Opened 7 years ago

Closed 7 years ago

#321 closed Bug / Defect (fixed)

OpenVPN 2.2.3 released with expired driver certificate.

Reported by: simplyadrian Owned by: Samuli Seppänen
Priority: blocker Milestone: release 2.2.3
Component: Certificates Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: windows tap
Cc: Gert Döring


For the windows installer x86 and 64 bit in the 2.3.1 and 2.3.2 versions. The tap tun driver was released with a certificate that expired 08/21/2013. The driver will not install unless the driver signature enforcement is disabled.

Change History (8)

comment:1 Changed 7 years ago by simplyadrian

sorry the milestone should be release 2.3.2 not 2.2.3

comment:2 Changed 7 years ago by Gert Döring

Cc: Gert Döring added
Owner: set to Samuli Seppänen
Status: newassigned

Thanks for letting us know. We had plans to re-spin the 2.3.2 windows package anyway, so we can fix the certificate right away.

Over to mattock who is the windows bundler.

comment:3 Changed 7 years ago by simplyadrian

When can I expect a fix ?

comment:4 Changed 7 years ago by Samuli Seppänen

I can confirm this issue on Windows 7 64-bit. It seems that the catalog file ( is signed, but a signature timestamp is missing. It seems tap-windows buildsystem somehow manages to not timestamp that file, even though it seems to:

%SIGNTOOL%" sign /v /p "%CODESIGN_PASS%" /f "%CODESIGN_PKCS12% /t "%CODESIGN_TIMESTAMP%" /ac "%CODESIGN_CROSS%" <catalog-filename>

When constructing the above command-line manually a timestamped .cat file is produced. I will try to get tap-windows build fixed today and make an OpenVPN Windows installer release including the fix today or tomorrow at latest.

Thanks to hel and pekster for helping debug this!

Last edited 7 years ago by Samuli Seppänen (previous) (diff)

comment:5 Changed 7 years ago by Samuli Seppänen

Keywords: windows tap added

comment:6 Changed 7 years ago by Samuli Seppänen

The problem was that installer\build.bat did not construct the "%SIGNTOOL_CMD_DRIVERS%" variable properly due to cmd.exe behaving in an unexpected way. In practice, the /t (timestamp) parameter was left out, even though the script looked perfectly fine. The tap-windows installer package was signed using "%SIGNTOOL_CMD%", which did include /t, which thus obscured the issue further.

I will commit a fix to tap-windows and release a fixed OpenVPN 2.3.2 installer as soon as it passes basic smoketests.

Last edited 7 years ago by Samuli Seppänen (previous) (diff)

comment:7 Changed 7 years ago by Samuli Seppänen

comment:8 Changed 7 years ago by Samuli Seppänen

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.