PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

trustee
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 09, 2016 10:47 am

PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by trustee » Thu Jun 09, 2016 11:50 am

We get this error when trying to connect with our VPN SSL. It works properly on Windows clients.

It happens in iOS clients (OpenVPN 1.07 build:199) and Android clients (OpenVPN Connect 1.1.17 build:76).

We tried to change settings, in different combinations: "Force AES-CBC ciphersuites" and "TLS", with the same results.

Any idea?

TinCanTech
OpenVPN Protagonist
Posts: 2810
Joined: Fri Jun 03, 2016 1:17 pm

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by TinCanTech » Thu Jun 09, 2016 1:15 pm

PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
The date tag or value is invalid ..

1. How did you create your certificate ?

2. Is this in the server or client log ?

3. Please post the complete, relevant log.

trustee
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 09, 2016 10:47 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by trustee » Fri Jun 10, 2016 1:19 pm

We create the certificate with our firewall (Cyberoam). The log is in the application (OpenVPN on iOS):

2016-06-09 11:15:54 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-06-09 11:15:54 Frame=512/2048/512 mssfix-ctrl=1250
2016-06-09 11:15:54 EVENT: CORE_ERROR PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
2016-06-09 11:15:54 Raw stats on disconnect:
2016-06-09 11:15:54 Performance stats on disconnect:
CPU usage (microseconds): 5878
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

jamesyonan
OpenVPN Technologies
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by jamesyonan » Fri Jun 10, 2016 6:13 pm

PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
I believe this issue is occurring because of incorrectly formatted certificates.

The issue was discussed at length on the mbedTLS/PolarSSL forums:

https://github.com/ARMmbed/mbedtls/issues/499

I have personally viewed some of the certificates emailed to OpenVPN Tech. exhibiting this issue, and I can confirm that in all cases that trigger this error, the seconds field in the date (mandated by the X509 spec in RFC 5280) is omitted.

I've put together a simple Python script that will flag certs that use invalid dates, so you can confirm if your certs are affected:

https://gist.github.com/jamesyonan/90b8 ... be66d3c6a6

You can run this script on an individual cert or on the whole OpenVPN profile/config (if the profile uses inline certs).

James

blinkingbee
OpenVpn Newbie
Posts: 5
Joined: Wed Jun 01, 2016 2:59 pm

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by blinkingbee » Fri Jun 10, 2016 10:13 pm

I have run the script on my Witopia ovpn file and it reveals a 'missing seconds' error in one of the certs. I've informed Witopia who are looking into it.

dhammond
OpenVpn Newbie
Posts: 2
Joined: Fri Jun 10, 2016 9:09 pm

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by dhammond » Fri Jun 10, 2016 10:57 pm

I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.

Code:

[18:52:21] drewhammond:sophos-sslvpn-checker $ ./checkcert.py cert.ovpn
Certificate #1
  151106023945Z : correct date length per RFC 5280
  361231023945Z : correct date length per RFC 5280
Certificate #2

Still seeing the "OpenVPN error : PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid" error on the app.

jamesyonan
OpenVPN Technologies
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by jamesyonan » Sat Jun 11, 2016 1:05 am

dhammond wrote: I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.

But "Certificate #2" doesn't show any date info. If you can email your profile and certs (with private keys removed) to ios@openvpn.net, we can take a look at it.

James

jamesyonan
OpenVPN Technologies
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by jamesyonan » Sat Jun 11, 2016 5:55 pm

dhammond wrote: I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.

Code:

[18:52:21] drewhammond:sophos-sslvpn-checker $ ./checkcert.py cert.ovpn
Certificate #1
  151106023945Z : correct date length per RFC 5280
  361231023945Z : correct date length per RFC 5280
Certificate #2

Still seeing the "OpenVPN error : PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid" error on the app.

I updated the cert validation script to check for certs that don't use GMT (Zulu) time as RFC 5280 requires. Running the script now on a Sophos-generated cert, you can see that it's using a time differential (i.e. the "+0000") which the RFC explicitly forbids. The RFC wants "Zulu" time where the date ends in 'Z':

For the purposes of this profile, UTCTime values MUST be expressed in
Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
YYMMDDHHMMSSZ), even where the number of seconds is zero.

So I'd have to say that mbedTLS/PolarSSL is properly following the standard here.

Output on Sophos cert from updated cert checker:

Code:

$ python ~/scripts/certdate.py UserCertificate.pem
=== UserCertificate.pem ===
Certificate #1
  150630000000+0000 : invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format
  361231120000+0000 : invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format

If you want to run the cert checker yourself, the script is here:

https://gist.github.com/jamesyonan/90b8 ... be66d3c6a6

More details about validity date requirements in RFC 5280:

https://tools.ietf.org/html/rfc5280#section-4.1.2.5

James
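The two RFC 5280 date rules discussed in this thread (seconds present, Zulu time), as an added example that is not part of the original posts and is not the gist script linked above: a small DER walker that finds every UTCTime/GeneralizedTime field and classifies it. The function names and the `SAMPLE` structure are assumptions made for illustration; the sample is constructed and is not a real certificate.

```python
import re

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18   # ASN.1 universal tags for the two time types

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def find_times(buf):
    """Yield (tag, value) for each time field, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag in (UTC_TIME, GENERALIZED_TIME):
            yield tag, value
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from find_times(value)

def classify(tag, value):
    """Apply RFC 5280 section 4.1.2.5: Zulu time with seconds always present."""
    digits = 12 if tag == UTC_TIME else 14     # YYMMDDHHMMSS or YYYYMMDDHHMMSS
    if re.fullmatch(rb"\d{%d}Z" % digits, value):
        return "ok"
    if re.fullmatch(rb"\d{%d}Z" % (digits - 2), value):
        return "missing seconds"
    if not value.endswith(b"Z"):
        return "not Zulu"
    return "malformed"

def check(der):
    return [(v.decode("ascii", "replace"), classify(t, v)) for t, v in find_times(der)]

def tlv(tag, value):                       # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed sample, not a real certificate: two Validity-style SEQUENCEs.
# The "+0000" values and 361231023945Z are quoted in this thread; 1511060239Z is made up.
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(UTC_TIME, b"150630000000+0000") + tlv(UTC_TIME, b"361231120000+0000")) +
    tlv(0x30, tlv(UTC_TIME, b"1511060239Z") + tlv(UTC_TIME, b"361231023945Z")))

if __name__ == "__main__":
    for value, verdict in check(SAMPLE):
        print(f"  {value} : {verdict}")
```

For a PEM file, `ssl.PEM_cert_to_DER_cert()` from the Python standard library gives the DER bytes to pass to `check()`. Time values wrapped inside extension OCTET STRINGs are not visited, since those are primitive types.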

dhammond
OpenVpn Newbie
Posts: 2
Joined: Fri Jun 10, 2016 9:09 pm

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by dhammond » Sat Jun 11, 2016 9:10 pm

Thanks for the update James. Hopefully this will lead to a quick resolution at Sophos.

aljoscha.merkel@diegel.de
OpenVpn Newbie
Posts: 1
Joined: Wed Jun 01, 2016 7:39 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by aljoscha.merkel@diegel.de » Mon Jun 20, 2016 8:48 am

Hello,

I've got the same problem.
With iOS Version 9.2.1 it works fine. Only with iOS 9.3.2 I have this problem. It seems to be an Apple problem!

freelandr
OpenVpn Newbie
Posts: 1
Joined: Sun Jun 26, 2016 7:23 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by freelandr » Sun Jun 26, 2016 7:29 am

dhammond wrote: Thanks for the update James. Hopefully this will lead to a quick resolution at Sophos.

Yes, thank you James. I'm also having the same issue and the same result as you.

Has anyone here reported it to Cyberoam/Sophos for a fix?

Freelandr

tomiyalima
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 30, 2016 12:49 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by tomiyalima » Thu Jun 30, 2016 12:54 am

Cyberoam online support guys resolved the same situation by changing the firewall certificate configured for the SSL VPN. They used the Appliance Certificate. You have to replace the configuration in both your Windows clients and Android phones. It works.

copper
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 08, 2016 3:45 pm

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by copper » Thu Sep 08, 2016 3:56 pm

Hi,

Any update on this problem after two months? I have checked my cert with the script, it's OK:

Certificate #1
080415095841Z : correct UTCTime date length per RFC 5280
350831095841Z : correct UTCTime date length per RFC 5280
Certificate #2
120416143118Z : correct UTCTime date length per RFC 5280
350831095831Z : correct UTCTime date length per RFC 5280


But still the same error with iPhone:

Client exception in transport_recv_excode: PolarSSL: SSL read error : X509 – The date tag or value is invalid

thanks,

Peter

ravipurbia
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 05, 2017 8:37 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by ravipurbia » Thu Jan 05, 2017 8:41 am

tomiyalima wrote: Cyberoam online support guys resolved the same situation by changing the firewall certificate configured for the SSL VPN. They used the Appliance Certificate. You have to replace the configuration in both your Windows clients and Android phones. It works.

Can you please guide me on how to issue an Appliance Certificate from the Cyberoam firewall? I'm trying to connect my iPhone 5s with OpenVPN to the Cyberoam firewall. We already have a working SSL VPN client configured on Windows, and it is working fine. But when I download the configuration for Mac/iOS and transfer it to OpenVPN, it shows the same error:
"PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid"

Ravi

hchammerich
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 02, 2017 11:58 am

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Post by hchammerich » Thu Feb 02, 2017 12:19 pm

Hi, has anyone found a solution so far for copper's problem:
Client exception in transport_recv_excode: PolarSSL: SSL read error : X509 – The date tag or value is invalid
What "date tag or value" is invalid?
Why does it loop (one minute, 60 seconds) until OpenVPN Connect tells
Connection timeout
???
