Opened 7 weeks ago

#1468 new Bug / Defect

non-ascii utf8 character in verify-x509-name

Reported by: mischejo Owned by:
Priority: minor Milestone: release 2.5.7
Component: Generic / unclassified Version: OpenVPN 2.5.6 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: utf8 verify-x509-name


Linux distribution: Ubuntu 20.04 Focal Fossa

OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 30 2022
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

I have a X509 DN name that contains the non-ASCII character "ß":

verify-x509-name "C=de, L=bugß, O=foo, CN=bar,"

When I run openvpn with this configuration it prints

Thu Jun 30 15:22:51 2022 VERIFY OK: depth=1, C=de, L=bugÃ

and then freezes. The problem is that ß=\xc3\x9f is translated to \xc3\x83\xc2\x9f. \xc3\x83 is à and \xc2\x9f is invalid in utf8. Therefore printf (or something similar) hangs.

I tracked down the problem to x509_get_subject() in ssl_verify_openssl.c and found a workaround. When I remove ASN1_STRFLGS_UTF8_CONVERT from

X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert),
                   0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN

the problem disapears and I get a VPN connection.

I have no clue if there are other implications by removing it, but in my case it solved the problem.

Change History (0)

Note: See TracTickets for help on using tickets.