Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#913 closed Bug / Defect (notabug)

OpenVPN cannot use standard CA root file on FreeBSD

Reported by: pirzyk Owned by:
Priority: major Milestone:
Component: Certificates Version: OpenVPN 2.4.3 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Steffan Karger, mandree, Eric Crist

Description

When you use the default CA root file on FreeBSD (ca-root-nss.crt) it will fail to load with the error "Cannot load CA certificate file /usr/local/share/certs/ca-root-nss.crt (only 169 of 170 entries were valid X509 names)"

The problem was tracked down to having 2 certificates with the same Subject (but different serials). StartCom Ltd. has 2 CA certs (one is SHA1, the other is SHA256):

Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority

Removing one of them from the CA file allows OpenVPN to startup.

See also https://forums.freebsd.org/threads/60254/ for details.
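The failure described in this report is a Subject-name collision inside the CA bundle. The script below is an added example (not part of this ticket and not OpenVPN's own code) that shows how an operator can audit any file given to the `ca` directive before starting the daemon: it parses a PEM bundle with a small standard-library DER reader, groups the certificates by the raw DER encoding of their Subject, and returns the total and distinct counts together with the colliding Subjects and their positions in the file. The sample bundle at the end is constructed: three unsigned, certificate-shaped DER blobs produced by the `fake_cert` helper (they are not real certificates and would not load in OpenSSL), two of which reuse the StartCom Subject quoted above with different serials.

```python
import base64
import re
from collections import defaultdict

def tlv(tag, content):
    """Encode one DER element (only needed to build the constructed sample)."""
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Split constructed content buf[start:end] into (tag, tlv_start, val_start, val_end) tuples."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out

def decode_oid(raw):
    """Dotted-string form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def name_to_str(name_tlv):
    """Render a DER Name as 'C=IL, O=..., CN=...' (the order OpenSSL prints)."""
    _, ns, ne = read_tlv(name_tlv, 0)
    parts = []
    for _, _, rs, rend in children(name_tlv, ns, ne):            # RelativeDistinguishedName (SET)
        for _, _, as_, aend in children(name_tlv, rs, rend):     # AttributeTypeAndValue (SEQUENCE)
            oid_el, val_el = children(name_tlv, as_, aend)
            oid = decode_oid(name_tlv[oid_el[2]:oid_el[3]])
            value = name_tlv[val_el[2]:val_el[3]].decode("utf-8", "replace")
            parts.append(f"{SHORT_NAMES.get(oid, oid)}={value}")
    return ", ".join(parts)

def subject_der(cert_der):
    """Raw DER of the Subject Name inside an X.509 certificate."""
    _, cs, _ = read_tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    _, ts, te = read_tlv(cert_der, cs)                 # TBSCertificate ::= SEQUENCE
    fields = children(cert_der, ts, te)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, tlv_start, _, val_end = fields[4]
    return cert_der[tlv_start:val_end]

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(pem_bytes):
    """All certificates in a PEM bundle, as DER byte strings, in file order."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_CERT.finditer(pem_bytes)]

def audit_bundle(pem_bytes):
    """Return (total_entries, distinct_subjects, {subject: [indexes]}) for colliding Subjects."""
    certs = pem_certs(pem_bytes)
    by_subject = defaultdict(list)
    for i, der in enumerate(certs):
        by_subject[subject_der(der)].append(i)
    dups = {name_to_str(s): idx for s, idx in by_subject.items() if len(idx) > 1}
    return len(certs), len(by_subject), dups

def fake_cert(subject, serial):
    """Constructed sample only: an unsigned, certificate-shaped DER blob, PEM-wrapped."""
    def attr(oid, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode())))
    name = tlv(0x30, b"".join(attr(o, v) for o, v in subject))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))          # [0] version v3
              + tlv(0x02, bytes([serial]))                 # serialNumber
              + tlv(0x30, b"") + name + tlv(0x30, b"")     # signature alg, issuer, validity (placeholders)
              + name + tlv(0x30, b""))                     # subject, subjectPublicKeyInfo (placeholder)
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

C, O, OU, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x0b", b"\x55\x04\x03"
STARTCOM_SUBJECT = ((C, "IL"), (O, "StartCom Ltd."), (OU, "Secure Digital Certificate Signing"),
                    (CN, "StartCom Certification Authority"))   # the Subject quoted in the ticket
OTHER_SUBJECT = ((C, "US"), (O, "Example CA Inc."), (CN, "Example Root CA"))  # constructed
# Two entries share the StartCom Subject under different serials, as in the reported bundle.
SAMPLE_BUNDLE = fake_cert(STARTCOM_SUBJECT, 1) + fake_cert(OTHER_SUBJECT, 2) + fake_cert(STARTCOM_SUBJECT, 45)
```

Against the sample, `audit_bundle(SAMPLE_BUNDLE)` reports 2 distinct Subjects out of 3 entries and lists the StartCom Subject at positions 0 and 2; on a real system the same call on `open('/usr/local/share/certs/ca-root-nss.crt', 'rb').read()` names the pair to look at. The comparison is on raw DER bytes, so two Subjects that differ only in string encoding are reported as distinct even where OpenSSL's name comparison would canonicalize them to equal: the audit can miss a collision, but never reports a false one.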

Attachments (4)

openvpn.log (1.4 KB) - added by pirzyk 3 years ago.
Log file
server.conf (10.7 KB) - added by pirzyk 3 years ago.
existing config file
ca-root-nss.crt.aa.gz (195.9 KB) - added by pirzyk 3 years ago.
CA Root file (Part 1)
ca-root-nss.crt.ab.gz (195.5 KB) - added by pirzyk 3 years ago.
CA Root file (Part 2)


Change History (6)

Changed 3 years ago by pirzyk

Attachment: openvpn.log added

Log file

Changed 3 years ago by pirzyk

Attachment: server.conf added

existing config file

Changed 3 years ago by pirzyk

Attachment: ca-root-nss.crt.aa.gz added

CA Root file (Part 1)

Changed 3 years ago by pirzyk

Attachment: ca-root-nss.crt.ab.gz added

CA Root file (Part 2)

comment:1 Changed 3 years ago by Gert Döring

Cc: Steffan Karger mandree added
Resolution: notabug
Status: new → closed

This is not something we're going to invest any amount of effort in.

Why? Because you are not supposed to trust 169 random entities for your VPN security, and this is why we're not using a default CA store for CA trust - you trust the CA cert that has issued your VPN certificates, and nobody else.

comment:2 Changed 3 years ago by Eric Crist

Cc: Eric Crist added