints
Thu Jun 30 15:22:51 2022 VERIFY OK: depth=1, C=de, L=bugÃ
and then freezes. The problem is that ß=\xc3\x9f is translated to \xc3\x83\xc2\x9f. \xc3\x83 is à and \xc2\x9f is invalid in utf8. Therefore printf (or something similar) hangs.
I tracked down the problem to x509_get_subject() in ssl_verify_openssl.c and found a workaround. When I remove ASN1_STRFLGS_UTF8_CONVERT from
X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert), 0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN | ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL);
the problem disappears and I get a VPN connection.
I have no clue whether there are other implications of removing it, but in my case it solved the problem.
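The byte sequence in the report is the signature of a double UTF-8 encoding: when X509_NAME_print_ex() runs with ASN1_STRFLGS_UTF8_CONVERT on a one-byte-per-character ASN.1 string type (T61String, PrintableString, IA5String), every byte is treated as a Latin-1 code point and re-encoded, so \xc3\x9f becomes \xc3\x83\xc2\x9f (the second pair is the UTF-8 form of U+009F, a C1 control character, which is also what ASN1_STRFLGS_ESC_CTRL would escape). A UTF8String attribute is decoded and re-encoded losslessly and comes out unchanged. The following is an added example, not code from this ticket or from OpenVPN: it models both conversions on the reporter's "bugß" value and adds a heuristic that detects and undoes the double encoding before comparing a printed subject against a verify-x509-name value. It assumes the affected L= attribute was stored in a single-byte string type holding raw UTF-8 bytes; the ticket does not show the certificate's string types, so that is an inference.

```python
# Added example, not code from the ticket or from OpenVPN. Models the conversion
# OpenSSL applies under ASN1_STRFLGS_UTF8_CONVERT and shows a check for the
# resulting double encoding. Assumption: the L= attribute was encoded in a
# single-byte ASN.1 string type (e.g. T61String) containing raw UTF-8 bytes.


def utf8_convert_single_byte(raw: bytes) -> bytes:
    """UTF8_CONVERT on a one-byte-per-character string type: each byte is read
    as a Latin-1 code point and re-encoded as UTF-8, so every byte >= 0x80
    becomes two bytes. This is the double encoding seen in the ticket."""
    return "".join(chr(b) for b in raw).encode("utf-8")


def utf8_convert_utf8string(raw: bytes) -> bytes:
    """UTF8_CONVERT on a UTF8String: code points are decoded and re-encoded,
    so the bytes pass through unchanged."""
    return raw.decode("utf-8").encode("utf-8")


def repair_double_encoded(printed: bytes) -> bytes:
    """Undo one round of the single-byte conversion. Heuristic: decode as
    UTF-8, map each code point back to one Latin-1 byte, and accept the result
    only if it is itself valid UTF-8 and differs from the input. Correctly
    encoded names and pure ASCII are returned unchanged."""
    try:
        candidate = printed.decode("utf-8").encode("latin-1")
        candidate.decode("utf-8")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return printed
    return candidate if candidate != printed else printed


def is_double_encoded(printed: bytes) -> bool:
    """True when repair_double_encoded() finds something to undo."""
    return repair_double_encoded(printed) != printed


def dn_matches(printed_subject: bytes, expected: str) -> bool:
    """Compare a printed subject with a verify-x509-name value after undoing
    any double encoding. OpenVPN compares the printed string with the
    configured value as-is, so a double-encoded subject never matches a
    correctly encoded verify-x509-name."""
    return repair_double_encoded(printed_subject).decode("utf-8") == expected


if __name__ == "__main__":
    # Constructed sample: the L= value from the ticket, "bugß", as raw UTF-8.
    raw_l = "bug\u00df".encode("utf-8")            # b"bug\xc3\x9f"
    bad = utf8_convert_single_byte(raw_l)           # b"bug\xc3\x83\xc2\x9f"
    good = utf8_convert_utf8string(raw_l)           # b"bug\xc3\x9f"
    print("single-byte type :", bad, "->", repr(bad.decode("utf-8")))
    print("UTF8String       :", good, "->", good.decode("utf-8"))
    print("double encoded?  :", is_double_encoded(bad), is_double_encoded(good))
    subject = b"C=de, L=" + bad + b", O=foo, CN=bar"
    print("matches config?  :", dn_matches(subject, "C=de, L=bug\u00df, O=foo, CN=bar"))
```

To confirm which case a real certificate is in, print the subject with the string types shown, for example `openssl x509 -in cert.pem -noout -subject -nameopt show_type`: a field printed as T61STRING or PRINTABLESTRING containing non-ASCII bytes will be double-encoded by the conversion above, while UTF8STRING fields will not. Certificates issued with `string_mask = utf8only` in the openssl.cnf `[req]` section store all DN attributes as UTF8String and avoid the problem at the source.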
Change History (3)
comment:1 Changed 22 months ago by
Milestone: release 2.5.7
comment:2 Changed 22 months ago by
comment:3 Changed 18 months ago by
I can still reproduce the bug with
OpenVPN 2.6.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Are you using UTF-8 encoding (\xc3\x9f for ß) or a different encoding?
The problem appears to be resolved.
Tested with: ß
Server:
VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=c1
Client:
VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=s1, emailAddress=me@example.net
Server log:
Client log: