Opened 8 months ago

Last modified 6 months ago

#957 accepted Bug / Defect

X509v3 Name Constraints cause issues with recent OpenVPN Connect versions

Reported by: sysadmin-htlleonding Owned by: Antonio
Priority: major Milestone:
Component: OpenVPN Connect Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Since the recent OpenVPN Connect update our students are unable to connect to the OpenVPN server:

OpenVPN core error: mbed TLS: error parsing ca certificate: X509 - The extension tag or value is invalid: ASN1 - ASN1 tag was of an unexpected value.

Testing with mbedTLS 2.6.0 on a Linux computer with
mbedtls_cert_app ca_file=cacertwithdns.pem mode=file
shows
mbedtls_x509_crt_parse returned -0x2562

With a modified version you see that it finds an unknown critical extension and bails out.

It seems that it doesn't support X509v3 Name Constraints.

In my opinion OpenVPN Connect should use a modified version of mbedTLS which ignores the X509v3 Name Constraints extension as long as they aren't supported by mbedTLS (DNS checks should be handled by OpenVPN directly) and gives a warning to the user and then the option to decide whether he/she wants to connect anyway.

Probably you won't see many CAs with name constraints extensions in the wild, but they are useful when you want to create your own CA and protect your users and yourself from abuse (your own CA should only be able to create certificates for your domain and should not be misused for creating certificates for other domains).
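To see what the parser is tripping over, the following added example (not code from the ticket, OpenVPN Connect or mbedTLS) walks an X.509 v3 Extensions SEQUENCE in DER, lists each extension's OID and critical flag, reports any critical extension outside an assumed set of OIDs the old mbedTLS understands, and decodes the permitted dNSName subtrees of a Name Constraints extension. The sample DER is constructed inline with a tiny encoder so it runs offline; the set `SUPPORTED_BY_OLD_MBEDTLS` is an assumption for illustration, not taken from the mbedTLS source.

```python
"""Inspect X.509 v3 extensions for critical ones a parser may not support.

Added example; the DER input is constructed below, not one of the ticket's
attachments. Only the subset of DER needed here is implemented.
"""
from dataclasses import dataclass

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_NAME_CONSTRAINTS = "2.5.29.30"
# Assumed approximation of what an older mbedTLS recognises (key usage,
# extended key usage, subject alt name, basic constraints); illustrative only.
SUPPORTED_BY_OLD_MBEDTLS = {"2.5.29.15", "2.5.29.37", "2.5.29.17", OID_BASIC_CONSTRAINTS}


# ---- minimal DER encoder, used only to build the constructed sample ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def enc_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))


def extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = enc_oid(oid)
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))


def build_sample(with_name_constraints: bool = True) -> bytes:
    """Constructed Extensions SEQUENCE: CA:TRUE plus, optionally, a critical
    nameConstraints permitting only dNSName '.example.org'."""
    basic = extension(OID_BASIC_CONSTRAINTS, True, tlv(0x30, tlv(0x01, b"\xff")))
    if not with_name_constraints:
        return tlv(0x30, basic)
    subtree = tlv(0x30, tlv(0x82, b".example.org"))   # GeneralSubtree { base: [2] dNSName }
    name_constraints = tlv(0x30, tlv(0xA0, subtree))  # NameConstraints { permittedSubtrees [0] }
    return tlv(0x30, basic + extension(OID_NAME_CONSTRAINTS, True, name_constraints))


# ---- minimal DER decoder ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body: bytes) -> str:
    parts = [body[0] // 40, body[0] % 40]   # adequate for the 2.5.29.x arcs used here
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


@dataclass
class Ext:
    oid: str
    critical: bool
    value: bytes


def parse_extensions(der: bytes) -> list:
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional critical BOOLEAN
            critical = val == b"\xff"
            _, val, p = read_tlv(ext, p)
        exts.append(Ext(dec_oid(oid_body), critical, val))
    return exts


def permitted_dns_names(nc_value: bytes) -> list:
    """Decode the dNSName entries of permittedSubtrees [0]; excludedSubtrees [1] are skipped."""
    _, body, _ = read_tlv(nc_value, 0)      # NameConstraints SEQUENCE
    names, pos = [], 0
    while pos < len(body):
        tag, subtrees, pos = read_tlv(body, pos)
        if tag != 0xA0:
            continue
        p = 0
        while p < len(subtrees):
            _, general_subtree, p = read_tlv(subtrees, p)
            name_tag, name_val, _ = read_tlv(general_subtree, 0)
            if name_tag == 0x82:            # [2] dNSName, IA5String
                names.append(name_val.decode("ascii"))
    return names


def check_ca_extensions(der: bytes):
    """Return (critical OIDs an old parser would reject, permitted dNSName constraints)."""
    exts = parse_extensions(der)
    rejected = [e.oid for e in exts if e.critical and e.oid not in SUPPORTED_BY_OLD_MBEDTLS]
    dns = []
    for e in exts:
        if e.oid == OID_NAME_CONSTRAINTS:
            dns = permitted_dns_names(e.value)
    return rejected, dns


if __name__ == "__main__":
    print(check_ca_extensions(build_sample()))
```

Run against the constructed sample, the check reports `2.5.29.30` as the only critical extension outside the assumed supported set, which is the situation the reporter describes: RFC 5280 requires a verifier to reject a certificate carrying a critical extension it cannot process, so a CA with a critical Name Constraints extension is unusable with a parser that lacks support for it, while the same CA without that extension parses cleanly.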

Attachments (3)

ca.crt (13.2 KB) - added by sysadmin-htlleonding 8 months ago.
Original CA file
cacertwithoutdns.pem (7.4 KB) - added by sysadmin-htlleonding 8 months ago.
CA without Name Constraints
cacertwithdns.pem (7.6 KB) - added by sysadmin-htlleonding 8 months ago.
CA with only DNS as name constraint


Change History (9)

Changed 8 months ago by sysadmin-htlleonding

Attachment: ca.crt added

Original CA file

Changed 8 months ago by sysadmin-htlleonding

Attachment: cacertwithoutdns.pem added

CA without Name Constraints

Changed 8 months ago by sysadmin-htlleonding

Attachment: cacertwithdns.pem added

CA with only DNS as name constraint

comment:1 Changed 8 months ago by sysadmin-htlleonding

The attachments ca.crt and cacert*.pem unfortunately aren't from the same CA (different public keys). But they can still be used for verifying the error codes of mbedTLS.

comment:2 Changed 8 months ago by Antonio

Hello and thank you for the bug report.
I am glad you already did most (if not all) of the analysis.

As far as I am concerned you are the first user to report such a problem, hence nobody has ever looked into patching the mbedTLS package we ship to support that.

Having x509v3 support in mbedTLS (upstream) would be the best solution, but it seems they are a bit reluctant to add so much complexity for setups that are used by just a few people.

I have found this forum thread where they talk a bit more about their policy about this problem: https://tls.mbed.org/discussions/feature-request/supported-for-x-509-name-constraints-extension

I will submit your request into our internal feature tracker, however, I have to be honest and say that the priority will still be somewhat low compared to other changes as this problem is not affecting a significant portion of our userbase.

Still, I agree that just ignoring the name constraint extension might be a quick workaround which might be implemented as first step.

comment:3 Changed 8 months ago by Antonio

Owner: set to Antonio
Status: new → accepted

comment:4 Changed 6 months ago by Antonio

Is this still a problem with the latest release?

comment:5 in reply to: 4 Changed 6 months ago by Antonio

Replying to ordex:

Is this still a problem with the latest release?

Actually it is, because mbedTLS hasn't changed anything about that.

comment:6 Changed 6 months ago by stipa

@sysadmin-htlleonding Do you actually follow those name constraints? Could you provide your server certificate?
