OpenVPN 2.2.3 released with expired driver certificate.

[simplyadrian]

For the windows installer x86 and 64 bit in the 2.3.1 and 2.3.2 versions. The tap tun driver was released with a certificate that expired 08/21/2013. The driver will not install unless the driver signature enforcement is disabled.

[simplyadrian]

sorry the milestone should be release 2.3.2 not 2.2.3

[Gert Döring]

Thanks for letting us know. We had plans to re-spin the 2.3.2 windows package anyway, so we can fix the certificate right away.

Over to mattock who is the windows bundler.

[simplyadrian]

When can I expect a fix ?

[Samuli Seppänen]

I can confirm this issue on Windows 7 64-bit. It seems that the catalog file (tap0901.cat) is signed, but a signature timestamp is missing. It seems tap-windows buildsystem somehow manages to not timestamp that file, even though it seems to:

%SIGNTOOL%" sign /v /p "%CODESIGN_PASS%" /f "%CODESIGN_PKCS12% /t "%CODESIGN_TIMESTAMP%" /ac "%CODESIGN_CROSS%" <catalog-filename>

When constructing the above command-line manually a timestamped .cat file is produced. I will try to get tap-windows build fixed today and make an OpenVPN Windows installer release including the fix today or tomorrow at latest.

Thanks to hel and pekster for helping debug this!

[Samuli Seppänen]

The problem was that installer\build.bat did not construct the "%SIGNTOOL_CMD_DRIVERS%" variable properly due to cmd.exe behaving in an unexpected way. In practice, the /t (timestamp) parameter was left out, even though the script looked perfectly fine. The tap-windows installer package was signed using "%SIGNTOOL_CMD%", which did include /t, which thus obscured the issue further.

I will commit a fix to tap-windows and release a fixed OpenVPN 2.3.2 installer as soon as it passes basic smoketests.

[Samuli Seppänen]

Fixed installers released:

• ​http://openvpn.net/index.php/download/community-downloads.html