Opened 23 months ago

Last modified 14 months ago

#1468 new Bug / Defect

non-ascii utf8 character in verify-x509-name

Reported by: mischejo Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.5.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: utf8 verify-x509-name
Cc:

Description

Linux distribution: Ubuntu 20.04 Focal Fossa

OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 30 2022
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

I have an X509 DN name that contains the non-ASCII character "ß":

verify-x509-name "C=de, L=bugß, O=foo, CN=bar, emailAddress=me@email.com"

When I run openvpn with this configuration it prints

Thu Jun 30 15:22:51 2022 VERIFY OK: depth=1, C=de, L=bugÃ

and then freezes. The problem is that ß=\xc3\x9f is translated to \xc3\x83\xc2\x9f. \xc3\x83 is à and \xc2\x9f is invalid in utf8. Therefore printf (or something similar) hangs.

I tracked down the problem to x509_get_subject() in ssl_verify_openssl.c and found a workaround. When I remove ASN1_STRFLGS_UTF8_CONVERT from

X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert),
                   0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
                   |ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL);

the problem disappears and I get a VPN connection.

I have no clue if there are other implications by removing it, but in my case it solved the problem.
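The byte sequence in the report (ß = \xc3\x9f coming out as \xc3\x83\xc2\x9f) is exactly what you get when UTF-8 bytes are reinterpreted as Latin-1 code points and encoded to UTF-8 a second time: \xc3 becomes U+00C3 "Ã" (\xc3\x83) and \x9f becomes the C1 control character U+009F (\xc2\x9f). The following is an added example, not OpenVPN or OpenSSL code; it assumes that mechanism, reproduces the bytes from the ticket, shows a heuristic for spotting double-encoded subjects in log output, escapes the control characters that can upset a terminal, and compares a verify-x509-name string against a subject after undoing the double encoding. The DN string is the one from the ticket; everything else (function names, the heuristic) is constructed for the example.

```python
# Added example, not OpenVPN/OpenSSL code. Reproduces the UTF-8 double
# encoding described in the ticket and shows how to detect and undo it when
# reading subject strings out of logs.

# Constructed sample: the verify-x509-name from the ticket.
EXPECTED_DN = "C=de, L=bugß, O=foo, CN=bar, emailAddress=me@email.com"


def double_encode_utf8(text: str) -> bytes:
    """Reproduce the mojibake (assumed mechanism): UTF-8 bytes are read as
    Latin-1 code points and encoded to UTF-8 again.  For 'ß' this yields
    c3 83 c2 9f, the bytes observed in the ticket."""
    return text.encode("utf-8").decode("latin-1").encode("utf-8")


def looks_double_encoded(data: bytes) -> bool:
    """Heuristic: data decodes as UTF-8, every resulting code point fits in
    Latin-1, and re-encoding those code points as single bytes gives valid
    UTF-8 with at least one non-ASCII byte.  Plain UTF-8 'ß' fails this
    (c3 9f -> U+00DF -> byte df, which is not valid UTF-8 on its own)."""
    try:
        once = data.decode("utf-8")
        inner = once.encode("latin-1")
        inner.decode("utf-8")
    except UnicodeError:
        return False
    return any(b >= 0x80 for b in inner)


def repair_double_encoded(data: bytes) -> str:
    """Undo one level of double encoding if detected, else decode normally."""
    if looks_double_encoded(data):
        return data.decode("utf-8").encode("latin-1").decode("utf-8")
    return data.decode("utf-8")


def escape_for_log(text: str) -> str:
    """Replace C0/C1 control characters (U+0000-U+001F, U+007F-U+009F) with
    \\xNN so a subject line can be written to a terminal or log safely.
    U+009F, produced by the double encoding above, is one of these."""
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x20 or 0x7F <= code <= 0x9F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> dict:
    """Split 'K=V, K=V' into a dict.  Assumes the ', ' separator used by
    OpenVPN's log output and no escaped commas inside values."""
    parts = {}
    for item in dn.split(", "):
        key, _, value = item.partition("=")
        parts[key.strip()] = value
    return parts


def dn_matches(expected: str, printed: bytes) -> bool:
    """Compare an expected DN against subject bytes as printed, after undoing
    a double encoding if one is detected.  Intended for diagnosing log output;
    a verifier should compare canonical UTF-8 on both sides instead."""
    return parse_dn(expected) == parse_dn(repair_double_encoded(printed))


if __name__ == "__main__":
    mangled = double_encode_utf8(EXPECTED_DN)
    print("bytes for ß:", double_encode_utf8("ß").hex(" "))
    print("double encoded?", looks_double_encoded(mangled))
    print("as printed (escaped):", escape_for_log(mangled.decode("utf-8")))
    print("naive match:", parse_dn(EXPECTED_DN) == parse_dn(mangled.decode("utf-8")))
    print("match after repair:", dn_matches(EXPECTED_DN, mangled))
```

The naive comparison fails because "bugß" and "bugÃ\x9f" are different strings even though both are valid UTF-8, which is why the reporter's workaround of not converting to UTF-8 a second time restores the match. The repair step is only for reading logs; it should not be used to make a verifier accept both spellings.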

Change History (3)

comment:1 Changed 18 months ago by flichtenheld

Milestone: release 2.5.7

comment:2 Changed 18 months ago by tct

The problem appears to be resolved.

Tested ß:
Server: VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=c1
Client: VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=s1, emailAddress=me@example.net

Server log:

2022-11-30 20:51:24 us=26417 OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2022
2022-11-30 20:51:24 us=26434 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
2022-11-30 20:51:24 us=27133 Diffie-Hellman initialized with 4096 bit key
2022-11-30 20:51:24 us=27551 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-30 20:51:24 us=27582 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-30 20:51:24 us=27601 TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2022-11-30 20:51:24 us=27711 ROUTE_GATEWAY 10.1.101.1/255.255.255.0 IFACE=enp5s0 HWADDR=24:b6:fd:31:bc:ca
2022-11-30 20:51:24 us=28063 TUN/TAP device tuns63110 opened
2022-11-30 20:51:24 us=28088 do_ifconfig, ipv4=1, ipv6=0
2022-11-30 20:51:24 us=28108 /sbin/ip link set dev tuns63110 up mtu 1500
2022-11-30 20:51:24 us=40524 /sbin/ip link set dev tuns63110 up
2022-11-30 20:51:24 us=42122 /sbin/ip addr add dev tuns63110 local 10.63.110.101 peer 10.63.110.102
2022-11-30 20:51:24 us=46150 /sbin/ip route add 10.63.110.0/24 via 10.63.110.102
2022-11-30 20:51:24 us=49322 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 AF:14/122 ]
2022-11-30 20:51:24 us=49362 Could not determine IPv4/IPv6 protocol. Using AF_INET
2022-11-30 20:51:24 us=49400 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-11-30 20:51:24 us=49439 UDPv4 link local (bound): [AF_INET]10.1.101.101:63110
2022-11-30 20:51:24 us=49457 UDPv4 link remote: [AF_UNSPEC]
2022-11-30 20:51:24 us=49482 MULTI: multi_init called, r=256 v=256
2022-11-30 20:51:24 us=49529 IFCONFIG POOL IPv4: base=10.63.110.120 size=5
2022-11-30 20:51:24 us=49583 Initialization Sequence Completed
2022-11-30 20:51:24 us=49641 MANAGEMENT: TCP Socket listening on [AF_INET]10.63.110.101:0
2022-11-30 20:51:35 us=751644 MULTI: multi_create_instance called
2022-11-30 20:51:35 us=751717 10.1.101.210:44757 Re-using SSL/TLS context
2022-11-30 20:51:35 us=751828 10.1.101.210:44757 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-30 20:51:35 us=751845 10.1.101.210:44757 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-30 20:51:35 us=751867 10.1.101.210:44757 LZ4 compression initializing
2022-11-30 20:51:35 us=751979 10.1.101.210:44757 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2022-11-30 20:51:35 us=752005 10.1.101.210:44757 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 AF:14/122 ]
2022-11-30 20:51:35 us=752045 10.1.101.210:44757 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2022-11-30 20:51:35 us=752058 10.1.101.210:44757 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2022-11-30 20:51:35 us=752096 10.1.101.210:44757 TLS: Initial packet from [AF_INET]10.1.101.210:44757, sid=f55f13fb c1c6918e
2022-11-30 20:51:35 us=768858 10.1.101.210:44757 VERIFY OK: depth=1, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=Easy-RSA CA, emailAddress=me@example.net
2022-11-30 20:51:35 us=769285 10.1.101.210:44757 VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=c1, emailAddress=me@example.net
2022-11-30 20:51:35 us=769651 10.1.101.210:44757 peer info: IV_VER=2.5.8
2022-11-30 20:51:35 us=769690 10.1.101.210:44757 peer info: IV_PLAT=linux
2022-11-30 20:51:35 us=769710 10.1.101.210:44757 peer info: IV_PROTO=6
2022-11-30 20:51:35 us=769724 10.1.101.210:44757 peer info: IV_NCP=2
2022-11-30 20:51:35 us=769751 10.1.101.210:44757 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2022-11-30 20:51:35 us=769763 10.1.101.210:44757 peer info: IV_LZ4=1
2022-11-30 20:51:35 us=769778 10.1.101.210:44757 peer info: IV_LZ4v2=1
2022-11-30 20:51:35 us=769791 10.1.101.210:44757 peer info: IV_LZO=1
2022-11-30 20:51:35 us=769805 10.1.101.210:44757 peer info: IV_COMP_STUB=1
2022-11-30 20:51:35 us=769944 10.1.101.210:44757 peer info: IV_COMP_STUBv2=1
2022-11-30 20:51:35 us=770036 10.1.101.210:44757 peer info: IV_TCPNL=1
2022-11-30 20:51:35 us=770158 10.1.101.210:44757 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
2022-11-30 20:51:35 us=770254 10.1.101.210:44757 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2022-11-30 20:51:35 us=772936 10.1.101.210:44757 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-11-30 20:51:35 us=772992 10.1.101.210:44757 [c1] Peer Connection Initiated with [AF_INET]10.1.101.210:44757
2022-11-30 20:51:35 us=773036 c1/10.1.101.210:44757 MULTI_sva: pool returned IPv4=10.63.110.122, IPv6=(Not enabled)
2022-11-30 20:51:35 us=773103 c1/10.1.101.210:44757 OPTIONS IMPORT: reading client specific options from: tuns_63110u/CCD_net30/c1
2022-11-30 20:51:35 us=773191 c1/10.1.101.210:44757 MULTI: Learn: 10.63.110.122 -> c1/10.1.101.210:44757
2022-11-30 20:51:35 us=773208 c1/10.1.101.210:44757 MULTI: primary virtual IP for c1/10.1.101.210:44757: 10.63.110.122
2022-11-30 20:51:35 us=773230 c1/10.1.101.210:44757 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-11-30 20:51:35 us=773255 c1/10.1.101.210:44757 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 AF:14/122 ]
2022-11-30 20:51:35 us=773359 c1/10.1.101.210:44757 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-30 20:51:35 us=773378 c1/10.1.101.210:44757 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-30 20:51:35 us=773429 c1/10.1.101.210:44757 SENT CONTROL [c1]: 'PUSH_REPLY,topology net30,route 10.63.110.0   255.255.255.0,explicit-exit-notify 3,comp-lzo no,compress lz4,ping 10,ping-restart 60,ifconfig 10.63.110.122 10.63.110.121,peer-id 0,cipher AES-256-GCM' (status=1)

Client log:

2022-11-30 20:37:50 us=129875 OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2022
2022-11-30 20:37:50 us=130400 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-11-30 20:37:50 us=132130 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-30 20:37:50 us=132949 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-30 20:37:50 us=133809 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2022-11-30 20:37:50 us=134293 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2022-11-30 20:37:50 us=134883 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2022-11-30 20:37:50 us=135295 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2022-11-30 20:37:50 us=135559 TCP/UDP: Preserving recently used remote address: [AF_INET]10.1.101.101:63110
2022-11-30 20:37:50 us=135625 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-11-30 20:37:50 us=135752 UDP link local: (not bound)
2022-11-30 20:37:50 us=136337 UDP link remote: [AF_INET]10.1.101.101:63110
2022-11-30 20:37:50 us=138205 TLS: Initial packet from [AF_INET]10.1.101.101:63110, sid=13d75391 c8c476d3
2022-11-30 20:37:50 us=144080 VERIFY OK: depth=1, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=Easy-RSA CA, emailAddress=me@example.net
2022-11-30 20:37:50 us=145675 VERIFY KU OK
2022-11-30 20:37:50 us=145944 Validating certificate extended key usage
2022-11-30 20:37:50 us=146096 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-11-30 20:37:50 us=146295 VERIFY EKU OK
2022-11-30 20:37:50 us=146488 VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=s1, emailAddress=me@example.net
2022-11-30 20:37:50 us=157005 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2022-11-30 20:37:50 us=157926 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-11-30 20:37:50 us=158541 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-11-30 20:37:50 us=158753 [s1] Peer Connection Initiated with [AF_INET]10.1.101.101:63110
2022-11-30 20:37:50 us=159665 PUSH: Received control message: 'PUSH_REPLY,topology net30,route 10.63.110.0   255.255.255.0,explicit-exit-notify 3,comp-lzo no,compress lz4,ping 10,ping-restart 60,ifconfig 10.63.110.122 10.63.110.121,peer-id 0,cipher AES-256-GCM'
2022-11-30 20:37:50 us=160153 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-11-30 20:37:50 us=160806 OPTIONS IMPORT: timers and/or timeouts modified
2022-11-30 20:37:50 us=161251 OPTIONS IMPORT: explicit notify parm(s) modified
2022-11-30 20:37:50 us=161421 OPTIONS IMPORT: compression parms modified
2022-11-30 20:37:50 us=161799 LZ4 compression initializing
2022-11-30 20:37:50 us=162179 OPTIONS IMPORT: --ifconfig/up options modified
2022-11-30 20:37:50 us=162646 OPTIONS IMPORT: route options modified
2022-11-30 20:37:50 us=163007 OPTIONS IMPORT: peer-id set
2022-11-30 20:37:50 us=163370 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-11-30 20:37:50 us=163709 OPTIONS IMPORT: data channel crypto options modified
2022-11-30 20:37:50 us=163870 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-11-30 20:37:50 us=164072 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 AF:14/121 ]
2022-11-30 20:37:50 us=164363 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-30 20:37:50 us=164744 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-30 20:37:50 us=165112 ROUTE_GATEWAY 10.1.101.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:a4:08:42
2022-11-30 20:37:50 us=166191 TUN/TAP device tun0 opened
2022-11-30 20:37:50 us=166423 do_ifconfig, ipv4=1, ipv6=0
2022-11-30 20:37:50 us=166584 /sbin/ip link set dev tun0 up mtu 1500
2022-11-30 20:37:50 us=644328 /sbin/ip link set dev tun0 up
2022-11-30 20:37:50 us=682628 /sbin/ip addr add dev tun0 local 10.63.110.122 peer 10.63.110.121
2022-11-30 20:37:50 us=686865 /sbin/ip route add 10.63.110.0/24 via 10.63.110.121
RTNETLINK answers: File exists
2022-11-30 20:37:50 us=694857 ERROR: Linux route add command failed: external program exited with error status: 2
2022-11-30 20:37:50 us=695181 Initialization Sequence Completed

comment:3 Changed 14 months ago by mischejo

I can still reproduce the bug with

OpenVPN 2.6.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

Are you using UTF-8 encoding (\xc3\x9f for ß) or a different encoding?
