
PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Thu Jun 09, 2016 11:50 am
by trustee
We get this error when trying to connect with our SSL VPN. It works properly on Windows clients.

It happens on iOS clients (OpenVPN 1.07 build:199) and Android clients (OpenVPN Connect 1.1.17 build:76).

We tried changing settings in different combinations ("Force AES-CBC ciphersuites" and "TLS") with the same results.

Any idea?

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Thu Jun 09, 2016 1:15 pm
by TinCanTech
PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
The date tag or value is invalid ..

1. How did you create your certificate ?

2. Is this in the server or client log ?

3. Please post the complete, relevant log.

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Fri Jun 10, 2016 1:19 pm
by trustee
We created the certificate with our firewall (Cyberoam); the log is from the application (OpenVPN on iOS):

2016-06-09 11:15:54 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-06-09 11:15:54 Frame=512/2048/512 mssfix-ctrl=1250
2016-06-09 11:15:54 EVENT: CORE_ERROR PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
2016-06-09 11:15:54 Raw stats on disconnect:
2016-06-09 11:15:54 Performance stats on disconnect:
CPU usage (microseconds): 5878
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Fri Jun 10, 2016 6:13 pm
by jamesyonan
PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]


I believe this issue is occurring because of incorrectly formatted certificates.

The issue was discussed at length on the mbedTLS/PolarSSL forums:

https://github.com/ARMmbed/mbedtls/issues/499

I have personally viewed some of the certificates emailed to OpenVPN Tech. exhibiting this issue, and I can confirm that in all cases that trigger this error, the seconds field in the date (mandated by the X509 spec in RFC 5280) is omitted.

I've put together a simple Python script that will flag certs that use invalid dates, so you can confirm if your certs are affected:

https://gist.github.com/jamesyonan/90b8 ... be66d3c6a6

You can run this script on an individual cert or on the whole OpenVPN profile/config (if the profile uses inline certs).

James

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Fri Jun 10, 2016 10:13 pm
by blinkingbee
I have run the script on my Witopia ovpn file and it reveals a 'missing seconds' error in one of the certs. I've informed Witopia who are looking into it.

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Fri Jun 10, 2016 10:57 pm
by dhammond
I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.


[18:52:21] drewhammond:sophos-sslvpn-checker $ ./checkcert.py cert.ovpn
Certificate #1
  151106023945Z : correct date length per RFC 5280
  361231023945Z : correct date length per RFC 5280
Certificate #2


Still seeing the "OpenVPN error : PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid" error on the app.

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Sat Jun 11, 2016 1:05 am
by jamesyonan
dhammond wrote:I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.


But "Certificate #2" doesn't show any date info. If you can email your profile and certs (with private keys removed) to ios@openvpn.net, we can take a look at it.

James

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Sat Jun 11, 2016 5:55 pm
by jamesyonan
dhammond wrote:I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.


[18:52:21] drewhammond:sophos-sslvpn-checker $ ./checkcert.py cert.ovpn
Certificate #1
  151106023945Z : correct date length per RFC 5280
  361231023945Z : correct date length per RFC 5280
Certificate #2


Still seeing the "OpenVPN error : PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid" error on the app.


I updated the cert validation script to check for certs that don't use GMT (Zulu) time as RFC 5280 requires. Running the script now on a Sophos-generated cert, you can see that it's using a time differential (i.e. the "+0000") which the RFC explicitly forbids. The RFC wants "Zulu" time where the date ends in 'Z':

For the purposes of this profile, UTCTime values MUST be expressed in
Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
YYMMDDHHMMSSZ), even where the number of seconds is zero.


So I'd have to say that mbedTLS/PolarSSL is properly following the standard here.

Output on Sophos cert from updated cert checker:


$ python ~/scripts/certdate.py UserCertificate.pem
=== UserCertificate.pem ===
Certificate #1
  150630000000+0000 : invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format
  361231120000+0000 : invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format


If you want to run the cert checker yourself, the script is here:

https://gist.github.com/jamesyonan/90b8 ... be66d3c6a6

More details about validity date requirements in RFC 5280:

https://tools.ietf.org/html/rfc5280#section-4.1.2.5

James
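The two checks James describes in the posts above (seconds must be present, and the time must end in 'Z' rather than carry a "+0000" offset) can be reproduced without his gist. The script below is an added example, not the gist linked in this thread and not OpenVPN or mbedTLS code: it walks the DER of every PEM certificate it finds (a .pem/.crt, or an .ovpn with inline certs), pulls out each UTCTime/GeneralizedTime value, and applies the RFC 5280 section 4.1.2.5 rules. The DER samples at the bottom are constructed for the demonstration, they are not real certificates, and the reported date strings are invented to match the two failure shapes discussed in the thread (missing seconds, and "+0000" instead of "Z").

```python
"""Flag X.509 validity times that violate RFC 5280 section 4.1.2.5.

RFC 5280 requires UTCTime as YYMMDDHHMMSSZ and GeneralizedTime as
YYYYMMDDHHMMSSZ: seconds are mandatory, and the time MUST be Zulu ('Z'),
so a trailing offset such as "+0000" is invalid even though it is UTC.
mbedTLS/PolarSSL rejects either form with "The date tag or value is invalid".
"""
import base64
import re
import sys

UTC_TIME = 0x17          # ASN.1 UTCTime tag
GENERALIZED_TIME = 0x18  # ASN.1 GeneralizedTime tag
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _walk(data, found):
    """Collect every (tag, text) time value reachable through constructed types.

    Times inside OCTET STRING-wrapped extensions are not visited; the
    notBefore/notAfter pair lives directly in the TBSCertificate SEQUENCE.
    """
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        if tag in (UTC_TIME, GENERALIZED_TIME):
            found.append((tag, value.decode("ascii", "replace")))
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [n] EXPLICIT
            _walk(value, found)
    return found


def check_time(tag, text):
    """Return None if text is RFC 5280 compliant, else a short reason."""
    if not text.endswith("Z"):
        return "not in Greenwich Mean Time (Zulu) format"
    digits = text[:-1]
    if not digits.isdigit():
        return "non-digit characters in time (fractional seconds are forbidden)"
    expected = 12 if tag == UTC_TIME else 14
    if len(digits) != expected:
        return f"wrong length ({len(digits)} digits, expected {expected}; seconds are mandatory)"
    return None


def check_der(der):
    """Return [(time_string, problem_or_None), ...] for every time in a DER blob."""
    return [(text, check_time(tag, text)) for tag, text in _walk(der, [])]


def check_pem_text(text):
    """Check every PEM certificate in text; returns one result list per cert."""
    results = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        results.append(check_der(der))
    return results


def report(results):
    """Render results in the same style as the checker output quoted in the thread."""
    lines = []
    for i, cert in enumerate(results, 1):
        lines.append(f"Certificate #{i}")
        for text, problem in cert:
            verdict = "correct date per RFC 5280" if problem is None else f"invalid date per RFC 5280: {problem}"
            lines.append(f"  {text} : {verdict}")
    return lines


# --- constructed sample data (not real certificates) -------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_time(text, tag=UTC_TIME):
    body = text.encode("ascii")
    return bytes([tag]) + _der_len(len(body)) + body


def _der_seq(*children):
    body = b"".join(children)
    return b"\x30" + _der_len(len(body)) + body


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# A bare Validity SEQUENCE stands in for a certificate; the walker does not care.
SAMPLE_GOOD = _der_seq(_der_time("151106023945Z"), _der_time("361231023945Z"))
SAMPLE_BAD = _der_seq(_der_time("150630000000+0000"), _der_time("1512311200Z"))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = to_pem(SAMPLE_GOOD) + to_pem(SAMPLE_BAD)  # constructed samples
    print("\n".join(report(check_pem_text(text))))
```

Run it as `python certdate_check.py client.ovpn` (the filename is an assumption); with no argument it checks the two constructed samples, reporting the first as valid and the second as failing both the Zulu and the missing-seconds rule. Note that a clean result here only proves the times are well-formed; a cert can still be rejected for other reasons, which is why the other posters were asked for their full profiles.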

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Sat Jun 11, 2016 9:10 pm
by dhammond
Thanks for the update James. Hopefully this will lead to a quick resolution at Sophos.

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Mon Jun 20, 2016 8:48 am
by aljoscha.merkel@diegel.de
Hello,

I've got the same problem.
With iOS version 9.2.1 it works fine. Only with iOS 9.3.2 do I have this problem. It seems to be an Apple problem!

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Sun Jun 26, 2016 7:29 am
by freelandr
dhammond wrote:Thanks for the update James. Hopefully this will lead to a quick resolution at Sophos.


Yes, thank you James. I'm also having the same issue and the same result as you.

Has anyone here reported it to Cyberoam/Sophos for a fix?

Freelandr

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Thu Jun 30, 2016 12:54 am
by tomiyalima
Cyberoam online support guys resolved the same situation by changing the firewall certificate configured for the SSL VPN. They used the Appliance Certificate. You have to replace the configuration in both your windows clients and android phones. It works.

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Thu Sep 08, 2016 3:56 pm
by copper
Hi,

Any update on this problem in the two months since? I have checked my cert with the script, and it's OK:

Certificate #1
080415095841Z : correct UTCTime date length per RFC 5280
350831095841Z : correct UTCTime date length per RFC 5280
Certificate #2
120416143118Z : correct UTCTime date length per RFC 5280
350831095831Z : correct UTCTime date length per RFC 5280


But still the same error with iPhone:

Client exception in transport_recv_excode: PolarSSL: SSL read error : X509 – The date tag or value is invalid

thanks,

Peter

Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]

Posted: Thu Jan 05, 2017 8:41 am
by ravipurbia
tomiyalima wrote:Cyberoam online support guys resolved the same situation by changing the firewall certificate configured for the SSL VPN. They used the Appliance Certificate. You have to replace the configuration in both your windows clients and android phones. It works.



Can you please guide me on how to issue an Appliance Certificate from the Cyberoam firewall? I'm trying to connect my iPhone 5s with OpenVPN to a Cyberoam firewall. We already have a working SSL VPN client configured on Windows, and it works fine. But when I download the configuration for Mac/iOS and transfer it to OpenVPN, it shows the same error:
"PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid"

Ravi