This forum is for admins who are looking to build or expand their OpenVPN setup.
Moderators: TinCanTech
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Tue Oct 19, 2010 7:23 am
Hi all. First, thanks to the developers for a good and free VPN solution.
I have a problem with the OpenVPN daemon. The CN attribute in the client certificates is first name + last name, given in Russian with Unicode encoding. OpenVPN treats them all as "___________________", and writes the CN in this form to ipp.txt and openvpn.log. So, when a client with a CN whose length is equal to that of another connected client tries to connect, OpenVPN treats these as equal CNs and drops the other connection.
Is this a bug?
I think that the duplicate-cn option in openvpn.conf is not good, and I do not want to regenerate the certificates with a Latin translation of the CNs.
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Thu Oct 21, 2010 2:50 am
you really should re-generate your certs with better common-names (better in the eyes of openvpn). With that said, here you go:
OpenVPN manual wrote:
--no-name-remapping
Allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return.
By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509 Subject string as returned by the tls_id environmental variable, can additionally contain colon (':') or equal ('=').
While name remapping is performed for security reasons to reduce the possibility of introducing string expansion security vulnerabilities in user-defined authentication scripts, this option is provided for those cases where it is desirable to disable the remapping feature. Don't use this option unless you know what you are doing!
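The collision reported in the first post follows directly from the default remapping rule quoted above. The sketch below is an added example, not part of any post and not OpenVPN's source code: `remap_name` and `cn_collides` are hypothetical helpers, the CNs are constructed samples, and byte-at-a-time handling of UTF-8 input is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Remap rule as quoted from the manual: keep ASCII alphanumerics, '_', '-',
 * '.', '/'; replace everything else with '_'.
 * Assumption: input is handled one byte at a time, so each byte of a
 * multi-byte UTF-8 character becomes its own underscore. */
static void remap_name(const char *in, char *out, size_t outlen)
{
    size_t i = 0;
    if (outlen == 0)
        return;
    for (; in[i] != '\0' && i + 1 < outlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int keep = (c < 0x80 && isalnum(c)) || c == '_' || c == '-' ||
                   c == '.' || c == '/';
        out[i] = keep ? (char)c : '_';
    }
    out[i] = '\0';
}

/* 1 when two different CNs are indistinguishable after remapping. */
static int cn_collides(const char *a, const char *b)
{
    char ra[256], rb[256];
    remap_name(a, ra, sizeof ra);
    remap_name(b, rb, sizeof rb);
    return strcmp(a, b) != 0 && strcmp(ra, rb) == 0;
}

/* Constructed sample CNs in UTF-8 (hypothetical names, not from the thread):
 * "Иван Петров" and "Олег Козлов", 21 bytes each. */
static const char CN_A[] = "\xD0\x98\xD0\xB2\xD0\xB0\xD0\xBD "
                           "\xD0\x9F\xD0\xB5\xD1\x82\xD1\x80\xD0\xBE\xD0\xB2";
static const char CN_B[] = "\xD0\x9E\xD0\xBB\xD0\xB5\xD0\xB3 "
                           "\xD0\x9A\xD0\xBE\xD0\xB7\xD0\xBB\xD0\xBE\xD0\xB2";

int main(void)
{
    char out[256];
    remap_name(CN_A, out, sizeof out);
    printf("CN_A -> %s\n", out);
    remap_name(CN_B, out, sizeof out);
    printf("CN_B -> %s\n", out);
    printf("collision: %d\n", cn_collides(CN_A, CN_B));
    remap_name("J. Doe $HOME", out, sizeof out);   /* shell-special chars */
    printf("ASCII -> %s\n", out);
    return 0;
}
```

Both Cyrillic names collapse to the same run of underscores, so a server keyed on the remapped CN cannot tell the two clients apart, while the ASCII sample shows the space and `$` being neutralised before the name reaches an authentication script.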
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Thu Oct 21, 2010 7:17 pm
Thanks for the answer.
What does "any printable" mean? Does it include Unicode character sets?
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Thu Oct 21, 2010 8:02 pm
honestly I'm not sure...
if you like you can use that option and let us know based on trial/error.
if you need, I will forward this thread to some developers and see if they can be more helpful
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Thu Oct 28, 2010 12:24 pm
no-name-remapping isn't solving the problem. Yes, it disables remapping, but only for spaces in the CN.
All Unicode symbols are replaced by underscores.
:(
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Tue Nov 02, 2010 8:35 am
forth wrote:
no-name-remapping isn't solving the problem. Yes, it disables remapping, but only for spaces in the CN.
All Unicode symbols are replaced by underscores.
:(
then there ya go... you can't use unicode in your certs... time to make more
;)
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Tue Nov 02, 2010 9:10 am
This is sad. I have a Red Hat directory server with 500+ already generated certs.
How can I create a bug report/feature request to the OpenVPN developers?
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Wed Nov 03, 2010 4:31 am
forth wrote:
How can I create a bug report/feature request to the OpenVPN developers?
community.openvpn.net trac, same login and password that you use here
you can script the re-generating of your certs, something tells me they won't be adding unicode support for CN of certs
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Wed Nov 03, 2010 7:32 am
krzee wrote:
something tells me they won't be adding unicode support for CN of certs
Why not? I think this is not so difficult.
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Wed Nov 03, 2010 7:42 am
forth wrote:
Why not? I think this is not so difficult.
then why submit a ticket? just make the patch and use it
:D
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Wed Nov 03, 2010 8:12 am
I submitted a bug.
:)
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Wed Nov 03, 2010 8:14 am
it's not a bug, it is a feature request
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Wed Nov 03, 2010 8:35 am
I think it's a bug. Unicode symbols in X.509 are documented and standardized. So any software which is based on X.509 PKI must work properly with Unicode fields.
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Wed Nov 03, 2010 8:43 am
the program not doing what you hoped it would is not a bug... this is a feature request
-
dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Post
by dazo » Wed Nov 03, 2010 6:10 pm
I tend to agree with both of you guys ... but that's basically an irrelevant discussion.
What would be a better approach is to write a patch and send it to the openvpn-devel mailing list for review. If accepted, case closed in the following release. The other option is to wait long enough for some developers to have time to fix it. But to be honest, this is a minor issue so it won't get too much attention at the moment.
So if you're impatient - send a patch!
-
forth
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Oct 19, 2010 7:13 am
Post
by forth » Thu Nov 04, 2010 6:08 am
I just read the source code, so I will try to write a patch. If I can...
All, thanks for the answers
:)
-
dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Post
by dazo » Thu Mar 22, 2012 12:21 pm
Just an update.
OpenVPN 2.3-alpha1 should contain a fix for UTF-8 characters in the X.509 certificates.
See this commit for more info:
http://openvpn.git.sourceforge.net/git/ ... 414cd78a4f