PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Jun 09, 2016 10:47 am
PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
We get this error when trying to connect with our VPN SSL. It works properly on Windows clients.
It happens on iOS clients (OpenVPN 1.07 build:199) and Android clients (OpenVPN Connect 1.1.17 build:76).
We tried changing settings in different combinations ("Force AES-CBC ciphersuites" and "TLS"), with the same results.
Any idea?
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
"PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]"
The date tag or value is invalid ..
1. How did you create your certificate ?
2. Is this in the server or client log ?
3. Please post the complete, relevant log.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Jun 09, 2016 10:47 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
We create the certificate with our firewall (Cyberoam); the log is from the application (OpenVPN on iOS):
2016-06-09 11:15:54 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-06-09 11:15:54 Frame=512/2048/512 mssfix-ctrl=1250
2016-06-09 11:15:54 EVENT: CORE_ERROR PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
2016-06-09 11:15:54 Raw stats on disconnect:
2016-06-09 11:15:54 Performance stats on disconnect:
CPU usage (microseconds): 5878
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
"PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]"
I believe this issue is occurring because of incorrectly formatted certificates.
The issue was discussed at length on the mbedTLS/PolarSSL forums:
https://github.com/ARMmbed/mbedtls/issues/499
I have personally viewed some of the certificates emailed to OpenVPN Tech. exhibiting this issue, and I can confirm that in all cases that trigger this error, the seconds field in the date (mandated by the X509 spec in RFC 5280) is omitted.
I've put together a simple Python script that will flag certs that use invalid dates, so you can confirm if your certs are affected:
https://gist.github.com/jamesyonan/90b8 ... be66d3c6a6
You can run this script on an individual cert or on the whole OpenVPN profile/config (if the profile uses inline certs).
James
-
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Jun 01, 2016 2:59 pm
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
I have run the script on my Witopia ovpn file and it reveals a 'missing seconds' error in one of the certs. I've informed Witopia who are looking into it.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Jun 10, 2016 9:09 pm
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.
Still seeing the "OpenVPN error : PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid" error on the app.
Code:
[18:52:21] drewhammond:sophos-sslvpn-checker $ ./checkcert.py cert.ovpn
Certificate #1
151106023945Z : correct date length per RFC 5280
361231023945Z : correct date length per RFC 5280
Certificate #2
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
dhammond wrote:I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.
But "Certificate #2" doesn't show any date info. If you can email your profile and certs (with private keys removed) to ios@openvpn.net, we can take a look at it.
James
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
dhammond wrote:I've run the script on my ovpn file generated by Sophos XG210 (SFOS 15.01.0 MR-3) and it passes the checks.
Still seeing the "OpenVPN error : PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid" error on the app.
Code:
[18:52:21] drewhammond:sophos-sslvpn-checker $ ./checkcert.py cert.ovpn
Certificate #1
151106023945Z : correct date length per RFC 5280
361231023945Z : correct date length per RFC 5280
Certificate #2
I updated the cert validation script to check for certs that don't use GMT (Zulu) time as RFC 5280 requires. Running the script now on a Sophos-generated cert, you can see that it's using a time differential (i.e. the "+0000") which the RFC explicitly forbids. The RFC wants "Zulu" time where the date ends in 'Z':
"For the purposes of this profile, UTCTime values MUST be expressed in Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are YYMMDDHHMMSSZ), even where the number of seconds is zero."
So I'd have to say that mbedTLS/PolarSSL is properly following the standard here.
Output on Sophos cert from updated cert checker:
Code:
$ python ~/scripts/certdate.py UserCertificate.pem
=== UserCertificate.pem ===
Certificate #1
150630000000+0000 : invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format
361231120000+0000 : invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format
https://gist.github.com/jamesyonan/90b8 ... be66d3c6a6
More details about validity date requirements in RFC 5280:
https://tools.ietf.org/html/rfc5280#section-4.1.2.5
James
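The two checks discussed in the posts above (seconds present, trailing 'Z'), written out as an added example; this is not the script from the gist linked in the thread. It walks the DER of each inline PEM certificate for UTCTime values and, going one step beyond the thread, GeneralizedTime values; the function names and the sample profile (DER fragments built around date strings quoted in the thread, plus one constructed missing-seconds value) are assumptions.

```python
import base64
import re

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18
EXPECTED_DIGITS = {UTC_TIME: 12, GENERALIZED_TIME: 14}  # RFC 5280 4.1.2.5: digits before "Z"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def walk_times(der):
    """Yield (tag, value) for each time value; assumes single-byte DER tags."""
    pos = 0
    while pos < len(der):
        tag, length = der[pos:pos + 2]  # ValueError if the header is truncated
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        body = der[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated DER value")
        pos += length
        if tag in EXPECTED_DIGITS:
            yield tag, body
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [0] ...): descend
            yield from walk_times(body)

def verdict(tag, value):
    n = EXPECTED_DIGITS[tag]
    if re.fullmatch(rb"\d{%d}Z" % n, value):
        return "ok"
    if re.fullmatch(rb"\d{%d}Z" % (n - 2), value):
        return "missing seconds"
    return "malformed" if value.endswith(b"Z") else "not Zulu"

def check_profile(text):
    """Return (cert_number, date, verdict) for every date in each inline PEM cert."""
    return [(num, value.decode("ascii", "replace"), verdict(tag, value))
            for num, m in enumerate(PEM_RE.finditer(text), 1)
            for tag, value in walk_times(base64.b64decode(m.group(1)))]

def _pem(*dates):  # constructed DER fragment: only a Validity SEQUENCE, not a real cert
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    der = tlv(0x30, tlv(0x30, b"".join(tlv(UTC_TIME, d) for d in dates)))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_PROFILE = ("<ca>\n" + _pem(b"151106023945Z", b"361231023945Z") + "</ca>\n"
                  "<cert>\n" + _pem(b"150630000000+0000", b"3612311200Z") + "</cert>\n")

for row in check_profile(SAMPLE_PROFILE):
    print("Certificate #%d  %s : %s" % row)
```

Passing the text of a real profile or PEM file to check_profile gives the same rows for your own certificates.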
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Jun 10, 2016 9:09 pm
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Thanks for the update James. Hopefully this will lead to a quick resolution at Sophos.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Jun 01, 2016 7:39 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Hello,
I've got the same problem.
With iOS Version 9.2.1 it works fine. Only with iOS 9.3.2 I have this problem. It seems to be an Apple problem!
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Jun 26, 2016 7:23 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
dhammond wrote:Thanks for the update James. Hopefully this will lead to a quick resolution at Sophos.
Yes, thank you James. I'm also having the same issue and the same result as you.
Has anyone here reported it to Cyberoam/Sophos for a fix?
Freelandr
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jun 30, 2016 12:49 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Cyberoam online support guys resolved the same situation by changing the firewall certificate configured for the SSL VPN. They used the Appliance Certificate. You have to replace the configuration in both your windows clients and android phones. It works.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Sep 08, 2016 3:45 pm
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Hi,
any update for this problem since the two months? I have checked my cert with the script, it's OK:
Certificate #1
080415095841Z : correct UTCTime date length per RFC 5280
350831095841Z : correct UTCTime date length per RFC 5280
Certificate #2
120416143118Z : correct UTCTime date length per RFC 5280
350831095831Z : correct UTCTime date length per RFC 5280
But still the same error with iPhone:
Client exception in transport_recv_excode: PolarSSL: SSL read error : X509 – The date tag or value is invalid
thanks,
Peter
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jan 05, 2017 8:37 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
tomiyalima wrote:Cyberoam online support guys resolved the same situation by changing the firewall certificate configured for the SSL VPN. They used the Appliance Certificate. You have to replace the configuration in both your windows clients and android phones. It works.
Can you please guide me, how to issue Appliance Certificate from Cyberoam firewall. I'm trying to connect my iPhone 5s with OpenVPN to Cyberoam firewall. We have already working SSL VPN client configured on windows and working fine. But when I'm downloading the configuration for MAC /iOS and transferring to OpenVPN it is showing same error
"PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid"
Ravi
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Feb 02, 2017 11:58 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Hi, has anyone found a solution so far for copper's problem:
Client exception in transport_recv_excode: PolarSSL: SSL read error : X509 – The date tag or value is invalid
What "date tag or value" is invalid?
Why does it loop (one minute, 60 seconds) until OpenVPN Connect tells
Connection timeout
???
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Feb 02, 2017 11:58 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Hi again, I've seen OpenVPN on iOS has updated to 1.1.1 last week.
It works again !!!
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Feb 02, 2017 11:58 am
Re: PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid [ERR]
Since update of OpenVPN on iOS to 1.1.1 (last week) it works again, yipeeh ...