Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

wknauf
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 28, 2019 8:24 am

Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by wknauf » Thu Feb 28, 2019 8:27 am

I observe this error when connecting to a customer's VPN server:

Thu Feb 28 08:48:50 2019 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Dortmund, O=Versatel, CN=ASG_1, emailAddress=...

The certificate has those fields:
Validity
Not Before: Oct 22 13:28:29 2009 GMT
Not After : Mar 8 13:28:29 2037 GMT
(which is before the 2038 bug...)

It works with OpenVPNGui 2.4.6, so I assume this is a regression.

My machine is Win10x64.

Best regards

Wolfgang

plaisthos
OpenVPN User
Posts: 12
Joined: Mon May 14, 2012 1:15 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by plaisthos » Thu Feb 28, 2019 11:04 am

This is probably a newer OpenSSL that is stricter than the old one. Also, if you can, test this by copying the old SSL libraries from 2.4.6 to the new 2.4.7 dir.

If you can, posting the PEM of the server or trying to see if openssl x509 -in also complains is a good step.

TinCanTech
OpenVPN Protagonist
Posts: 6032
Joined: Fri Jun 03, 2016 1:17 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by TinCanTech » Thu Feb 28, 2019 6:26 pm


wknauf
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 28, 2019 8:24 am

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by wknauf » Fri Mar 01, 2019 9:06 am

It worked after replacing openssl.exe, libssl-1_1-x64.dll, libpkcs11-helper-1.dll, libcrypto-1_1-x64.dll. I replaced them step by step, and it started working after replacing libcrypto-1_1-x64.dll. It seems I have to replace the previous three files first, otherwise a DLL load error is raised.

The certificate which seems to cause the trouble was given to us by the customer's IT and we had to place it in the OpenVPNGui\config directory, so I am not sure whether it is smart to post it here ;-).
In the client config, we have three files: "...ca.crt", "...user.crt" and "...user.key".

A call to "openssl.exe x509 -in ..\config\...ca.crt" prints the "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block. Same for the "...user.crt" file.

Please ask me for more information if needed...

Wolfgang

plaisthos
OpenVPN User
Posts: 12
Joined: Mon May 14, 2012 1:15 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by plaisthos » Fri Mar 01, 2019 1:52 pm

Are you running with the new openssl.exe from 2.4.7?

You might also add -text to the openssl output to get human-readable output.

But in summary this confirms what I suspected. The certificate gets rejected by OpenSSL. So either the certificate needs to be fixed or there might be a bug in OpenSSL. This is not really an OpenVPN bug.

wknauf
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 28, 2019 8:24 am

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by wknauf » Fri Mar 01, 2019 2:27 pm

Yes, I used the openssl.exe from 2.4.7.

"-text" just prints the full certificate content.

Do you have a link to some OpenSSL forum where I could ask the same?

novaflash
I should be on the dev team.
Posts: 995
Joined: Fri Apr 13, 2012 8:43 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by novaflash » Fri Mar 01, 2019 3:31 pm

I'm not plaisthos, but simply looking around a bit seems to suggest you might be able to try here to report your issue:
https://github.com/openssl/openssl/issues

You *might* also be able to fix the certificate by using openssl (the version that works) to read the certificate, and then output it again. Running it through openssl this way might repair defects in the certificate. See instructions on the internet on how to do this.

plaisthos
OpenVPN User
Posts: 12
Joined: Mon May 14, 2012 1:15 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by plaisthos » Fri Mar 01, 2019 3:35 pm

But note that https://github.com/openssl/openssl/issues is not a help forum but a developer issue tracker; there you probably have to provide a server.pem+server.key and reproduce the problem with s_server/s_client.

Even if we (OpenVPN) should look into this more closely, we would also need some server.pem/server.key that can reproduce the behaviour.

Reading/outputting will not help in this case, as notValidAfter is in the signed part; altering it would break the CA signature.

wknauf
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 28, 2019 8:24 am

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by wknauf » Mon Mar 04, 2019 8:11 am

Thanks, I asked this on the OpenSSL mailing list: https://mta.openssl.org/pipermail/opens ... 10013.html

Wolfgang

wknauf
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 28, 2019 8:24 am

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by wknauf » Wed Mar 06, 2019 1:02 pm

It turned out to be a problem with the server certificate:

openssl asn1parse -in server.crt | grep UTC
157:d=3 hl=2 l= 13 prim: UTCTIME :091022132829Z
172:d=3 hl=2 l= 17 prim: UTCTIME :370308132808+0000

==> the second UTC time is invalid.

Thanks for your help!
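The asn1parse output above shows the root cause: RFC 5280 requires a UTCTime in a certificate's Validity field to be encoded as YYMMDDHHMMSSZ, so "370308132808+0000" (a local-offset form) is malformed even though the date it denotes is fine, while "091022132829Z" is conformant. The following Python is an added example, not code from the thread or from OpenVPN/OpenSSL; it implements that strict check, decodes a DER Validity SEQUENCE constructed here to mirror the thread's two timestamps (this goes beyond the page, which only shows the asn1parse text), and also scans `openssl asn1parse` output lines. The DER bytes, the sample output lines and all function names are constructed for this example.

```python
import re
from datetime import datetime, timezone

# ASN.1 universal tags for the two time types allowed in an X.509 Validity
UTCTIME = 0x17
GENERALIZEDTIME = 0x18

# RFC 5280 section 4.1.2.5: UTCTime MUST be YYMMDDHHMMSSZ and GeneralizedTime
# MUST be YYYYMMDDHHMMSSZ; seconds are mandatory, and neither fractional seconds
# nor a local offset such as "+0000" is permitted. OpenSSL 1.0.x tolerated the
# offset form; OpenSSL 1.1.x rejects it with the error seen in this thread.
_UTC_RE = re.compile(r"^\d{12}Z$")
_GEN_RE = re.compile(r"^\d{14}Z$")


def parse_x509_time(tag, text):
    """Return an aware datetime for a strictly RFC 5280 conformant time string,
    or raise ValueError naming the defect (the 'format error' case)."""
    if tag == UTCTIME:
        if not _UTC_RE.match(text):
            raise ValueError(f"UTCTime {text!r} is not of the form YYMMDDHHMMSSZ")
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year pivot
        rest = text[2:12]
    elif tag == GENERALIZEDTIME:
        if not _GEN_RE.match(text):
            raise ValueError(f"GeneralizedTime {text!r} is not of the form YYYYMMDDHHMMSSZ")
        year = int(text[:4])
        rest = text[4:14]
    else:
        raise ValueError(f"tag 0x{tag:02x} is not UTCTime or GeneralizedTime")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    # datetime() itself rejects impossible dates such as month 13 or Feb 30
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Minimal DER tag-length-value reader; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:                      # long-form length (n length bytes follow)
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        pos += 2
    return tag, buf[pos:pos + length], pos + length


def check_validity(der):
    """Decode a DER-encoded Validity SEQUENCE and return
    (notBefore, notAfter, problems); a non-conformant time yields None and a
    problem string instead of silently producing a date."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    times, problems, pos = [], [], 0
    for name in ("notBefore", "notAfter"):
        tag, value, pos = _read_tlv(body, pos)
        try:
            times.append(parse_x509_time(tag, value.decode("ascii")))
        except ValueError as exc:
            times.append(None)
            problems.append(f"{name}: {exc}")
    return times[0], times[1], problems


# Constructed DER Validity reproducing the thread's asn1parse output:
# SEQUENCE { UTCTime "091022132829Z", UTCTime "370308132808+0000" }
BAD_VALIDITY = (
    b"\x30\x22"
    b"\x17\x0d" b"091022132829Z"
    b"\x17\x11" b"370308132808+0000"
)
# The same Validity as a conforming CA would have encoded it
GOOD_VALIDITY = (
    b"\x30\x1e"
    b"\x17\x0d" b"091022132829Z"
    b"\x17\x0d" b"370308132808Z"
)

# Constructed copy of the `openssl asn1parse ... | grep UTC` lines from the thread
ASN1PARSE_LINES = [
    "157:d=3  hl=2 l=  13 prim: UTCTIME           :091022132829Z",
    "172:d=3  hl=2 l=  17 prim: UTCTIME           :370308132808+0000",
]
_ASN1PARSE_RE = re.compile(r"prim:\s+(UTCTIME|GENERALIZEDTIME)\s+:(\S+)")


def check_asn1parse_output(lines):
    """Scan asn1parse output; return [(time_string, problem_or_None), ...]."""
    results = []
    for line in lines:
        m = _ASN1PARSE_RE.search(line)
        if not m:
            continue
        tag = UTCTIME if m.group(1) == "UTCTIME" else GENERALIZEDTIME
        try:
            parse_x509_time(tag, m.group(2))
            results.append((m.group(2), None))
        except ValueError as exc:
            results.append((m.group(2), str(exc)))
    return results


if __name__ == "__main__":
    print(check_validity(BAD_VALIDITY))
    print(check_validity(GOOD_VALIDITY))
    print(check_asn1parse_output(ASN1PARSE_LINES))
```

Because the defect is inside the signed tbsCertificate, the only real fix is re-issuing the certificate from the CA with a conformant notAfter; a checker like this is useful for auditing a certificate store before an OpenSSL upgrade turns a long-tolerated encoding into a hard verification failure.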

novaflash
I should be on the dev team.
Posts: 995
Joined: Fri Apr 13, 2012 8:43 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by novaflash » Wed Mar 06, 2019 2:11 pm

Great to hear, and to have this information on record in the forum.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by janjust » Mon Mar 11, 2019 7:40 am

For the record: OpenSSL 1.0.x grokked the invalid certificate time. OpenSSL 1.1+ does not. This can be considered a bug in OpenSSL < 1.1.

plaisthos
OpenVPN User
Posts: 12
Joined: Mon May 14, 2012 1:15 pm

Re: Regression in OpenVPNGui 2.4.7: format error in certificate's notAfter field

Post by plaisthos » Mon Mar 11, 2019 9:12 am

I got a similar report (also with the "format error in certificate's notAfter field" error) when I upgraded my app from OpenSSL 1.1.1 to OpenSSL 1.1.1a. So this might be an intended change in OpenSSL.
