Soo... I did some more digging and I think I've found the thing. The
problem occurs ONLY when the CN appears first in the certificate's
subject, like this:

write(1, "Fri Dec  3 15:08:12 2010 us=921796 89.136.48.193:48274 VERIFY
OK: depth=0,
/CN=ximi3/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/emailaddress=gi...@narancs.net\n",
147) = 147

Notice the CN=ximi3 is the first and the result is:

open("ccd/UNDEF", O_RDONLY)             = -1 ENOENT (No such file or
directory)

If the CN is not the first, everything is alright:

write(1, "Fri Dec  3 15:09:13 2010 us=139668 89.136.48.193:40757 VERIFY OK: 
depth=0, 
/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/CN=ximi2/emailaddress=gi...@narancs.net\n", 
147) = 147
write(1, "Fri Dec  3 15:09:13 2010 us=276204 89.136.48.193:40757 [ximi2] Peer 
Connection Initiated with 89.136.48.193:40757\n", 114) = 114
open("ccd/ximi2", O_RDONLY)             = 6

The problem is hard to find because when you generate the certificates
with the included easy-rsa scripts, the order of the fields in the
generated certificate is:

r...@ds9:/etc/openvpn/easy-rsa# cat /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

What I did was I moved the CN to the beginning:

r...@ds9:/etc/openvpn/easy-rsa# cat openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
commonName              = supplied  <----
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
emailAddress            = optional

So now my generated certificate had the CN at the front. I'm guessing
the bug reporters used some other tools to generate their certificates,
which put the CN at the front, as in this example from the mailing
list; look at the strace output from Jonathan:

http://sourceforge.net/mailarchive/message.php?msg_name=dac97fdc77ef4700eab65450a4fc2451%40127001.org

write(1, "Thu Sep  4 23:49:13 2008 us=5872"..., 189Thu Sep  4 23:49:13 2008
us=587265 87.127.168.35:55835 VERIFY OK: depth=0,
/CN=lifeless-jupiter/ST=ED/C=UK
/emailaddress=ad...@127001.org/O=localhost/OU=localhost_OpenVPN_client_certificate
) = 189

There you have the repro for it, just modify the Ubuntu-included
openssl.cnf and generate a certificate in which the CN is first.

I can confirm this bug in 2.1~rc7-1ubuntu3.5 on Hardy.
Please re-add the fix and get it in -proposed, I'll be happy to test it.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in ubuntu.
https://bugs.launchpad.net/bugs/265058

Title:
  [SRU] openvpn2.1~rc7 fails to pick up the CN of certificates

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
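An added example, not code from this bug report or from OpenVPN itself: a small Python parser for the one-line subject format that OpenVPN's "VERIFY OK" line prints, fed the two subjects from the strace output above (plus one constructed subject with no CN at all). It extracts the CN regardless of where it sits in the subject and maps it to the ccd/ file name, and beside it is an illustrative position-dependent extractor (my own construction, not OpenVPN's code) that misses a leading CN, which is the observable behaviour this report describes: the client falls through to ccd/UNDEF and its per-client config (iroute, ifconfig-push, push options) silently does not apply. The character whitelist applied before building the file name is an assumption about what a safe CN looks like, not OpenVPN's rule.

```python
import re
from typing import List, Optional, Tuple

# Subjects copied from the VERIFY OK lines in this bug report
SUBJECT_CN_FIRST = "/CN=ximi3/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/emailaddress=gi...@narancs.net"
SUBJECT_CN_MIDDLE = "/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/CN=ximi2/emailaddress=gi...@narancs.net"
# Constructed for this example: a subject with no commonName at all
SUBJECT_NO_CN = "/C=RO/O=DS9"

# Assumed safe character set for a CN that becomes part of a file name
SAFE_CN = re.compile(r"[A-Za-z0-9_.@-]+")


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split the OpenSSL one-line subject '/K=V/K=V...' into (key, value) pairs.

    Keys keep their printed case; callers compare them case-insensitively.
    Note: this format does not escape '/' inside values, so a value that
    contains '/' cannot be parsed back reliably (see the usage note).
    """
    if not subject.startswith("/"):
        raise ValueError("expected a one-line subject starting with '/'")
    pairs = []
    for field in subject[1:].split("/"):
        if not field:                      # tolerate a trailing '/'
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % field)
        pairs.append((key, value))
    return pairs


def common_name(subject: str) -> Optional[str]:
    """Return the CN wherever it appears in the subject, or None if absent."""
    for key, value in parse_subject(subject):
        if key.upper() == "CN":
            return value
    return None


def naive_common_name(subject: str) -> Optional[str]:
    """ILLUSTRATIVE ONLY (not OpenVPN's code): a position-dependent match that
    requires some field before '/CN=', so a subject that *starts* with the CN
    is not picked up. This reproduces the symptom in the report, not its cause."""
    m = re.search(r"[^/]/CN=([^/]*)", subject)
    return m.group(1) if m else None


def ccd_file(subject: str, ccd_dir: str = "ccd",
             extractor=common_name) -> str:
    """Map a peer's subject to its client-config-dir file.

    Falls back to <ccd_dir>/UNDEF when no CN is found, which is exactly the
    open("ccd/UNDEF") seen in the strace above. Rejects CNs that could escape
    the directory or name a special entry before using them as a file name."""
    cn = extractor(subject)
    if cn is None:
        return "%s/UNDEF" % ccd_dir
    if cn in (".", "..") or not SAFE_CN.fullmatch(cn):
        raise ValueError("refusing to use CN %r as a file name" % cn)
    return "%s/%s" % (ccd_dir, cn)


if __name__ == "__main__":
    for subj in (SUBJECT_CN_FIRST, SUBJECT_CN_MIDDLE, SUBJECT_NO_CN):
        print("%-75s robust=%-10s naive=%-10s -> %s" % (
            subj, common_name(subj), naive_common_name(subj), ccd_file(subj)))
```

Two caveats for anyone writing their own extractor. First, the one-line subject string is a rendering, not the certificate: older OpenSSL prints values containing '/' or '=' without escaping, so a CN like "a/b" is ambiguous once printed, and the robust approach is to read the commonName entry out of the parsed X509_NAME rather than re-parse log text. Second, if a ccd/UNDEF file exists on your server, it is what a client gets whenever CN extraction fails; when testing a fix for this bug, check that the server opens ccd/<CN> for a CN-first certificate rather than relying on the absence of an UNDEF file to notice the problem.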
