Opened 7 years ago

Closed 5 years ago

#285 closed Bug / Defect (fixed)

OpenVPN Connect path length issue

Reported by: gundalf Owned by:
Priority: major Milestone:
Component: OpenVPN Connect Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: polarssl pathlen
Cc: james@…

Description

We are trying to connect to our OpenVPN server with OpenVPN Connect 1.0 build 47 (most recent version available in the App Store) from an iOS device. However, the connection fails at the very beginning with a certificate error: PolarSSL fails to verify the certificate (see attached file client.log). Additionally the output of "openssl x509 -in ca.crt -noout -text" is attached in file ca.txt (this is a dummy CA to investigate the problem).

We found out by trial and error that if we build a CA without "pathlen:0", then the verification succeeds.

To my understanding setting path length to 0 on a CA is perfectly valid and should not cause the verification to fail. OpenSSL accepts the certificate also without problems.
To me this looks like a bug in PolarSSL; unfortunately, I don't know which version of PolarSSL is used on iOS.
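A reproduction of the reporter's setup, added here as an example (it is not from the ticket's attachments): it builds a CA carrying basicConstraints pathlen:0 with the openssl CLI, lets that CA issue a server certificate directly, and runs `openssl verify` on that chain and on a second chain where a sub-CA sits under the same root. The first chain is what pathlen:0 permits and OpenSSL accepts it, as the report says; the second is what pathlen:0 actually forbids. Assumes the openssl CLI on PATH; file names and subject names are constructed for the example.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Extension profiles (constructed here; not the reporter's ca.txt).
cat > "$WORK/ext.cnf" <<'EOF'
[ ca_pathlen0 ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# issue NAME CN EXT_SECTION [ISSUER]: make a key and CSR, then self-sign it or
# sign it with ISSUER. 'openssl x509 -req' does not enforce pathlen at issuance,
# so the sub-CA below the pathlen:0 root is minted without complaint.
issue() {
  name=$1 cn=$2 ext=$3 issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$issuer" ]; then
    set -- -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial
  else
    set -- -signkey "$WORK/$name.key"
  fi
  openssl x509 -req -in "$WORK/$name.csr" "$@" -days 365 -sha256 \
    -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
}

issue ca     "Example pathlen0 CA" ca_pathlen0          # self-signed root
issue server "vpn.example.test"    server      ca       # leaf directly under root
issue subca  "Example Sub CA"      sub_ca      ca       # CA under a pathlen:0 root
issue leaf2  "host.example.test"   server      subca    # leaf one level too deep

# Each returns 0 when 'openssl verify' reports the chain as '<file>: OK'.
verify_direct_leaf() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>&1 | grep -q ': OK$'
}
verify_via_subca() {
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/subca.crt" \
    "$WORK/leaf2.crt" 2>&1 | grep -q ': OK$'
}

verify_direct_leaf && echo "leaf issued directly by the pathlen:0 CA: accepted"
verify_via_subca || echo "leaf below a sub-CA of the pathlen:0 CA: rejected (path length exceeded)"
```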

Attachments (2)

client.log (1.1 KB) - added by gundalf 7 years ago.
OpenVPN Connect log
ca.txt (1.1 KB) - added by gundalf 7 years ago.
CA


Change History (9)

Changed 7 years ago by gundalf

Attachment: client.log added

OpenVPN Connect log

Changed 7 years ago by gundalf

Attachment: ca.txt added

CA

comment:1 Changed 7 years ago by Petri Koistinen

I believe I have the same problem with a WatchGuard Technologies box that generates a CA with pathlen:0

comment:2 Changed 7 years ago by JoshC

Component: Generic / unclassified → OpenVPN Connect

comment:3 Changed 7 years ago by Samuli Seppänen

Cc: james@… added
Priority: critical → major

A bug in certain versions of PolarSSL included in older OpenVPN Connect versions prevented connections to servers that used OpenSSL and had the "TLS versioning" patch. In practice, the server had to be based on Git "master" sources. This does not look 100% the same, but I'm wondering if it is related to PolarSSL versions.

Can you reproduce this on latest Git "master" OpenVPN server and latest OpenVPN Connect on Android/iOS? Also, what happens if the server is running OpenVPN 2.3.2?

comment:4 Changed 7 years ago by gundalf

The iOS client was not updated in the last 7 months, so there is nothing new to try there.
I set up an OpenVPN server 2.3.2 and tested again with OpenVPN Connect 1.0.1. I got the same results as before:
If the CA has a path length of 0 the connection fails with the same error message as above, see the attached log file. When creating a new CA with no path length set then the connection succeeds.

If there are any step-by-step instructions on how to build an OpenVPN server from Git, then I can try this too. But I doubt that we will see anything new, because the error message clearly indicates that the PolarSSL library on the client fails to verify the certificate. This can only be solved by fixing/updating this in the OpenVPN Connect client.

comment:5 Changed 7 years ago by Gert Döring

iOS Connect has now been bumped to 1.0.3, which has a number of SSL and other crypto fixes (among others, it now connects to a git master with TLS version negotiation enabled).

Even if it sounds somewhat lame - gundalf, could you re-test, please?

comment:6 Changed 6 years ago by Gert Döring

By now, iOS Connect is at 1.0.4, ... gundalf, could you re-test? (My previous note might have been lost due to trac not always sending notifications, but this one should go out)

comment:7 Changed 5 years ago by Samuli Seppänen

Resolution: fixed
Status: new → closed

Jamesyonan claimed two years ago that the problem will get fixed in OpenVPN Connect 1.0.2. Current version in Google Play Store is 1.1.16 and iOS should not be much/at all behind.

I'll close this as "fixed". If the problem persists please reopen the ticket or file a new one.
