Problem with CN in unicode.

[forth]

Hi all. First, thanks to developers for a good and free vpn solution.
I have a problem with openvpn daemon. CN attribute in clients certificates is first name + last name given in russian with unicode encoding. OpenVPN treat them all as "___________________", and writes CN in this form to ipp.txt and openvpn.log. So, when client with CN, which length equal to another connected client, try to connect, OpenVPN treat this as equal CN's and drop another connection.
Is this a bug?
I think that duplicate-cn option in openvpn.conf is not good, and i do not want regenerate certificates with latin translate of CN's.

[krzee]

you really should re-generate your certs with better common-names (better in the eyes of openvpn). With that said, here you go:

--no-name-remapping
Allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return.

By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509 Subject string as returned by the tls_id environmental variable, can additionally contain colon (':') or equal ('=').

While name remapping is performed for security reasons to reduce the possibility of introducing string expansion security vulnerabilities in user-defined authentication scripts, this option is provided for those cases where it is desirable to disable the remapping feature. Don't use this option unless you know what you are doing!

[forth]

Thanks for answer.
What that mean "any printable"? Is it include Unicode character sets?

[krzee]

honestly im not sure...
if you like you can use that option and let us know based on trial/error.
if you need, i will forward this thread to some developers and see if they can be more helpful

[forth]

no-name-remapping is'nt solving the problem. Yes, it's disable remapping, but only for space in CN.
All unicode symbols replaced by underscores.

[krzee]

no-name-remapping is'nt solving the problem. Yes, it's disable remapping, but only for space in CN.
All unicode symbols replaced by underscores.

then there ya go... you cant use unicode in your certs... time to make more

[forth]

This it sad. I have redhat directory server, with 500+ already generated certs.
How can i create bug report/feature request to openvpn developers?

[krzee]

How can i create bug report/feature request to openvpn developers?

community.openvpn.net trac, same login and password that you use here

you can script the re-generating of your certs, something tells me they wont be adding unicode support for CN of certs

[forth]

something tells me they wont be adding unicode support for CN of certs

Why not? I think this is not so difficult.

[krzee]

Why not? I think this is not so difficult.

then why submit a ticket? just make the patch and use it

[forth]

I submitted bug.

[krzee]

its not a bug, it is a feature request

[forth]

I think it's a bug. Unicode symbols in x509 documented and standartized. So any software, which based on x509 pki must properly working with unicode fields.

[krzee]

the program not doing what you hoped it would is not a bug... this is a feature request

[dazo]

I tend to agree to both of you guys ... but that's basically an irrelevant discussion.

What would be a better approach is to write a patch and send it to the openvpn-devel mailing list for review. If accepted, case closed in the following release. The other option is to wait long enough for some developers having time to fix it. But to be honest, this is a minor issue so it won't get too much attention at the moment.

So if you're impatient - send a patch!

[forth]

I just read the source code, so I try to write a patch. If I can ..
All, thanks for answers

[dazo]

Just an update.

OpenVPN 2.3-alpha1 should contain a fix for UTF-8 characters in the X.509 certificates.

See this commit for more info:
http://openvpn.git.sourceforge.net/git/ ... 414cd78a4f