Opened 9 years ago

Closed 9 years ago

#321 closed Bug / Defect (fixed)

OpenVPN 2.2.3 released with expired driver certificate.

Reported by: simplyadrian Owned by: Samuli Seppänen
Priority: blocker Milestone: release 2.2.3
Component: Certificates Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: windows tap
Cc: Gert Döring


For the windows installer x86 and 64 bit in the 2.3.1 and 2.3.2 versions. The tap tun driver was released with a certificate that expired 08/21/2013. The driver will not install unless the driver signature enforcement is disabled.

Change History (8)

comment:1 Changed 9 years ago by simplyadrian

sorry the milestone should be release 2.3.2 not 2.2.3

comment:2 Changed 9 years ago by Gert Döring

Cc: Gert Döring added
Owner: set to Samuli Seppänen
Status: newassigned

Thanks for letting us know. We had plans to re-spin the 2.3.2 windows package anyway, so we can fix the certificate right away.

Over to mattock who is the windows bundler.

comment:3 Changed 9 years ago by simplyadrian

When can I expect a fix ?

comment:4 Changed 9 years ago by Samuli Seppänen

I can confirm this issue on Windows 7 64-bit. It seems that the catalog file ( is signed, but a signature timestamp is missing. It seems tap-windows buildsystem somehow manages to not timestamp that file, even though it seems to:

%SIGNTOOL%" sign /v /p "%CODESIGN_PASS%" /f "%CODESIGN_PKCS12% /t "%CODESIGN_TIMESTAMP%" /ac "%CODESIGN_CROSS%" <catalog-filename>

When constructing the above command-line manually a timestamped .cat file is produced. I will try to get tap-windows build fixed today and make an OpenVPN Windows installer release including the fix today or tomorrow at latest.

Thanks to Hes and Pekster for helping debug this!

Version 0, edited 9 years ago by Samuli Seppänen (next)

comment:5 Changed 9 years ago by Samuli Seppänen

Keywords: windows tap added

comment:6 Changed 9 years ago by Samuli Seppänen

The problem was that installer\build.bat did not construct the "%SIGNTOOL_CMD_DRIVERS%" variable properly due to cmd.exe behaving in an unexpected way. In practice, the /t (timestamp) parameter was left out, even though the script looked perfectly fine. The tap-windows installer package was signed using "%SIGNTOOL_CMD%", which did include /t, which thus obscured the issue further.

I will commit a fix to tap-windows and release a fixed OpenVPN 2.3.2 installer as soon as it passes basic smoketests.

Last edited 9 years ago by Samuli Seppänen (previous) (diff)

comment:7 Changed 9 years ago by Samuli Seppänen

comment:8 Changed 9 years ago by Samuli Seppänen

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.