OpenVPN Connect iOS 1.0.5 broken: Cert verify fails

sophitus
OpenVpn Newbie
Posts: 7
Joined: Mon Jun 02, 2014 9:32 am

Post by sophitus » Tue Sep 16, 2014 8:06 pm

I cannot login anymore using my iOS devices with version 1.0.5.
Server Certificate verification fails with new PolarSSL version!

Same problem applies to current Android version.

However everything works fine with versions that use previous PolarSSL version.

I can also connect with TunnelBlick without any problems.

I use ovpn files with inline certs and keys.

Will there be a fix?

Flubber
OpenVpn Newbie
Posts: 7
Joined: Wed Sep 17, 2014 9:49 am

Post by Flubber » Wed Sep 17, 2014 9:51 am

Hi, same problem. I resolved it by re-importing through iTunes, in one folder: ca.crt, crl.pem and the .ovpn file.
Now all works great.

Post by sophitus » Thu Sep 18, 2014 7:57 pm

Did you leave the other certs inline in ovpn file?

Anyway it is a blocker bug and the devs just ignore it. They upgraded PolarSSL quite some time ago on Android and did nothing to fix it....

Post by Flubber » Fri Sep 19, 2014 7:36 am

I deleted all and added all again.

But now there is another problem: on my iPad Air Wi-Fi with iOS 8, the VPN randomly disconnects!! It's unacceptable!

Maybe a notification from the app when it disconnects will be more acceptable!

Rider
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 19, 2014 4:09 am

Post by Rider » Fri Sep 19, 2014 6:26 pm

Flubber wrote:I deleted all and added all again.

But now there is another problem: on my iPad Air Wi-Fi with iOS 8, the VPN randomly disconnects!! It's unacceptable!

Maybe a notification from the app when it disconnects will be more acceptable!

Yes, it is an iOS8 bug. Indeed unacceptable.

Post by sophitus » Sat Sep 20, 2014 6:44 pm

Even when I remove inline certs and keys and provide them as external files I get cert fails with version 1.0.5 but with 1.0.4 both profiles work with no problems.

Why is there no dev replying?

You should revert to the previous SSL library or fix the issues with the current one.

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Post by jamesyonan » Sun Sep 21, 2014 1:49 am

What is the actual error message you are seeing?

Can you provide more details, such as a cert chain that succeeds with 1.0.4 but fails with 1.0.5?

James

Post by sophitus » Sun Sep 21, 2014 8:28 am

jamesyonan wrote:What is the actual error message you are seeing?

Can you provide more details, such as a cert chain that succeeds with 1.0.4 but fails with 1.0.5?

James

Here is the log:

2014-09-21 10:06:01 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2014-09-21 10:06:01 UNUSED OPTIONS
6 [resolv-retry] [infinite] 
7 [nobind] 
8 [persist-key] 
9 [persist-tun] 
13 [verb] [3] 

2014-09-21 10:06:01 LZO-ASYM init swap=0 asym=0
2014-09-21 10:06:01 EVENT: RESOLVE
2014-09-21 10:06:03 Contacting xx.xx.xx.xx:1194 via UDP
2014-09-21 10:06:03 EVENT: WAIT
2014-09-21 10:06:03 SetTunnelSocket returned 0
2014-09-21 10:06:03 Connecting to yy.yy.yy:1194 (xx.xx.xx.xx) via UDPv4
2014-09-21 10:06:04 EVENT: CONNECTING
2014-09-21 10:06:04 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2014-09-21 10:06:04 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2014-09-21 10:06:17 VERIFY FAIL CERT_NOT_TRUSTED : depth=0
cert. version    : 3
serial number    : 53:B3:00:5B
issuer name      : CN=xxx
subject name      : CN=xx.xx.xx
issued  on        : 2014-07-01 18:43:58
expires on        : 2047-07-01 18:43:58
signed using      : RSA with SHA-512
RSA key size      : 4096 bits
subject alt name  : yy.yy.yy
cert. type        : SSL Server

2014-09-21 10:06:17 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2014-09-21 10:06:17 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2014-09-21 10:06:17 EVENT: DISCONNECTED
2014-09-21 10:06:17 Raw stats on disconnect:
  BYTES_IN : 3808
  BYTES_OUT : 1968
  PACKETS_IN : 28
  PACKETS_OUT : 33
  SSL_ERROR : 1
  CERT_VERIFY_FAIL : 1
2014-09-21 10:06:17 Performance stats on disconnect:
  CPU usage (microseconds): 31227
  Network bytes per CPU second: 184968
  Tunnel bytes per CPU second: 0
2014-09-21 10:06:17 EVENT: DISCONNECT_PENDING
2014-09-21 10:06:17 ----- OpenVPN Stop -----

Post by jamesyonan » Sun Sep 21, 2014 8:36 pm

I wouldn't be able to diagnose an issue like this unless I have the actual certs that are failing to verify.

This includes the server-side certs ("ca" and "cert" directives in server-side OpenVPN config file) and "ca" directive in client-side OpenVPN config.

James

Post by jamesyonan » Sun Sep 21, 2014 11:51 pm

I would also point out that while certs are generally safe to post publicly, feel free to PM me or email them to ios@openvpn.net.

James

Post by sophitus » Mon Sep 22, 2014 9:34 pm

jamesyonan wrote:I would also point out that while certs are generally safe to post publicly, feel free to PM me or email them to ios@openvpn.net.

James

I just sent the requested certs to ios@openvpn.net.

Thanks for analyzing the issue....

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Post by 300000 » Tue Sep 23, 2014 1:06 am

OpenVPN Connect works perfectly and there is nothing wrong with iOS 8; it is just because something is wrong in your conf that it does not connect as it should. I set up a test server so you can try my server to see if it can connect or not.

The server runs on an HTC ChaCha Android phone, so it has nothing on it; it is just there to let you people connect to test.

Just copy this text, paste it into a new test OpenVPN config, email it to your mailbox and try it.

remote www.thuctap.co.uk 900
tls-cipher   TLS-DHE-RSA-WITH-AES-256-CBC-SHA
client
mute-replay-warnings
dev tun
proto tcp-client
ns-cert-type  server
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
pull
comp-noadapt 
comp-lzo yes
resolv-retry infinite
nobind 
key-direction 1
cipher BF-CBC # CBC 
persist-key
persist-tun
mute-replay-warnings
verb 3
script-security 3
reneg-sec 5900
auth SHA1
tcp-queue-limit 295536
bcast-buffers 295536
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>


jmacres
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 23, 2014 3:37 pm

Post by jmacres » Tue Sep 23, 2014 3:40 pm

I'm getting the same errors described in this thread.

I did try re-installing the app and the related files via iTunes. Same error.

iOS 8 and OpenVPN 1.0.5

Any updates from the OpenVPN development community on this?

SSL Read Error X509.

Is there any easy way to revert back to 1.04?

Jason

Post by sophitus » Wed Sep 24, 2014 10:06 pm

Solved....

I got a hint from OpenVPN support that my CA cert was missing the "CA basic constraints". I added that constraint to my CA certificate and OpenVPN Connect V1.0.5 accepted my CA certificate.

Somehow the new PolarSSL library used in OpenVPN Connect 1.0.5 all of a sudden requires this "CA basic constraint" to be set in the CA certificate, whereas other OpenVPN clients do not require that, and even the 1.0.4 version of OpenVPN Connect did not.
Nice backward compatibility for a 1.0.4 -> 1.0.5 update ;) ... a note in the changelog would have been nice too.

Post by jamesyonan » Thu Sep 25, 2014 9:10 pm

sophitus wrote:Somehow the new PolarSSL library used in OpenVPN connect 1.0.5 all of a sudden requires this "CA basic constraint" to be set in the CA certificate

I think PolarSSL is doing the right thing because the standard very clearly requires this. Take a look at section 4.2.1.9 of the X.509 standards document, http://tools.ietf.org/html/rfc5280#section-4.2.1.9:

"Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates."

criggie
OpenVpn Newbie
Posts: 1
Joined: Tue Dec 09, 2014 4:24 am

Post by criggie » Tue Dec 09, 2014 4:24 am

sophitus wrote:Solved....
I got a hint from OpenVPN support that my CA cert was missing the "CA basic constraints". I added that constraint to my CA certificate and OpenVPN Connect V1.0.5 accepted my CA certificate.

Good work! Exactly how did you do that?
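
One way to check a CA certificate for the basicConstraints extension and to re-issue it from the same key with `critical,CA:TRUE`, using the openssl CLI. This is an added example, not part of any post in this thread; the CN, file names, key size and lifetimes are constructed placeholders.

```shell
# Added example: CN, file names, key size and lifetimes are constructed.

# Print how a certificate declares basicConstraints:
# "missing", "CA:TRUE", "CA:TRUE critical", "CA:FALSE" or "CA:FALSE critical".
bc_status() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    ext=$(printf '%s\n' "$text" |
          awk '/X509v3 Basic Constraints/ { print; getline; print }')
    [ -n "$ext" ] || { echo "missing"; return 0; }
    case "$ext" in *CA:TRUE*) ca="CA:TRUE" ;; *) ca="CA:FALSE" ;; esac
    case "$ext" in *critical*) echo "$ca critical" ;; *) echo "$ca" ;; esac
}

# Build two self-signed CA certificates from ONE key in directory $1:
# ca_old.crt has no basicConstraints, ca_new.crt has critical,CA:TRUE.
make_cas() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example VPN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null || return 1
    # No -extensions and no x509_extensions in ca.cnf: nothing marks it as a CA.
    openssl req -x509 -new -sha256 -key "$d/ca.key" -config "$d/ca.cnf" \
        -days 3650 -out "$d/ca_old.crt" || return 1
    # Re-issue from the same key, this time applying the v3_ca section.
    openssl req -x509 -new -sha256 -key "$d/ca.key" -config "$d/ca.cnf" \
        -extensions v3_ca -days 3650 -out "$d/ca_new.crt"
}

# True when two certificates carry the same public key.
same_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

demo() {
    tmp=$(mktemp -d) && make_cas "$tmp" || return 1
    echo "old: $(bc_status "$tmp/ca_old.crt")  new: $(bc_status "$tmp/ca_new.crt")"
    rm -rf "$tmp"
}
demo
```

Because the key and subject are unchanged, certificates already issued under the old CA still chain to `ca_new.crt`, unless they carry an authorityKeyIdentifier that pins the old issuer serial. The re-issued CA certificate then has to replace the old one in each client's `ca` directive or inline `<ca>` block.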

solava
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 02, 2015 10:29 am

Post by solava » Fri Jan 02, 2015 10:43 am

I cannot login anymore using my iOS devices with version 1.0.5.
Server Certificate verification fails with new PolarSSL version!

solava

Post by solava » Fri Jan 23, 2015 11:06 am

I'm getting the same errors described in this thread.

I did try re-installing the app and the related files via iTunes. Same error.

iOS 7.12 and OpenVPN 1.0.5

Any updates from the OpenVPN development community on this?

SSL Read Error X509.

Is there any easy way to revert back to 1.04?
