Comment 25 for bug 265058

Imre Gergely (cemc) wrote :

Soo... I did some more digging and I think I've found the thing. The problem occurs ONLY when the CN appears first in the certificate's subject, like this:

write(1, "Fri Dec 3 15:08:12 2010 us=921796 89.136.48.193:48274 VERIFY OK: depth=0, /<email address hidden>\n", 147) = 147

Notice that CN=ximi3 is first, and the result is:

open("ccd/UNDEF", O_RDONLY) = -1 ENOENT (No such file or directory)

If the CN is not the first, everything is alright:

write(1, "Fri Dec 3 15:09:13 2010 us=139668 89.136.48.193:40757 VERIFY OK: depth=0, /<email address hidden>\n", 147) = 147
write(1, "Fri Dec 3 15:09:13 2010 us=276204 89.136.48.193:40757 [ximi2] Peer Connection Initiated with 89.136.48.193:40757\n", 114) = 114
open("ccd/ximi2", O_RDONLY) = 6

The problem is hard to find because when you generate the certificates with the included easy-rsa scripts, the order of the fields in the generated certificate is:

root@ds9:/etc/openvpn/easy-rsa# cat /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

What I did was I moved the CN to the beginning:

root@ds9:/etc/openvpn/easy-rsa# cat openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
commonName = supplied <----
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional

So now my generated certificate had the CN at the front. I'm guessing the bug reporters used some other tools to generate their certificates which put the CN at the front, as in this example on the mailing list, if you look at Jonathan's strace output:

http://sourceforge.net/mailarchive/message.php?msg_name=dac97fdc77ef4700eab65450a4fc2451%40127001.org

write(1, "Thu Sep 4 23:49:13 2008 us=5872"..., 189Thu Sep 4 23:49:13 2008
us=587265 87.127.168.35:55835 VERIFY OK: depth=0,
/CN=lifeless-jupiter/ST=ED/C=UK
/emailAddress=admin@127001.org/O=localhost/OU=localhost_OpenVPN_client_certificate
) = 189

There you have the repro for it: just modify the Ubuntu-included openssl.cnf and generate a certificate in which the CN is first.

I can confirm this bug in 2.1~rc7-1ubuntu3.5 on Hardy.
Please re-add the fix and get it in -proposed, I'll be happy to test it.
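As an added regression check (my own illustration, not OpenVPN's code and not from this bug thread): parse the one-line subject that appears in the "VERIFY OK: depth=0, ..." log entry and resolve the ccd file name from the CN, checking that the result is the same whether the CN is the first field or a later one. The subject strings are constructed from the examples above (the e-mail addresses are placeholders), and the filename check is a conservative assumption of mine, not OpenVPN's exact sanitization rule.

```python
import re

# Constructed subjects in the "/KEY=value/KEY=value" form OpenVPN logs.
# Addresses are placeholders; the redacted ones above are not reproduced.
CN_FIRST = "/CN=ximi3/C=RO/ST=Cluj/L=Cluj/O=example/OU=vpn/emailAddress=user@example.invalid"
CN_LATER = "/C=RO/ST=Cluj/L=Cluj/O=example/OU=vpn/CN=ximi2/emailAddress=user@example.invalid"
# Jonathan's subject from the mailing-list strace quoted above.
JONATHAN = ("/CN=lifeless-jupiter/ST=ED/C=UK"
            "/emailAddress=admin@127001.org/O=localhost/OU=localhost_OpenVPN_client_certificate")


def parse_subject(subject: str) -> dict:
    """Split a slash-separated subject line into a {field: value} mapping."""
    fields = {}
    # A leading "/" yields an empty first component; skipping empties is what
    # makes the CN visible whether it is the first field or a later one.
    for component in subject.split("/"):
        if not component:
            continue
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed subject component: {component!r}")
        fields[name] = value
    return fields


def common_name(subject: str) -> str:
    """CN from the subject, or "UNDEF", the name OpenVPN logged when it failed."""
    return parse_subject(subject).get("CN", "UNDEF")


# Assumed conservative allow-list for a CN used as a file name under ccd/.
# This is my own check, not OpenVPN's sanitization logic.
SAFE_CN = re.compile(r"[A-Za-z0-9._@-]+")


def ccd_path(subject: str, ccd_dir: str = "ccd") -> str:
    """Per-client config path to look up for this peer's certificate subject."""
    cn = common_name(subject)
    if not SAFE_CN.fullmatch(cn):
        raise ValueError(f"refusing to use CN {cn!r} as a ccd file name")
    return f"{ccd_dir}/{cn}"


if __name__ == "__main__":
    for subj in (CN_FIRST, CN_LATER, JONATHAN):
        print(ccd_path(subj))
```

Both orders resolve to ccd/<CN>; the page's failing case is exactly the situation where a parser that mishandles the leading "/" would fall through to "UNDEF".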