Opened 7 years ago

Closed 5 years ago

Last modified 5 years ago

#332 closed Bug / Defect (notabug)

OpenVPN iOS: PolarSSL fail to verify modern certificate chain

Reported by: lawless96 Owned by:
Priority: major Milestone:
Component: OpenVPN Connect Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Have a proper OpenVPN certificate that works fine
on a laptop with openvpn-2.1_rc15, but PolarSSL
rejects it as invalid. Figure it is due to
one or more of:

a) certs are RSA 4096-bit
b) signatures are sha512

Details in attachments.

Attachments (5)

openvpn_iphone_log.txt (2.1 KB) - added by lawless96 7 years ago.
FLM_geileis1_ca.txt (7.6 KB) - added by lawless96 7 years ago.
FLM_geileis_client_cert.pem (7.6 KB) - added by lawless96 7 years ago.
FLM_geileis1.ovpn (2.4 KB) - added by lawless96 7 years ago.
openvpnB_server_cert.pem (7.6 KB) - added by lawless96 7 years ago.
forgot server-side cert info


Change History (16)

comment:1 Changed 7 years ago by lawless96

Have valid CRL up and working. Good enough
for Windows Remote Desktop (mstsc), which is
very demanding about CRLs. No OCSP.

PolarSSL makes no attempt to download the CRL.

CA is in the keystore, both as an independent
certificate and included in the PKCS12 bundle
for the OpenVPN client certificate and key.

RSA private key is 4096 bit.

comment:2 Changed 7 years ago by lawless96

Thought for a minute that having password encryption on
the private key was causing the problem, but removing
encryption on the key made no difference.

comment:3 Changed 7 years ago by lawless96

And yes, 'openssl' likes the certs just fine:

$ openssl verify -CAfile FLM_geileis1_ca.pem FLM_geileis_client_cert.pem
FLM_geileis_client_cert.pem: OK

$ openssl verify -CAfile FLM_geileis1_ca.pem openvpnB_server_cert.pem
openvpnB_server_cert.pem: OK

comment:4 Changed 7 years ago by lawless96

Verizon iPhone 4
VZ iOS 6.1.3
client iOS OpenVPN 1.0.1
server openvpn-2.1_rc15
server openssl-0.9.8w

server kernel F9 2.6.27.25-78.2.56.fc9.x86_64
(old kernel, but so what)


Let me reiterate: Exact same certs work perfectly
fine on 32-bit XP laptop running 'openvpn-2.1_rc15'.

Changed 7 years ago by lawless96

Attachment: openvpn_iphone_log.txt added

Changed 7 years ago by lawless96

Attachment: FLM_geileis1_ca.txt added

Changed 7 years ago by lawless96

Attachment: FLM_geileis_client_cert.pem added

Changed 7 years ago by lawless96

Attachment: FLM_geileis1.ovpn added

Changed 7 years ago by lawless96

Attachment: openvpnB_server_cert.pem added

forgot server-side cert info

comment:5 Changed 7 years ago by lawless96

Paul at PolarSSL had determined that the exact
certificates included here and used in the
configuration verify correctly. So it
appears the bug is in OpenVPN. His
recommendation is:

  I don't know what the options are in OpenVPN.
  Normally I would suggest: add a verify callback
  (with ssl_set_verify()) and print out the flags
  raised for the 'certificate in error'.

comment:6 Changed 7 years ago by lawless96

Big Goof. Had an old/stale version of the
CA cert lying around and inadvertently used
it in the .ovpn file. Not working yet
but the certificates now verify.

Don't see any way to close-out this ticket
in the web interface. Only action is
"leave as new". Please close.
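
The mismatch described in comment:6 (a stale CA certificate used by the .ovpn profile while `openssl verify` was run against the current CA file) can be caught by fingerprinting both copies. This is an added example, not part of the ticket or of OpenVPN; it assumes the profile carries its CA in an inline `<ca>` block, and the PEM bodies, host name and function names are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Inline <ca> ... </ca> block of an OpenVPN profile (tolerates CRLF endings).
INLINE_CA_RE = re.compile(r"^<ca>\s*?\n(.*?)^</ca>", re.S | re.M)


def pem_fingerprints(text):
    """SHA-256 over the DER bytes of every PEM certificate found in text."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(text)]


def check_profile_ca(profile_text, current_ca_pem):
    """Compare the CA certs embedded in a profile with the current CA file."""
    expected = set(pem_fingerprints(current_ca_pem))
    if not expected:
        raise ValueError("current CA file contains no PEM certificate")
    block = INLINE_CA_RE.search(profile_text)
    if block is None:
        return "no-inline-ca"        # profile uses 'ca <file>' or a keystore
    embedded = set(pem_fingerprints(block.group(1)))
    if not embedded:
        return "empty-inline-ca"
    return "match" if embedded == expected else "stale-or-different"


def _pem(raw):
    """Wrap constructed bytes as a PEM block (sample data, not a real cert)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample input: an old CA left in the profile, a newer CA on disk.
OLD_CA = _pem(b"constructed stale CA bytes")
NEW_CA = _pem(b"constructed current CA bytes")
PROFILE = f"client\ndev tun\nremote vpn.example.net 1194\n<ca>\n{OLD_CA}</ca>\n"

if __name__ == "__main__":
    print(check_profile_ca(PROFILE, NEW_CA))
```

A "stale-or-different" result means the client is validating the server against a CA other than the one the on-disk `openssl verify` check used.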

comment:7 Changed 7 years ago by JoshC

Resolution: notabug
Status: new → closed

Closing as noted earlier.

comment:8 Changed 7 years ago by JoshC

Component: Generic / unclassified → OpenVPN Connect

comment:9 Changed 6 years ago by timmytannehill1974@…

Resolution: notabug
Status: closed → reopened

comment:10 Changed 5 years ago by Samuli Seppänen

Resolution: notabug
Status: reopened → closed
Version: 2.2.2

Timmytannenhill1974: Please do not reopen bugs without explaining why you did so. The reporter of this bug clearly states he had made a configuration mistake, so this is clearly not a bug. If you're having a similar issue please file a new bug report.

comment:11 Changed 5 years ago by umesh

Problem is the following error is showing on OpenVPN Connect:

OpenVPN server certificate verification failed : PolarSSL:SSL read error:X509-Certificate verification Failed ,e.g CRL,CA or signature check failed

