Opened 6 years ago
Closed 16 months ago
#966 closed Bug / Defect (fixed)
Expired certificate used from Windows trust store
| Reported by: | hrubsa | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.4.9 |
| Component: | Certificates | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | windows cryptoapicert expired |
| Cc: |
Description
When using cryptoapicert witch SUBJ selector, OpenVPN doesn't check validity of the certificate.
Consider a situation, where a user has 2 certificates with the same subject (actually the same DN, but it doesn't matter with SUBJ selector):
SUBJ="John Doe", expiration="1900-01-01"
SUBJ="John Doe", expiration="2999-12-31"
OpenVPN selects the first one (either every time because it's the older one and first in the list of user's certificates or in a random matter) and the server rejects the connection as the certificate has expired.
Expected behaviour: OpenVPN skips expired certificates as they aren't usable for authentication.
Under the current behaviour, the user has to delete expired certificates for OpenVPN to work. However, deleting them isn't a proper soulution as they are used used for decryption of e.g. older emails. Additionally, it's cumbersome to require clients to open MMC and delete something they don't fully understand...
Change History (3)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
This hit me the other day on adding a renewed certificate to a Windows host. A patch that picks the first valid (time-wise) cert is here: https://patchwork.openvpn.net/patch/269/
comment:3 Changed 16 months ago by
| Milestone: | → release 2.4.9 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
So these patches have been merged - quite a while ago
commit 7b63984d51a2582ba2d406e46a7debb11df7f478 (master)
Author: Selva Nair <selva.nair@…>
Date: Wed Feb 12 10:06:06 2020 -0500
Skip expired certificates in Windows certificate store
which is part of 2.5.0 and up (not 2.4). There also is a 2.4 backport
commit 4658b3b6f6008eea1819ea26a46fd46df87b1030
Author: Selva Nair <selva.nair@…>
Date: Wed Feb 12 10:06:06 2020 -0500
Skip expired certificates in Windows certificate store
which is part of 2.4.9 and up.
So I claim this has been fixed :-) - and will proceed to close the ticket.
--cryptoapicertoption assumes that the argument uniquely identifies the certificate. If there are multiple certs in the store with the same subject, use the thumbprint instead:--cryptoapicert "THUMB:xx yy zz ...". The whole thumbprint (20 bytes as hex) is required and may be copy-pasted from the certificate properties.