Opened 6 years ago

Closed 3 years ago

#458 closed Feature Wish (wontfix)

Ability to get the server's certificate for debugging of certificate validation issues

Reported by: anarazel
Owned by:
Priority: minor
Milestone:
Component: Certificates
Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:



I just had a case where the server's certificate didn't validate against the CA certificate I was given. As I unfortunately do not have control over the server (including its certificate), debugging that required getting hold of the server's certificate.
Which doesn't seem to be possible with stock openvpn? Browsers et al. allow you to do so easily. Unfortunately I don't know of a ready-made tool (like openssl's s_client) that allows you to download the certificate for openvpn.

To resolve the issue for the moment I added the below block to src/openvpn/ssl_verify_openssl.c

verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
	  /* dump the certificate currently being checked; the callback runs once
	     per chain depth, so this shows the server cert and its issuers */
	  X509 *rcert = X509_STORE_CTX_get_current_cert(ctx);
	  X509_print_fp(stderr, rcert);   /* decoded: subject, issuer, validity, extensions */
	  PEM_write_X509(stderr, rcert);  /* PEM block, reusable with openssl x509 / verify */

That allowed me to get the certificate, and it indeed helped me to resolve the issue.

But I don't think an operation like that should require patching openvpn - too many users/sysadmins won't be able to do that. So I propose that some feature allowing users to debug issues around this be built into openvpn.

One argument against might be that that'd allow careless users to simply use the server's certificate when having problems, allowing for MITM issues. But I don't think that's a particularly important consideration. If they're able to get the server certificate via some obscure openvpn option....
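Added example for the debugging step the reporter describes, not code from the ticket or from OpenVPN: openssl s_client cannot be pointed at an OpenVPN server, because OpenVPN carries TLS inside its own control-channel packet format (optionally HMAC-wrapped by tls-auth), and stock OpenVPN only logs a VERIFY ERROR line with the depth, the OpenSSL error string and the subject. So once the server certificate has been obtained (for instance with the patch above), the remaining question is why it does not chain to the CA file you were handed. The script below assumes only the openssl command-line tool; the CA names, the host name vpn.example.com and all three certificates are constructed test data generated on the fly, with one CA that really signed the server cert and an unrelated CA standing in for "the CA certificate I was given".

```shell
#!/bin/sh
# Added example, not from the ticket or from OpenVPN. Assumes the `openssl`
# CLI is installed. All certificates below are constructed test data.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: self-signed CA cert $WORK/NAME.pem with key $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server_cert NAME CA CN: leaf certificate for CN signed by $WORK/CA.pem
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_field FILE FLAG: print one field of a certificate (-subject, -issuer,
# -issuer_hash, -subject_hash, -dates ...), the same data X509_print_fp shows.
cert_field() {
    openssl x509 -noout "$2" -in "$1"
}

# check_server_cert CERT CAFILE: return 0 if CERT chains to CAFILE, otherwise
# print the facts needed to see why not and return 1.
check_server_cert() {
    cert=$1; cafile=$2
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "OK: $(cert_field "$cert" -subject) chains to $cafile"
        return 0
    fi
    echo "FAILED: $cert does not verify against $cafile"
    echo "  cert $(cert_field "$cert" -issuer)  (issuer hash $(cert_field "$cert" -issuer_hash))"
    echo "  CA   $(cert_field "$cafile" -subject)  (subject hash $(cert_field "$cafile" -subject_hash))"
    echo "  cert validity: $(cert_field "$cert" -dates | tr '\n' ' ')"
    # The issuer/subject name hashes are what OpenSSL uses to look up the issuer.
    if [ "$(cert_field "$cert" -issuer_hash)" != "$(cert_field "$cafile" -subject_hash)" ]; then
        echo "  => the server cert was issued by a different CA than the one you were given"
    else
        echo "  => issuer name matches; check validity dates, signature or CA key instead"
    fi
    return 1
}

# Constructed scenario: a CA that really signed the server cert, and an
# unrelated CA that plays the CA file the user was handed.
make_ca real_ca   "Real VPN CA"
make_ca handed_ca "Unrelated CA"
make_server_cert server real_ca "vpn.example.com"

echo "--- against the CA that actually signed it:"
check_server_cert "$WORK/server.pem" "$WORK/real_ca.pem"
echo "--- against the CA file the user was handed:"
check_server_cert "$WORK/server.pem" "$WORK/handed_ca.pem" || true
```

Two caveats when applying this to a real OpenVPN failure: feed check_server_cert the PEM block the patch wrote to stderr (a cert at depth > 0 is an intermediate, not the server cert), and remember that OpenVPN options such as --remote-cert-tls server additionally require the right key usage and extended key usage, so a certificate that passes openssl verify can still be rejected by OpenVPN.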

Change History (1)

comment:1 Changed 3 years ago by David Sommerseth

Resolution: wontfix
Status: new → closed

NAK to this feature. Such a feature is marginally useful for the vast majority of users. Those needing such a feature can rather do this patching themselves and do their own build.

Comparing features against what browsers can do is also quite moot, as they are to be used very differently - despite both building on the same TLS protocol. Server certificates for web servers are more useful as they're most commonly signed by a public CA, while OpenVPN should be built around your own private CA. So you also need access to the CA setup as well. If you're lacking that and do not have access to the needed files, you should contact your VPN admin instead.

And for all other cases, it is more for the sake of debugging and hacking, so patching is to be expected.
