Opened 5 years ago

Closed 5 weeks ago

#966 closed Bug / Defect (fixed)

Expired certificate used from Windows trust store

Reported by: hrubsa Owned by:
Priority: major Milestone: release 2.4.9
Component: Certificates Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: windows cryptoapicert expired


When using cryptoapicert with the SUBJ selector, OpenVPN doesn't check the validity of the certificate.

Consider a situation, where a user has 2 certificates with the same subject (actually the same DN, but it doesn't matter with SUBJ selector):
SUBJ="John Doe", expiration="1900-01-01"
SUBJ="John Doe", expiration="2999-12-31"

OpenVPN selects the first one (either every time because it's the older one and first in the list of user's certificates, or in a random manner) and the server rejects the connection as the certificate has expired.

Expected behaviour: OpenVPN skips expired certificates as they aren't usable for authentication.

Under the current behaviour, the user has to delete expired certificates for OpenVPN to work. However, deleting them isn't a proper solution as they are used for decryption of e.g. older emails. Additionally, it's cumbersome to require clients to open MMC and delete something they don't fully understand...

Change History (3)

comment:1 Changed 5 years ago by Selva Nair

--cryptoapicert option assumes that the argument uniquely identifies the certificate. If there are multiple certs in the store with the same subject, use the thumbprint instead: --cryptoapicert "THUMB:xx yy zz ...". The whole thumbprint (20 bytes as hex) is required and may be copy-pasted from the certificate properties.
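
As an added example (not from the ticket or from OpenVPN's own code), a PowerShell snippet that does what comment:1 recommends by hand: it lists the certificates in the user's MY store whose subject contains the SUBJ string, marks the ones that are expired or not yet valid, and prints the thumbprint of the first time-valid one with a private key in the --cryptoapicert THUMB form. The substring match on Subject is only an approximation of OpenVPN's subject search; the subject 'John Doe' and the store path are assumptions.

```powershell
# Added example, not part of the ticket or of OpenVPN.
# Finds the time-valid certificate for a given SUBJ string and emits the
# THUMB selector from comment:1 so the expired duplicate is never picked.
param(
    [string]$SubjectSubstring = 'John Doe',      # assumed: the value you would pass as SUBJ:
    [string]$StorePath = 'Cert:\CurrentUser\My'  # assumed: the per-user MY store OpenVPN searches
)

$now = Get-Date

# Approximation of OpenVPN's subject search: case-insensitive substring match.
$candidates = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like "*$SubjectSubstring*" } |
    Sort-Object NotAfter

foreach ($cert in $candidates) {
    $state = if ($now -lt $cert.NotBefore)   { 'NOT-YET-VALID' }
             elseif ($now -gt $cert.NotAfter) { 'EXPIRED' }
             else                             { 'valid' }
    '{0,-13} {1}  notAfter={2:yyyy-MM-dd}  privateKey={3}' -f `
        $state, $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey
}

# The certificate OpenVPN should be told to use: inside its validity window
# and backed by a private key (a public-only copy cannot authenticate).
$usable = $candidates |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now -and $_.HasPrivateKey } |
    Select-Object -First 1

if ($usable) {
    # Format the 20-byte SHA-1 thumbprint as space-separated hex pairs,
    # the form shown in comment:1.
    $spaced = ($usable.Thumbprint -replace '(..)', '$1 ').Trim()
    "cryptoapicert `"THUMB:$spaced`""
} else {
    Write-Warning "No time-valid certificate with a private key matches '$SubjectSubstring' in $StorePath"
}
```

Run it in the account that will start OpenVPN, since the per-user MY store differs between users; the printed line can be dropped into the client config in place of the SUBJ selector.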

comment:2 Changed 5 years ago by Selva Nair

This hit me the other day on adding a renewed certificate to a Windows host. A patch that picks the first valid (time-wise) cert is here:

comment:3 Changed 5 weeks ago by Gert Döring

Milestone: release 2.4.9
Resolution: fixed
Status: new → closed

So these patches have been merged - quite a while ago

commit 7b63984d51a2582ba2d406e46a7debb11df7f478 (master)
Author: Selva Nair <selva.nair@…>
Date: Wed Feb 12 10:06:06 2020 -0500

Skip expired certificates in Windows certificate store

which is part of 2.5.0 and up (not 2.4). There also is a 2.4 backport

commit 4658b3b6f6008eea1819ea26a46fd46df87b1030
Author: Selva Nair <selva.nair@…>
Date: Wed Feb 12 10:06:06 2020 -0500

Skip expired certificates in Windows certificate store

which is part of 2.4.9 and up.

So I claim this has been fixed :-) - and will proceed to close the ticket.
