Opened 11 years ago

Closed 11 years ago

#321 closed Bug / Defect (fixed)

OpenVPN 2.2.3 released with expired driver certificate.

Reported by: simplyadrian
Owned by: Samuli Seppänen
Priority: blocker
Milestone: release 2.2.3
Component: Certificates
Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: windows tap
Cc: Gert Döring

Description

For the Windows installer, x86 and 64-bit, in the 2.3.1 and 2.3.2 versions, the tap tun driver was released with a certificate that expired 08/21/2013. The driver will not install unless driver signature enforcement is disabled.

Change History (8)

comment:1 Changed 11 years ago by simplyadrian

Sorry, the milestone should be release 2.3.2, not 2.2.3.

comment:2 Changed 11 years ago by Gert Döring

Cc: Gert Döring added
Owner: set to Samuli Seppänen
Status: new → assigned

Thanks for letting us know. We had plans to re-spin the 2.3.2 windows package anyway, so we can fix the certificate right away.

Over to mattock who is the windows bundler.

comment:3 Changed 11 years ago by simplyadrian

When can I expect a fix?

comment:4 Changed 11 years ago by Samuli Seppänen

I can confirm this issue on Windows 7 64-bit. It seems that the catalog file (tap0901.cat) is signed, but a signature timestamp is missing. It seems the tap-windows buildsystem somehow manages to not timestamp that file, even though it seems to:

"%SIGNTOOL%" sign /v /p "%CODESIGN_PASS%" /f "%CODESIGN_PKCS12%" /t "%CODESIGN_TIMESTAMP%" /ac "%CODESIGN_CROSS%" <catalog-filename>

When constructing the above command-line manually, a timestamped .cat file is produced. I will try to get the tap-windows build fixed today and make an OpenVPN Windows installer release including the fix today or tomorrow at the latest.

Thanks to hel and pekster for helping debug this!


comment:5 Changed 11 years ago by Samuli Seppänen

Keywords: windows tap added

comment:6 Changed 11 years ago by Samuli Seppänen

The problem was that installer\build.bat did not construct the "%SIGNTOOL_CMD_DRIVERS%" variable properly due to cmd.exe behaving in an unexpected way. In practice, the /t (timestamp) parameter was left out, even though the script looked perfectly fine. The tap-windows installer was signed with "%SIGNTOOL_CMD%", which did include /t, and thus obscured the issue further.

I will commit a fix to tap-windows and release a fixed OpenVPN 2.3.2 installer as soon as it passes basic smoketests.

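
A release gate for the failure described in comments 4 and 6, as an added example that is not part of the ticket or of the tap-windows build system: it fails when a signed driver file carries no timestamp countersignature. The function name `Test-DriverTimestamps` and the `.\dist` path are assumptions; `Get-AuthenticodeSignature` is the standard PowerShell cmdlet.

```powershell
# Added example (not tap-windows code). At build time an untimestamped
# signature still reports Status = Valid because the signing certificate has
# not expired yet, so the timestamp has to be checked explicitly.
# Test-DriverTimestamps is a hypothetical helper name.
function Test-DriverTimestamps {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Include = @('*.cat', '*.sys')
    )

    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Include
    if (-not $files) {
        throw "No files matching $($Include -join ', ') found under $Path"
    }

    $failures = @()
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        if ($null -eq $sig.SignerCertificate) {
            $failures += "$($file.Name): not signed"
            continue
        }
        if ($sig.Status -ne 'Valid') {
            $failures += "$($file.Name): signature status is $($sig.Status)"
        }
        # No timestamper certificate means the signature is only accepted
        # while the signing certificate itself is within its validity period.
        if ($null -eq $sig.TimeStamperCertificate) {
            $failures += ("{0}: signed but not timestamped; signing certificate expires {1:yyyy-MM-dd}" -f
                $file.Name, $sig.SignerCertificate.NotAfter)
        }
    }
    return $failures
}

# Usage as a build step (the path is a placeholder):
#   $bad = Test-DriverTimestamps -Path '.\dist'
#   if ($bad) { $bad | ForEach-Object { Write-Error $_ }; exit 1 }
```

Running the check over every signed output, not just the installer, matters here because the installer itself was signed with a command that did include /t.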

comment:7 Changed 11 years ago by Samuli Seppänen

comment:8 Changed 11 years ago by Samuli Seppänen

Resolution: fixed
Status: assigned → closed