Problem with CN in unicode.

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Problem with CN in unicode.

Post by forth » Tue Oct 19, 2010 7:23 am

Hi all. First, thanks to the developers for a good and free VPN solution. :)
I have a problem with the openvpn daemon. The CN attribute in the clients' certificates is first name + last name given in Russian with Unicode encoding. OpenVPN treats them all as "___________________", and writes the CN in this form to ipp.txt and openvpn.log. So, when a client with a CN whose length is equal to that of another connected client tries to connect, OpenVPN treats these as equal CNs and drops the other connection.
Is this a bug?
I think that the duplicate-cn option in openvpn.conf is not good, and I do not want to regenerate certificates with a Latin translation of the CNs.

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Thu Oct 21, 2010 2:50 am

you really should re-generate your certs with better common-names (better in the eyes of openvpn). With that said, here you go:
OpenVPN manual wrote:
--no-name-remapping
Allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return.

By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509 Subject string as returned by the tls_id environmental variable, can additionally contain colon (':') or equal ('=').

While name remapping is performed for security reasons to reduce the possibility of introducing string expansion security vulnerabilities in user-defined authentication scripts, this option is provided for those cases where it is desirable to disable the remapping feature. Don't use this option unless you know what you are doing!
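The remapping rule quoted above, and the collision it causes between non-ASCII CNs, modelled as an added example (not part of the original posts and not OpenVPN's own code). It assumes names are handled as UTF-8 bytes and that "printable" under --no-name-remapping means printable ASCII, as reported later in this thread; `remap_name`, `find_collisions` and the sample CNs are constructed for illustration.

```python
import string
from collections import defaultdict

# Characters the manual says survive default remapping.
DEFAULT_OK = set((string.ascii_letters + string.digits + "_-./").encode("ascii"))
# Assumption: with --no-name-remapping, "printable" means printable ASCII
# (0x20-0x7e), which matches the behaviour reported later in this thread.
PRINTABLE_OK = set(range(0x20, 0x7F))


def remap_name(name, no_name_remapping=False):
    """Model of the remapping: every byte outside the allowed set becomes '_'.

    Assumption: the name is handled as UTF-8 bytes, so one Cyrillic
    letter (two bytes) turns into two underscores.
    """
    allowed = PRINTABLE_OK if no_name_remapping else DEFAULT_OK
    raw = name.encode("utf-8")
    return "".join(chr(b) if b in allowed else "_" for b in raw)


def find_collisions(common_names, no_name_remapping=False):
    """Group distinct CNs that become identical after remapping."""
    groups = defaultdict(list)
    for cn in common_names:
        groups[remap_name(cn, no_name_remapping)].append(cn)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample CNs, not taken from the thread.
SAMPLE_CNS = ["Иван Петров", "Олег Котова", "Анна Ким", "vpn-gw.example.org"]

if __name__ == "__main__":
    for flag in (False, True):
        print("no-name-remapping" if flag else "default")
        for remapped, names in find_collisions(SAMPLE_CNS, flag).items():
            print(f"  {remapped!r} <- {names}")
```

Running `find_collisions` over the CN list exported from a CA shows which certificates the server would treat as the same client before they are deployed.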

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Thu Oct 21, 2010 7:17 pm

Thanks for the answer.
What does "any printable" mean? Does it include Unicode character sets?

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Thu Oct 21, 2010 8:02 pm

honestly im not sure...
if you like you can use that option and let us know based on trial/error.
if you need, i will forward this thread to some developers and see if they can be more helpful

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Thu Oct 28, 2010 12:24 pm

no-name-remapping isn't solving the problem. Yes, it disables remapping, but only for space in CN.
All Unicode symbols are replaced by underscores. :(

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Tue Nov 02, 2010 8:35 am

forth wrote: no-name-remapping isn't solving the problem. Yes, it disables remapping, but only for space in CN.
All Unicode symbols are replaced by underscores. :(
then there ya go... you cant use unicode in your certs... time to make more ;)

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Tue Nov 02, 2010 9:10 am

This is sad. I have a Red Hat directory server, with 500+ already generated certs. :(
How can I create a bug report/feature request to the OpenVPN developers?

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Wed Nov 03, 2010 4:31 am

forth wrote: How can I create a bug report/feature request to the OpenVPN developers?
community.openvpn.net trac, same login and password that you use here

you can script the re-generating of your certs, something tells me they wont be adding unicode support for CN of certs

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Wed Nov 03, 2010 7:32 am

something tells me they wont be adding unicode support for CN of certs
Why not? I think this is not so difficult.

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Wed Nov 03, 2010 7:42 am

forth wrote: Why not? I think this is not so difficult.
then why submit a ticket? just make the patch and use it :D

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Wed Nov 03, 2010 8:12 am

I submitted a bug. :)

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Wed Nov 03, 2010 8:14 am

its not a bug, it is a feature request

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Wed Nov 03, 2010 8:35 am

I think it's a bug. Unicode symbols in X.509 are documented and standardized. So any software which is based on X.509 PKI must work properly with Unicode fields.

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Problem with CN in unicode.

Post by krzee » Wed Nov 03, 2010 8:43 am

the program not doing what you hoped it would is not a bug... this is a feature request

dazo
OpenVPN Inc.
Posts: 148
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Problem with CN in unicode.

Post by dazo » Wed Nov 03, 2010 6:10 pm

I tend to agree to both of you guys ... but that's basically an irrelevant discussion.

What would be a better approach is to write a patch and send it to the openvpn-devel mailing list for review. If accepted, case closed in the following release. The other option is to wait long enough for some developers having time to fix it. But to be honest, this is a minor issue so it won't get too much attention at the moment.

So if you're impatient - send a patch!

forth
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 19, 2010 7:13 am

Re: Problem with CN in unicode.

Post by forth » Thu Nov 04, 2010 6:08 am

I just read the source code, so I will try to write a patch. If I can .. :?
All, thanks for the answers :)

dazo
OpenVPN Inc.
Posts: 148
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Problem with CN in unicode.

Post by dazo » Thu Mar 22, 2012 12:21 pm

Just an update.

OpenVPN 2.3-alpha1 should contain a fix for UTF-8 characters in the X.509 certificates.

See this commit for more info:
http://openvpn.git.sourceforge.net/git/ ... 414cd78a4f
