Opened 9 years ago
Closed 21 months ago
#540 closed Bug / Defect (wontfix)
iOS: Incorrect processing of <ca></ca> contents in OpenVPN Connect
Reported by: | fufel | Owned by: | OpenVPN Inc. |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | OpenVPN Connect | Version: | OpenVPN Connect for iOS v1.2.9 |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | ios, ipad, iphone, OpenVPN Connect |
Cc: | | | |
Description
OpenVPN Connect doesn't extract certificate chains in <ca></ca>. The unified form of configuration file is used.
We have this config:
remote my.domain.com 443
client
dev tun
proto tcp
persist-remote-ip
nobind
persist-key
persist-tun
cipher AES-256-CBC
remote-cert-tls server
redirect-gateway def1
tls-timeout 4
comp-lzo
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
..
-----END RSA PRIVATE KEY-----
</key>
When trying to connect with OpenVPN Connect on iOS and Android we have the following error on the client side:
2015-12-12 23:23:23 TCP recv EOF
2015-12-12 23:23:23 Transport Error: Transport error on 'my.domain.com: NETWORK_EOF_ERROR
on the server side:
2015-12-12 23:23:23 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=2323
2015-12-12 23:23:23 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
This config file works perfectly on OpenVPN GUI and OpenVPN for Android. If we issue the client certificate without an intermediate certificate, then OpenVPN Connect works fine.
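As an added illustration (not code from the ticket, from the reporter, or from OpenVPN), the script below parses a unified profile of the shape shown above, counts the PEM certificates in each inline block so a multi-certificate `<ca>` chain is visible at a glance, and extracts depth, reason and peer subject from server-side `VERIFY ERROR` lines like the ones quoted. The profile and log text embedded in it are constructed placeholders, not the reporter's real data.

```python
"""Diagnose a unified OpenVPN profile whose <ca> block carries a chain.

Added example: parses the inline-block profile format used in the ticket and
classifies the server-side verify errors it quotes. The sample profile and
log below are constructed placeholders, not the reporter's real data.
"""
import re
from typing import Dict, List, Tuple

# One PEM certificate inside an inline block (non-greedy: stops at the first END).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# An OpenVPN inline block: <tag> on its own line ... </tag> on its own line.
INLINE_RE = re.compile(
    r"^<(?P<tag>[a-z-]+)>[ \t]*\n(?P<body>.*?)\n</(?P=tag)>[ \t]*$", re.S | re.M)
# The server-side message shown in the ticket, e.g.
# "VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=2323"
VERIFY_ERROR_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.*)$")


def parse_unified_profile(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a unified .ovpn into plain directives and its inline <tag> blocks."""
    blocks = {m.group("tag"): m.group("body").strip()
              for m in INLINE_RE.finditer(text)}
    remainder = INLINE_RE.sub("", text)
    directives = [ln.strip() for ln in remainder.splitlines()
                  if ln.strip() and not ln.lstrip().startswith(("#", ";"))]
    return directives, blocks


def count_pem_certs(block: str) -> int:
    """Number of PEM certificates in one inline block (0 for key material)."""
    return len(PEM_CERT_RE.findall(block))


def diagnose_ca_block(blocks: Dict[str, str]) -> List[str]:
    """Findings about the <ca> block relevant to the ticket's failure mode."""
    findings: List[str] = []
    n_ca = count_pem_certs(blocks.get("ca", ""))
    if n_ca == 0:
        findings.append("<ca> contains no certificate")
    elif n_ca > 1:
        findings.append(f"<ca> contains {n_ca} certificates: a chain, not a single root")
        findings.append("check that the peer's CA store also holds the intermediate; "
                        "otherwise the server reports 'unable to get local issuer "
                        "certificate' at depth=0, the message quoted in the ticket")
    if n_ca > 0 and count_pem_certs(blocks.get("cert", "")) != 1:
        findings.append("<cert> should hold exactly one client certificate")
    return findings


def classify_verify_errors(lines: List[str]) -> List[Dict[str, object]]:
    """Extract depth, reason and peer subject from server log lines."""
    out: List[Dict[str, object]] = []
    for ln in lines:
        m = VERIFY_ERROR_RE.search(ln)
        if m:
            out.append({"depth": int(m.group("depth")),
                        "error": m.group("error").strip(),
                        "subject": m.group("subject").strip()})
    return out


# Constructed sample profile (placeholder PEM bodies), same shape as the ticket's.
SAMPLE_PROFILE = """\
remote my.domain.com 443
client
dev tun
proto tcp
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERT==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERT==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCLIENTCERT==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEY==
-----END RSA PRIVATE KEY-----
</key>
"""

# Constructed server log, one entry per line, modelled on the ticket's output.
SAMPLE_SERVER_LOG = """\
2015-12-12 23:23:23 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=2323
2015-12-12 23:23:23 TLS_ERROR: BIO read tls_read_plaintext error
"""

if __name__ == "__main__":
    directives, blocks = parse_unified_profile(SAMPLE_PROFILE)
    print("directives:", directives)
    print({tag: count_pem_certs(body) for tag, body in blocks.items()})
    for finding in diagnose_ca_block(blocks):
        print("finding:", finding)
    for err in classify_verify_errors(SAMPLE_SERVER_LOG.splitlines()):
        print("verify error:", err)
```

Run it against a real profile by replacing `SAMPLE_PROFILE` with the file contents; the per-block certificate counts show immediately whether `<ca>` carries a chain, and the parsed `depth` tells you whether the server failed on the leaf (depth 0) or higher up the chain.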
Change History (11)
comment:1 Changed 9 years ago by
Owner: | set to jamesyonan |
---|---|
Status: | new → assigned |
comment:2 Changed 9 years ago by
Milestone: | release 1.0.5 |
---|---|
comment:4 Changed 8 years ago by
Replying to lanopop:
I have the exact same problem. I need to put the full certificate chain in the .opvn file, otherwise my vpn connection will not work. So this is the reason why there are multiple certs in the <ca> tag.
This works on Windows with the OpenVPN GUI, just on Apple iOS it doesn't.
Sat Oct 1 07:11:57 2016 TLS: Initial packet from [AF_INET6]::ffff:1.1.1.1:62867, sid=xxx xxx
Sat Oct 1 07:11:58 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=xxx, ST=xxx, O=xxx, CN=xxx
Sat Oct 1 07:11:58 2016 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Oct 1 07:11:58 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sat Oct 1 07:11:58 2016 TLS Error: TLS object -> incoming plaintext read error
So forget what I wrote before, because I figured out what was the problem for me... You are not allowed to use the same OU Name for your root and intermediate certificate. Otherwise openvpn will tell you
Cannot load CA certificate file [[INLINE]] (entry 2 did not validate)
Cannot load CA certificate file [[INLINE]] (only 1 of 2 entries were valid X509 names)
comment:5 Changed 7 years ago by
Owner: | changed from jamesyonan to Antonio Quartulli |
---|---|
v1.2.6 has just been launched on the AppStore. Could you please test that version and let us know if the bug is still there?
comment:6 Changed 7 years ago by
Resolution: | → worksforme |
---|---|
Status: | assigned → closed |
Please, reopen the bug if that's the case.
Thanks
comment:7 Changed 6 years ago by
Resolution: | worksforme |
---|---|
Status: | closed → reopened |
The bug is still not fixed in the current version 1.2.9.
comment:8 follow-up: 9 Changed 6 years ago by
Summary: | Incorrect processing of <ca></ca> contents in OpenVPN Connect (iOS) → iOS: Incorrect processing of <ca></ca> contents in OpenVPN Connect |
---|---|
Version: | → OpenVPN Connect for iOS v1.2.9 |
The OP said that he found a solution to this problem, therefore I guess that what you are seeing is something different? Could you please clarify and provide logs and configs?
Thanks!
comment:9 Changed 4 years ago by
Replying to Antonio:
The OP said that he found a solution to this problem, therefore I guess that what you are seeing is something different? Could you please clarify and provide logs and configs?
Thanks!
This bug still exists and is not fixed. All the original data remains the same (logs and configs are the same, except iOS/iPadOS versions and OpenVPN Connect 3.1.2 version (3096)).
comment:10 Changed 3 years ago by
Owner: | changed from Antonio Quartulli to OpenVPN Inc. |
---|---|
Status: | reopened → assigned |
comment:11 Changed 21 months ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).
Please resubmit - if still relevant - via https://support.openvpn.net/