Opened 3 years ago, last modified 3 years ago

#966 new Bug / Defect

Expired certificate used from Windows trust store

Reported by: hrubsa
Owned by:
Priority: major
Milestone:
Component: Certificates
Version:
Severity: Not set
Keywords: windows cryptoapicert expired


When using cryptoapicert with the SUBJ selector, OpenVPN doesn't check the validity of the certificate.

Consider a situation, where a user has 2 certificates with the same subject (actually the same DN, but it doesn't matter with SUBJ selector):
SUBJ="John Doe", expiration="1900-01-01"
SUBJ="John Doe", expiration="2999-12-31"

OpenVPN selects the first one (either every time because it's the older one and first in the list of the user's certificates, or in a random manner) and the server rejects the connection as the certificate has expired.

Expected behaviour: OpenVPN skips expired certificates as they aren't usable for authentication.

Under the current behaviour, the user has to delete expired certificates for OpenVPN to work. However, deleting them isn't a proper solution as they are used for decryption of e.g. older emails. Additionally, it's cumbersome to require clients to open MMC and delete something they don't fully understand...

Change History (2)

comment:1 Changed 3 years ago by Selva Nair

--cryptoapicert option assumes that the argument uniquely identifies the certificate. If there are multiple certs in the store with the same subject, use the thumbprint instead: --cryptoapicert "THUMB:xx yy zz ...". The whole thumbprint (20 bytes as hex) is required and may be copy-pasted from the certificate properties.

comment:2 Changed 3 years ago by Selva Nair

This hit me the other day on adding a renewed certificate to a Windows host. A patch that picks the first valid (time-wise) cert is here:
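The patch link itself is absent from the ticket as captured. What follows is an added Python model of the selection rule the two comments describe (it is not OpenVPN's cryptoapi code nor the patch): a SUBJ or THUMB selector is resolved against a constructed store, with `skip_expired=False` reproducing the reported behaviour and `skip_expired=True` the fix. The substring semantics of SUBJ and the tolerated thumbprint spellings are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a Windows store entry (constructed, not CryptoAPI)."""
    subject: str
    thumbprint: bytes          # SHA-1 of the DER encoding, 20 bytes
    not_before: datetime
    not_after: datetime

def parse_thumbprint(arg: str) -> bytes:
    """Parse the THUMB argument ("xx yy zz ...", 20 hex bytes); colons are also accepted (assumption)."""
    raw = bytes.fromhex(arg.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("THUMB selector needs the whole 20-byte thumbprint")
    return raw

def select_cert(store: List[Cert], selector: str, now: datetime,
                skip_expired: bool = True) -> Optional[Cert]:
    """Pick the certificate a 'SUBJ:' or 'THUMB:' selector resolves to.

    skip_expired=False models the behaviour in the ticket (first match wins,
    even when it is no longer time-valid); True models the comment-2 fix.
    """
    kind, _, value = selector.partition(":")
    if kind == "SUBJ":
        # Substring match on the subject (assumed to mirror CryptoAPI's
        # CERT_FIND_SUBJECT_STR); store order is preserved.
        candidates = [c for c in store if value in c.subject]
    elif kind == "THUMB":
        wanted = parse_thumbprint(value)
        candidates = [c for c in store if c.thumbprint == wanted]
    else:
        raise ValueError(f"unsupported selector: {kind}")
    for cert in candidates:
        if not skip_expired or cert.not_before <= now <= cert.not_after:
            return cert
    return None

# Constructed store mirroring the ticket: an expired and a current cert, same subject.
STORE = [
    Cert("CN=John Doe", bytes.fromhex("11" * 20),
         datetime(1899, 1, 1, tzinfo=timezone.utc), datetime(1900, 1, 1, tzinfo=timezone.utc)),
    Cert("CN=John Doe", bytes.fromhex("22" * 20),
         datetime(2019, 1, 1, tzinfo=timezone.utc), datetime(2999, 12, 31, tzinfo=timezone.utc)),
]
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
```

With the validity check off, `SUBJ:John Doe` returns the expired entry exactly as the report describes; with it on, the current certificate is chosen, and a THUMB selector pointing at the expired one returns nothing rather than an unusable certificate.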
