#332 closed Bug / Defect (notabug)
OpenVPN iOS: PolarSSL fail to verify modern certificate chain
| Reported by: | lawless96 | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | OpenVPN Connect | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Have a proper OpenVPN certificate that works fine
on a laptop with openvpn-2.1_rc15, but PolarSSL
rejects it as invalid. Figure it is due to
one or more of:
a) certs are RSA 4096-bit
b) signatures are sha512
Details in attachments.
Attachments (5)
Change History (16)
comment:1 Changed 11 years ago by
comment:2 Changed 11 years ago by
Thought for a minute that having password encryption on
the private key was causing the problem, but removing
encryption on the key made no difference.
comment:3 Changed 11 years ago by
And yes, 'openssl' likes the certs just fine:
$ openssl verify -CAfile FLM_geileis1_ca.pem FLM_geileis_client_cert.pem
FLM_geileis_client_cert.pem: OK
$ openssl verify -CAfile FLM_geileis1_ca.pem openvpnB_server_cert.pem
openvpnB_server_cert.pem: OK
comment:4 Changed 11 years ago by
Verizon iPhone 4
VZ iOS 6.1.3
client iOS OpenVPN 1.0.1
server openvpn-2.1_rc15
server openssl-0.9.8w
server kernel F9 2.6.27.25-78.2.56.fc9.x86_64
(old kernel, but so what)
Let me reiterate: Exact same certs work perfectly
fine on 32-bit XP laptop running 'openvpn-2.1_rc15'.
Changed 11 years ago by
| Attachment: | openvpn_iphone_log.txt added |
|---|
Changed 11 years ago by
| Attachment: | FLM_geileis1_ca.txt added |
|---|
Changed 11 years ago by
| Attachment: | FLM_geileis_client_cert.pem added |
|---|
Changed 11 years ago by
| Attachment: | FLM_geileis1.ovpn added |
|---|
comment:5 Changed 11 years ago by
Paul at PolarSSL had determined that the exact
certificates included here and used in the
configuration verify correctly. So it
appears the bug is in OpenVPN. His
recommendation is
I don't know what the options are in OpenVPN.
Normally I would suggest: add a verify callback
(with ssl_set_verify()) and print out the flags
raised for the 'certificate in error'..
comment:6 Changed 11 years ago by
Big Goof. Had an old/stale version of the
CA cert lying around and inadvertently used
it in the .ovpn file. Not working yet
but the certificates now verify.
Don't see any way to close-out this ticket
in the web interface. Only action is
"leave as new". Please close.
comment:7 Changed 11 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | new → closed |
Closing as noted earlier.
comment:8 Changed 11 years ago by
| Component: | Generic / unclassified → OpenVPN Connect |
|---|
comment:9 Changed 9 years ago by
| Resolution: | notabug |
|---|---|
| Status: | closed → reopened |
comment:10 Changed 9 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | reopened → closed |
| Version: | 2.2.2 |
Timmytannenhill1974: Please do not reopen bugs without explaining why you did so. The reporter of this bug clearly states he had made a configuration mistake, so this is clearly not a bug. If you're having a similar issue please file a new bug report.
comment:11 Changed 9 years ago by
problem is following error is showing on Openvpn Connect
OpenVPN server certificate verification failed : PolarSSL:SSL read error:X509-Certificate verification Failed ,e.g CRL,CA or signature check failed
Have valid CRL up and working. Good enough
for Windows Remote Desktop (mstsc), which is
very demanding about CRLs. No OCSP.
PolarSSL makes no attempt to download the CRL.
CA is in the keystore, both as an independent
certificate and included in the PKCS12 bundle
for the OpenVPN client certificate and key.
RSA private key is 4096 bit.