Opened 4 years ago

Last modified 10 months ago

#540 reopened Bug / Defect

iOS: Incorrect processing of <ca></ca> contents in OpenVPN Connect

Reported by: fufel Owned by: Antonio
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for iOS v1.2.9
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: ios, ipad, iphone, OpenVPN Connect
Cc:

Description

OpenVPN Connect doesn't extract certificate chains from <ca></ca>. The unified configuration file format is used.
We have this config:

remote my.domain.com 443
client
dev tun
proto tcp
persist-remote-ip
nobind
persist-key
persist-tun
cipher AES-256-CBC
remote-cert-tls server
redirect-gateway def1
tls-timeout 4
comp-lzo
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
..
-----END RSA PRIVATE KEY-----
</key>

When trying to connect with OpenVPN Connect on iOS and Android we have the following error on the client side:

2015-12-12 23:23:23 TCP recv EOF
2015-12-12 23:23:23 Transport Error: Transport error on 'my.domain.com: NETWORK_EOF_ERROR

on the server side:

2015-12-12 23:23:23 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=2323
2015-12-12 23:23:23 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This config file works perfectly on OpenVPN GUI and OpenVPN for Android. If we issue the client certificate without the intermediate certificate, then OpenVPN Connect works fine.

Change History (8)

comment:1 Changed 4 years ago by Samuli Seppänen

Owner: set to jamesyonan
Status: new → assigned

comment:2 Changed 4 years ago by Samuli Seppänen

Milestone: release 1.0.5

comment:3 Changed 2 years ago by lanopop

I have the exact same problem. I need to put the full certificate chain in the .ovpn file, otherwise my vpn connection will not work. So this is the reason why there are multiple certs in the <ca> tag.

This works on Windows with the OpenVPN GUI; just on Apple iOS it doesn't.

Sat Oct  1 07:11:57 2016 TLS: Initial packet from [AF_INET6]::ffff:1.1.1.1:62867, sid=xxx xxx
Sat Oct  1 07:11:58 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=xxx, ST=xxx, O=xxx, CN=xxx
Sat Oct  1 07:11:58 2016 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Oct  1 07:11:58 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sat Oct  1 07:11:58 2016 TLS Error: TLS object -> incoming plaintext read error
Last edited 2 years ago by lanopop

comment:4 in reply to:  3 Changed 2 years ago by lanopop

Replying to lanopop:

I have the exact same problem. I need to put the full certificate chain in the .ovpn file, otherwise my vpn connection will not work. So this is the reason why there are multiple certs in the <ca> tag.

This works on Windows with the OpenVPN GUI; just on Apple iOS it doesn't.

Sat Oct  1 07:11:57 2016 TLS: Initial packet from [AF_INET6]::ffff:1.1.1.1:62867, sid=xxx xxx
Sat Oct  1 07:11:58 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=xxx, ST=xxx, O=xxx, CN=xxx
Sat Oct  1 07:11:58 2016 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Oct  1 07:11:58 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sat Oct  1 07:11:58 2016 TLS Error: TLS object -> incoming plaintext read error

So forget what I wrote before, because I figured out what the problem was for me... You are not allowed to use the same OU Name for your root and intermediate certificate. Otherwise OpenVPN will tell you

Cannot load CA certificate file [[INLINE]] (entry 2 did not validate)
Cannot load CA certificate file [[INLINE]] (only 1 of 2 entries were valid X509 names)
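Added example (not code from the ticket, from OpenVPN Connect, or from OpenVPN itself): a stdlib-only Python check that does what the description expects a client to do with a unified profile, namely split every PEM entry inside <ca> and chain <cert> back to a self-signed root by subject and issuer name. A leaf whose issuer is missing from the bundle is reported the way the server logs above report it at depth 0, and CA entries whose whole subject DN collides are flagged, which is the condition behind the "only 1 of 2 entries were valid X509 names" message quoted in comment:4 (it is the complete subject name that must be distinct; the OU is one component of it). The toy_cert_pem and toy_profile helpers, the CN values and the profile text they build are constructed test material, not real certificates; the check parses names only and verifies no signatures.

```python
"""Added example: parse a unified OpenVPN profile, split the PEM entries in <ca>,
and check that <cert> chains into that bundle by subject/issuer name (stdlib only)."""
import base64
import re

INLINE_RE = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("0603550403")  # DER of OBJECT IDENTIFIER 2.5.4.3 (commonName)

def inline_blocks(profile):
    """Return {tag: body} for every inline <tag>...</tag> block in the profile."""
    return {m.group(1): m.group(2) for m in INLINE_RE.finditer(profile)}

def pem_certs(block):
    """Split a block holding one or more PEM certificates into DER blobs."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(block)]

def _tlv(buf, pos):
    """Decode the DER element at pos: (tag, content, whole encoding, next pos)."""
    tag, first, start = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: low bits = number of length bytes
        start += first & 0x7F
        length = int.from_bytes(buf[pos + 2:start], "big")
    else:
        length = first
    return tag, buf[start:start + length], buf[pos:start + length], start + length

def cert_names(der):
    """Return (subject, issuer) as raw DER Name encodings of a certificate."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]         # Certificate -> tbsCertificate
    tag, _, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0            # [0] EXPLICIT version is optional
    for _ in range(2):                         # skip serialNumber and signature alg
        pos = _tlv(tbs, pos)[3]
    _, _, issuer, pos = _tlv(tbs, pos)         # issuer Name
    pos = _tlv(tbs, pos)[3]                    # skip validity
    return _tlv(tbs, pos)[2], issuer           # subject Name

def common_name(name_der):
    """Pull the commonName out of a DER Name, or "?" if it has none."""
    rdns, pos = _tlv(name_der, 0)[1], 0
    while pos < len(rdns):
        _, rdn, _, pos = _tlv(rdns, pos)       # RelativeDistinguishedName (SET)
        atv = _tlv(rdn, 0)[1]                  # first AttributeTypeAndValue
        if atv.startswith(OID_CN):
            return _tlv(atv, len(OID_CN))[1].decode("utf-8", "replace")
    return "?"

def check_profile(profile):
    """Count <ca> entries, walk <cert> up to a self-signed root, list what breaks."""
    blocks = inline_blocks(profile)
    cas = pem_certs(blocks.get("ca", ""))
    leafs = pem_certs(blocks.get("cert", ""))
    subjects = [cert_names(c)[0] for c in cas]
    issues, chain = [], []
    if len(set(subjects)) != len(subjects):    # two CA entries with the same DN
        issues.append("duplicate subject names in <ca>")
    if not leafs:
        issues.append("no certificate in <cert>")
        return {"ca_count": len(cas), "chain": chain, "issues": issues}
    subject, issuer = cert_names(leafs[0])
    chain.append(common_name(subject))
    while subject != issuer and len(chain) < 16:   # stop at a self-signed root (or a loop)
        parent = next((c for c in cas if cert_names(c)[0] == issuer), None)
        if parent is None:                     # the server's "depth=0 ... local issuer" case
            issues.append("no issuer for CN=%s in <ca>" % common_name(subject))
            break
        subject, issuer = cert_names(parent)
        chain.append(common_name(subject))
    return {"ca_count": len(cas), "chain": chain, "issues": issues}

# Constructed test material (assumption: not real certificates). DER skeletons with the
# TBSCertificate fields in order and empty placeholders for algorithm, key and signature.
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, OID_CN + _enc(0x0C, cn.encode()))))

def toy_cert_pem(subject_cn, issuer_cn):
    validity = _enc(0x30, _enc(0x17, b"200101000000Z") + _enc(0x17, b"300101000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + _name(issuer_cn) + validity + _name(subject_cn) + _enc(0x30, b""))
    b64 = base64.b64encode(_enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def toy_profile(ca_pairs, leaf_pair):
    """Unified profile like the ticket's, built from (subject CN, issuer CN) pairs."""
    ca = "".join(toy_cert_pem(*p) for p in ca_pairs)
    return "client\ndev tun\n<ca>\n%s</ca>\n<cert>\n%s</cert>\n" % (ca, toy_cert_pem(*leaf_pair))

if __name__ == "__main__":
    chain_ok = [("Root CA", "Root CA"), ("Intermediate CA", "Root CA")]
    print(check_profile(toy_profile(chain_ok, ("client", "Intermediate CA"))))
    print(check_profile(toy_profile(chain_ok[:1], ("client", "Intermediate CA"))))
```

To run it on a real profile, call check_profile(open(path).read()); the DER walker reads only the Name fields, so it handles real certificates, but a clean result says nothing about signatures or validity dates, which is what openssl verify -CAfile is for.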

comment:5 Changed 13 months ago by Antonio

Owner: changed from jamesyonan to Antonio

v1.2.6 has just been launched on the App Store. Could you please test that version and let us know if the bug is still there?

comment:6 Changed 13 months ago by Antonio

Resolution: worksforme
Status: assigned → closed

Please, reopen the bug if that's the case.
Thanks

comment:7 Changed 10 months ago by fufel

Resolution: worksforme
Status: closed → reopened

The bug is still not fixed in the current version 1.2.9.

comment:8 Changed 10 months ago by Antonio

Summary: changed from "Incorrect processing of <ca></ca> contents in OpenVPN Connect (iOS)" to "iOS: Incorrect processing of <ca></ca> contents in OpenVPN Connect"
Version: OpenVPN Connect for iOS v1.2.9

The OP said that he found a solution to this problem, therefore I guess that what you are seeing is something different? Could you please clarify and provide logs and configs?
Thanks!
