Opened 11 years ago
Closed 9 years ago
#285 closed Bug / Defect (fixed)
OpenVPN Connect path length issue
| Reported by: | gundalf | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | OpenVPN Connect | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | polarssl pathlen |
| Cc: | james@… |
Description
We are trying to connect to our OpenVPN server with OpenVPN Connect 1.0 build 47 (most recent version available in the App Store) from an iOS device. However the connection fails at the very beginning with a certificate error: PolarSSL fails to verify the certificate (see attached file client.log). Additionally the output of "openssl -in ca.crt -noout -text" is attached in file ca.txt (this is a dummy CA to investigate the problem).
We found out by trial and error that if we build a CA without "pathlen:0", then the verification succeeds.
To my understanding setting path length to 0 on a CA is perfectly valid and should not cause the verification to fail. OpenSSL accepts the certificate also without problems.
To me this looks like a bug in PolarSSL, unfortunately I don't know which version of PolarSSL is used on iOS.
Attachments (2)
Change History (9)
Changed 11 years ago by
| Attachment: | client.log added |
|---|
comment:1 Changed 11 years ago by
I believe I have same problem with WatchGuard_Technologies box that generates CA with pathlen:0
comment:2 Changed 11 years ago by
| Component: | Generic / unclassified → OpenVPN Connect |
|---|
comment:3 Changed 10 years ago by
| Cc: | james@… added |
|---|---|
| Priority: | critical → major |
A bug in certain versions of PolarSSL included in older OpenVPN Connect versions prevented connections to servers that used OpenSSL and had the "TLS versioning" patch. In practice, the server had to be based on Git "master" sources. This does not look 100% the same, but I'm wondering if it related to PolarSSL versions.
Can you reproduce this on latest Git "master" OpenVPN server and latest OpenVPN Connect on Android/iOS? Also, what happens if the server is running OpenVPN 2.3.2?
comment:4 Changed 10 years ago by
The iOS client was not updated in the last 7 months, so there is nothing new to try there.
I set up a OpenVPN server 2.3.2 and tested again with OpenVPN Connect 1.0.1. I got the the same results as before:
If the CA has a path length of 0 the connection fails with the same error message as above, see the attached log file. When creating a new CA with no path length set then the connection succeeds.
If there are any step by step intructions on how to build a OpenVPN server from Git, then I can try this too. But I doubt that we will see anything new, because the error message clearly indicates that the PolarSSL library on the client fails to verify the certificate. This can only be solved by fixing/updating this in the OpenVPN Connect client.
comment:5 Changed 10 years ago by
iOS Connect has now been bumped to 1.0.3, which has a number of SSL and other crypto fixes (among others, it now connects to a git master with TLS version negotiation enabled).
Even if it sounds somewhat lame - gundalf, could you re-test, please?
comment:6 Changed 10 years ago by
By now, iOS Connect is at 1.0.4, ... gundalf, could you re-test? (My previous note might have been lost due to trac not always sending notifications, but this one should go out)
comment:7 Changed 9 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Jamesyonan claimed two years ago that the problem will get fixed in OpenVPN Connect 1.0.2. Current version in Google Play Store is 1.1.16 and iOS should not be much/at all behind.
I'll close this as "fixed". If the problem persists please reopen the ticket or file a new one.
OpenVPN Connect log