[Bug 265058] Re: [SRU] openvpn2.1~rc7 fails to pick up the CN of certificates
Imre Gergely
gimre at narancs.net
Fri Dec 3 13:22:26 GMT 2010
Soo... I did some more digging and I think I've found the thing. The
problem occurs ONLY when the CN appears first in the certificate's
subject, like this:
write(1, "Fri Dec 3 15:08:12 2010 us=921796 89.136.48.193:48274 VERIFY OK: depth=0, /CN=ximi3/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/emailAddress=gimre at narancs.net\n", 147) = 147
Notice the CN=ximi3 is the first and the result is:
open("ccd/UNDEF", O_RDONLY) = -1 ENOENT (No such file or directory)
If the CN is not the first, everything is alright:
write(1, "Fri Dec 3 15:09:13 2010 us=139668 89.136.48.193:40757 VERIFY OK: depth=0, /C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/CN=ximi2/emailAddress=gimre at narancs.net\n", 147) = 147
write(1, "Fri Dec 3 15:09:13 2010 us=276204 89.136.48.193:40757 [ximi2] Peer Connection Initiated with 89.136.48.193:40757\n", 114) = 114
open("ccd/ximi2", O_RDONLY) = 6
The problem is hard to find because when you generate the certificates
with the included easy-rsa scripts, the order of the fields in the
generated certificate is:
root at ds9:/etc/openvpn/easy-rsa# cat /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
What I did was I moved the CN to the beginning:
root at ds9:/etc/openvpn/easy-rsa# cat openssl.cnf | grep -A8 '\[ policy_anything \]'
[ policy_anything ]
commonName = supplied <----
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
So now my generated certificate had the CN at the front. I'm guessing
the bug reporters used some other tools to generate their certificates
which put the CN at the front. As was the case in this example on the mailing
list, if you look at the strace output of Jonathan:
http://sourceforge.net/mailarchive/message.php?msg_name=dac97fdc77ef4700eab65450a4fc2451%40127001.org
write(1, "Thu Sep 4 23:49:13 2008 us=5872"..., 189Thu Sep 4 23:49:13 2008 us=587265 87.127.168.35:55835 VERIFY OK: depth=0, /CN=lifeless-jupiter/ST=ED/C=UK/emailAddress=admin at 127001.org/O=localhost/OU=localhost_OpenVPN_client_certificate
) = 189
There you have the repro for it: just modify the Ubuntu-included
openssl.cnf and generate a certificate in which the CN is first.
I can confirm this bug in 2.1~rc7-1ubuntu3.5 on Hardy.
Please re-add the fix and get it in -proposed, I'll be happy to test it.
--
https://bugs.launchpad.net/bugs/265058
More information about the Ubuntu-server-bugs mailing list
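As an added illustration (not code from this report or from OpenVPN), the C routine below extracts the CN from an OpenSSL one-line subject regardless of where the component sits and falls back to UNDEF when no CN is present, which is the behaviour the reporter expected for both subject orderings. The subject strings are constructed from the two strace lines in the post with a placeholder e-mail address, and ccd_name_is is a hypothetical helper, not an OpenVPN function.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subjects modelled on the two strace lines in the report
 * (e-mail address replaced by a placeholder). */
static const char SUBJECT_CN_FIRST[] =
    "/CN=ximi3/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/emailAddress=user@example.org";
static const char SUBJECT_CN_MIDDLE[] =
    "/C=RO/ST=CJ/L=Cluj_Napoca/O=DS9/CN=ximi2/emailAddress=user@example.org";

/* Extract the CN from an OpenSSL one-line subject ("/K=V/K=V/...").
 * Every '/'-delimited component is inspected, so the CN is found whether
 * it is first, in the middle or last. On success the value is copied into
 * out (truncated to fit) and 1 is returned; with no non-empty CN, out is
 * set to "UNDEF" (the fallback seen in the ccd/UNDEF open() above) and 0
 * is returned. Caveat: this format does not escape '/', so a value that
 * itself contains '/' cannot be recovered unambiguously. */
int subject_common_name(const char *subject, char *out, size_t outlen)
{
    const char *p = subject;
    if (outlen == 0) return 0;
    for (;;) {
        if (*p == '/') p++;                       /* step over the separator */
        const char *end = strchr(p, '/');         /* end of this component */
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 3 && strncmp(p, "CN=", 3) == 0) {
            size_t vlen = len - 3;
            if (vlen >= outlen) vlen = outlen - 1; /* never write past out */
            memcpy(out, p + 3, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) break;
        p = end;
    }
    snprintf(out, outlen, "UNDEF");
    return 0;
}

/* Hypothetical helper: does this subject resolve to the given ccd file name? */
int ccd_name_is(const char *subject, const char *expected)
{
    char cn[256];
    subject_common_name(subject, cn, sizeof cn);
    return strcmp(cn, expected) == 0;
}
```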