Hi,

Martin Mokrejs wrote:
Hi,

David Sommerseth wrote:
On 08/06/10 18:24, Martin Mokrejs wrote:
Hi,
  I had a look into the original bug report I sent and the summary is this:
at some version openvpn implemented a more strict check for certificate
values and if the check fails one yields "unsupported certificate purpose"
message.
I figured out that few more allowed values have to be included in the
certificate so that openVPN does not complain anymore. Basically, the patch
synchronizes the current openVPN behavior with the easy-rsa/ tools.
Is it clearer now? I attached to the bug report at Gentoo an older version
of the patch to hopefully help you better with understanding what I tried.
What I believe should happen is that somebody documents better what requirements
are for the server/client certificates in openVPN. The patch(es) show what
fields you should describe in docs and some version of the patch be committed
over easy-rsa/openssl.cnf as well (or loosen the checks back in openVPN sources).
Martin
Ahoj Martin,

Thanks a lot for your patch and your investigations!  That is very much
appreciated!

Your issue was discussed in the last developers meeting (Thu June 3rd)
and it is not clear to us why you experience this problem.  I believe
Jan Just Keiser told that he had quite recently tested out easy-rsa-2.0
and he had no issues at all.

I am also running an OpenVPN server on a Gentoo box, even though on this
box I'm using TinyCA, so it is not directly comparable.  Anyhow, the
X509v3 extensions are not that far away from what I do see easy-rsa-2.0
should normally set:

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing

I do see, however, that you have mentioned Netscape Cert Type in
your bug report.

Could this be related to some trickery patches Gentoo does to OpenVPN or
OpenSSL?  Or that it is related to the OpenSSL version?

I have no idea what is patched on Gentoo and why, but I found lots of those
"unsupported certificate purpose" reports through Google, with very few real
answers. I don't believe it is Gentoo specific.


On the client:
I use net-misc/openvpn-2.1.0-r1, I see there are two patches applying to
my systems (no IPv6 patch):
        epatch "${FILESDIR}/${PN}-2.1_rc13-peercred.patch"
        epatch "${FILESDIR}/${PN}-2.1_rc20-pkcs11.patch"
I use dev-libs/openssl-0.9.8n.

On the server:
net-misc/openvpn-2.1.0-r1
dev-libs/openssl-0.9.8n


Would you mind sharing your configuration files and information about
the OpenSSL version you are using?

The client and server configs are attached.


here's what I just did:

- downloaded openssl 0.9.8n
- ran
 ./config shared
 make
on it
- reconfigured openvpn 2.1.1 to make use of this version of openssl
- ran
 ./configure ...
 make clean
 make
on it

- set up a new CA + server cert + client cert using unmodified easy-rsa 2.0 scripts from the openvpn distro
- set up client and server config files pretty much like the ones attached

Result: Both server and client start without problems. I can even add
 remote-cert-tls client
to the server config and the thing still starts. In other words: I cannot reproduce the bug.

When I took a closer look at the original Ubuntu bug report it suggests that the original server cert was not built correctly:

May 17 14:33:20 vrapenec openvpn[21477]: ++ Certificate has key usage  0080,
expects 00a0
May 17 14:33:20 vrapenec openvpn[21477]: ++ Certificate has key usage  0080,
expects 0088
May 17 14:33:20 vrapenec openvpn[21477]: VERIFY KU ERROR

the key usage found (0080) is for a *client* certificate, not a server certificate. The server certificate should have eku '00a0' set, as the log file later on in the bug report
shows.

Martin, can you
- use the stock easy-rsa scripts (i.e. not the ones from ubuntu)
- create a new CA and client cert and server cert (build-ca, build-key, build-key-server)
- rerun your test

If this still fails then Ubuntu may have added a patch that broke something.

cheers,

JJK

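To make the "Certificate has key usage 0080, expects 00a0" lines above easier to read, here is an added example (not OpenVPN's or easy-rsa's own code) that decodes the X509v3 keyUsage BIT STRING the way OpenVPN 2.1's key-usage check does and compares it against the values expected for each --remote-cert-tls role. The server expectations (00a0, 0088) are taken from the log above; the client list is assumed from the OpenVPN manual, so check the man page of your version. Sample DER values are constructed inline.

```python
# Added example, not OpenVPN code: mimic the --remote-cert-ku check.

# Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280, 4.2.1.3).
KU_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly",
}

# Expected ku values per --remote-cert-tls role (assumption: "server" from
# the log in this thread, "client" as documented in the OpenVPN manual).
EXPECTED_KU = {
    "server": [0x00A0, 0x0088],
    "client": [0x0080, 0x0008, 0x0088],
}

def parse_key_usage(der: bytes) -> int:
    """Decode a DER BIT STRING (tag 0x03) holding KeyUsage into the 16-bit
    'ku' value OpenVPN logs: the first content octet, with ASN.1 bit 0
    (digitalSignature) at 0x80, bit 2 (keyEncipherment) at 0x20, etc."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    if length == 1:
        return 0  # empty bit string: no usage bits at all
    first = der[3]
    if length == 2:  # the unused bits live in the last (here: only) octet
        first &= (0xFF << unused) & 0xFF
    return first

def ku_names(ku: int) -> list[str]:
    """Human-readable names for the bits set in a ku value."""
    return [name for bit, name in KU_BITS.items() if ku & (0x80 >> bit)]

def check_remote_cert_tls(der: bytes, role: str) -> tuple[bool, list[str]]:
    """Return (accepted, log lines) in the style of OpenVPN's handshake log."""
    ku = parse_key_usage(der)
    log = []
    for expected in EXPECTED_KU[role]:
        log.append(f"++ Certificate has key usage  {ku:04x}, expects {expected:04x}")
        if ku == expected:
            return True, log
    log.append("VERIFY KU ERROR")
    return False, log

# Constructed sample keyUsage extension values (the BIT STRING only).
SERVER_KU = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment
CLIENT_KU = bytes.fromhex("03020780")  # digitalSignature only
```

Running check_remote_cert_tls(CLIENT_KU, "server") reproduces the two "expects" lines and the VERIFY KU ERROR from the bug report, which is what a client-style certificate installed on the server side produces.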

Hi,

We discussed your bug report in last week's public IRC meeting:

<http://thread.gmane.org/gmane.network.openvpn.devel/3748>

In a nutshell, we had difficulties understanding what is required to
reproduce this bug. Unfortunately the discussion logs were lost so I
can't be any more specific. Would you like to help us understand this issue
by chatting with our devs on #openvpn-de...@irc.freenode.net? Or
alternatively by sending mail to openvpn-devel mailinglist:

<http://sourceforge.net/mail/?group_id=48978>

All the best,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

Martin Mokrejs wrote:
Hi,
  I think the easy-rsa/openssl.cnf file should be modified so that client
CERTs would match current openVPN expectations. Please see my bug report
at http://bugs.gentoo.org/show_bug.cgi?id=320171 . For convenience, I am
attaching the patch here. Did I get it right what has to be done? Would
someone fix the HOWTO and FAQ documentation to describe the keyUsage
fields and what is actually required for what? There is too many hit
