This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Certificate management: Importing Signing CA cert

Hi,

the new openVPN version throws an error when trying to connect to the ASG SSL-VPN, which is about the missing CN in the signing CA cert. in result, no client with a new software version can connect.

We already opened a ticket at Astaro.

What interests me is:
Did anybody of you successfully imported an own signing CA cert? I tried a few times, but didn't manage. There must be something magic about it...

bibo

PS: I used the following openssl commands (2048bit doesn't work either):
# openssl req -config openssl.cnf -extensions v3_ca -nodes -new -x509 -newkey rsa:1024 -keyout ca.key -out ca.pem
# openssl pkcs12 -export -in ca.pem -inkey ca.key -out ca.p12

This thread was automatically locked due to age.

Parents

0 BAlfson over 16 years ago

Bibo, I'm sure you tried regenerating a new CA from the 'Advanced' tab, so what is the missing CN that Astaro fails to include?

I admit I'm not very knowledgeable about certs and OpenVPN... How could there be a mismatch if you regen the CA then download a new cert for OpenVPN? Or are you saying that that's the problem - Astaro's cert and CA don't match with the new OpenVPN client?

Thanks - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 bibo over 16 years ago in reply to BAlfson

Bob,

the CN is missing in the signing CA cert. It's the one named ca.crt and it is part of the verification chain.
The new openVPN client throws the error because of that missing CN. See the new source code under my post.

Our workaround should be to import a correct signing CA cert under remote access -> certificate management -> certificate authority -> import CA

But i fail to import. I would like to know, if any of you ever managed to import a signing CA cert...
Maby it fails, because it has a CN   [;)]

bibo

snippet of new source code openVPN version 2.1

00571   /* extract the common name */
00572   if (!extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), "CN", common_name, TLS_CN_LEN))
00573     {
00574       if (!ctx->error_depth)
00575       {
00576         msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract Common Name from X509 subject string ('%s') -- note that the Common Name length is limited to %d characters",
00577              subject,
00578              TLS_CN_LEN);
00579         goto err;
00580       }
00581     }
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 bibo over 16 years ago in reply to BAlfson

Bob,

the CN is missing in the signing CA cert. It's the one named ca.crt and it is part of the verification chain.
The new openVPN client throws the error because of that missing CN. See the new source code under my post.

Our workaround should be to import a correct signing CA cert under remote access -> certificate management -> certificate authority -> import CA

But i fail to import. I would like to know, if any of you ever managed to import a signing CA cert...
Maby it fails, because it has a CN   [;)]

bibo

snippet of new source code openVPN version 2.1

00571   /* extract the common name */
00572   if (!extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), "CN", common_name, TLS_CN_LEN))
00573     {
00574       if (!ctx->error_depth)
00575       {
00576         msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract Common Name from X509 subject string ('%s') -- note that the Common Name length is limited to %d characters",
00577              subject,
00578              TLS_CN_LEN);
00579         goto err;
00580       }
00581     }
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 mhock over 16 years ago in reply to bibo

Hi,

I keep getting this error with OpenVPN 2.1 (on Windows Mobile):

VERIFY ERROR: could not extract Common Name from X509 subject string ('/C=de/L=MyCity/O=MyCompany/emailAddress=me@mycompany.de') -- note that the Common Name length is limited to 64 characters

The CA Certificate's Common Name contains blanks, but it can be imported in IE.
Does anyone know how to deal with this in Windows Mobile 6?

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 cvidal over 15 years ago in reply to mhock
Hi,

I keep getting this error with OpenVPN 2.1 (on Windows Mobile):

VERIFY ERROR: could not extract Common Name from X509 subject string ('/C=de/L=MyCity/O=MyCompany/emailAddress=me@mycompany.de') -- note that the Common Name length is limited to 64 characters

The CA Certificate's Common Name contains blanks, but it can be imported in IE.
Does anyone know how to deal with this in Windows Mobile 6?

Thanks!

I had the same problem with OpenVPN on Fedora Core 11, but it works fine in Fedora Core 8. After looking at the code, I found that the FC11 OpenVPN always tries to read the CN from the certificate's subject. When there is no CN, it just exits with the errors you mention.

Later in the code, OpenVPN checks both the full Subject line and, if this does not match the "tls-remote" field, the CN field inside the subject. Of course, in the new version it never comes this far.

Two solutions, either you regenerate the certificates of your server with a common name, or you modify your client OpenVPN.

The later solution (on Linux) is to avoid the exit when there is no CN. This is the patch:

--- openvpn-2.1_rc15/ssl.c      2008-11-18 03:57:27.000000000 +0100
+++ openvpn-2.1_rc15.new/ssl.c  2009-09-29 16:45:10.760897620 +0200
@@ -634,6 +634,7 @@
   /* extract the common name */
   if (!extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), "CN", common_name, TLS_CN_LEN))
     {
+#if 0
       if (!ctx->error_depth)
        {
          msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract Common Name from X509 subject string ('%s') -- note that the Common Name length is limited to %d characters",
@@ -641,6 +642,7 @@
               TLS_CN_LEN);
          goto err;
        }
+#endif
     }

   string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);

If you can't do either, maybe an older version of OpenVPN for Windows Mobile can do the trick.

Carlos
Cancel
Vote Up 0 Vote Down

Cancel