Soo... I did some more digging and I think I've found the thing. The problem occurs ONLY when the CN appears first in the certificate's subject, like this:
write(1, "Fri Dec 3 15:08:12 2010 us=921796 89.136.48.193:48274 VERIFY OK: depth=0, /<email address hidden>\n", 147) = 147
Notice the CN=ximi3 is the first and the result is:
open("ccd/UNDEF", O_RDONLY) = -1 ENOENT (No such file or directory)
If the CN is not the first, everything is alright:
write(1, "Fri Dec 3 15:09:13 2010 us=139668 89.136.48.193:40757 VERIFY OK: depth=0, /<email address hidden>\n", 147) = 147
write(1, "Fri Dec 3 15:09:13 2010 us=276204 89.136.48.193:40757 [ximi2] Peer Connection Initiated with 89.136.48.193:40757\n", 114) = 114
open("ccd/ximi2", O_RDONLY) = 6
The problem is hard to find because when you generate the certificates with the included easy-rsa scripts, the order of the fields in the generated certificate is:
root@ds9:/etc/openvpn/easy-rsa# cat /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
What I did was I moved the CN to the beginning:
root@ds9:/etc/openvpn/easy-rsa# cat openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
commonName = supplied <----
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
So now my generated certificate had the CN at the front. I'm guessing the bug reporters used some other tools to generate their certificates which put the CN at the front. As in this example on the mailing list, if you look at the strace output of Jonathan:
http://sourceforge.net/mailarchive/message.php?msg_name=dac97fdc77ef4700eab65450a4fc2451%40127001.org
write(1, "Thu Sep 4 23:49:13 2008 us=5872"..., 189) = 189
Thu Sep 4 23:49:13 2008 us=587265 87.127.168.35:55835 VERIFY OK: depth=0, /CN=lifeless-jupiter/ST=ED/C=UK/emailAddress=admin@127001.org/O=localhost/OU=localhost_OpenVPN_client_certificate
There you have the repro for it, just modify the Ubuntu-included openssl.cnf and generate a certificate in which the CN is first.
I can confirm this bug in 2.1~rc7-1ubuntu3.5 on Hardy.
Please re-add the fix and get it in -proposed, I'll be happy to test it.
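Added illustration, not part of the comment above and not OpenVPN's own code: a hypothetical CN extractor that only finds a common name preceded by a "/" separator, next to one that parses the one-line subject format in any field order. It reproduces the symptom from the strace output (a CN-first subject yielding the UNDEF placeholder and therefore a ccd/UNDEF lookup) and gives a small check for whether a subject string has CN in the first position. The subject strings and e-mail addresses are constructed for the example.

```python
"""Hypothetical CN extraction, showing the CN-first failure mode.

Not OpenVPN's code. The subject strings below are constructed, in the
old OpenSSL one-line form that the VERIFY OK log lines use.
"""

UNDEF = "UNDEF"  # placeholder name seen in the log when no CN was read

# Constructed subjects: one with CN as the first field, one with CN last.
CN_FIRST = "/CN=ximi3/emailAddress=ximi3@example.invalid"
CN_LAST = "/C=UK/ST=ED/O=localhost/emailAddress=ximi2@example.invalid/CN=ximi2"


def naive_cn(subject: str) -> str:
    """Hypothetical buggy extractor.

    Skips the leading '/' and then searches for a '/CN=' separator, so a
    CN sitting in field position 0 has no preceding slash and is missed.
    """
    rest = subject[1:] if subject.startswith("/") else subject
    idx = rest.find("/CN=")
    if idx < 0:
        return UNDEF
    start = idx + len("/CN=")
    end = rest.find("/", start)
    return rest[start:] if end < 0 else rest[start:end]


def parse_subject(subject: str) -> dict:
    """Split '/k=v/k=v' into a dict preserving field order.

    Tolerates a missing leading slash and empty components. Values that
    themselves contain '/' are ambiguous in this legacy format and are
    not handled here.
    """
    fields = {}
    for comp in subject.split("/"):
        if not comp:
            continue
        if "=" not in comp:
            raise ValueError(f"malformed subject component: {comp!r}")
        key, _, value = comp.partition("=")
        fields[key] = value
    return fields


def robust_cn(subject: str) -> str:
    """Return the CN wherever it sits in the subject, else UNDEF."""
    return parse_subject(subject).get("CN", UNDEF)


def cn_is_first(subject: str) -> bool:
    """True when CN is the first subject field (the repro condition)."""
    keys = list(parse_subject(subject))
    return bool(keys) and keys[0] == "CN"


def ccd_path(subject: str, extractor=robust_cn) -> str:
    """Per-client config path derived from the extracted name."""
    return f"ccd/{extractor(subject)}"


if __name__ == "__main__":
    for subj in (CN_FIRST, CN_LAST):
        print(f"{subj}\n  CN first: {cn_is_first(subj)}"
              f"\n  naive -> {ccd_path(subj, naive_cn)}"
              f"\n  robust -> {ccd_path(subj, robust_cn)}")
```

Run as a script it prints both subjects with the path each extractor would open; the naive one resolves the CN-first subject to ccd/UNDEF, matching the open("ccd/UNDEF") seen in the strace above, while the dict-based parser returns the CN regardless of where the certificate generator placed it.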