[FS#405] openvpn-mbedtls can not verify certificate

LEDE Bugs lede-bugs at lists.infradead.org
Wed Jan 18 02:42:13 PST 2017


A new Flyspray task has been opened.  Details are below. 

User who did this - duvi (duvi) 

Attached to Project - LEDE Project
Summary - openvpn-mbedtls can not verify certificate
Task Type - Bug Report
Category - Packages
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - On the same configuration, same system, same certificates, openvpn-mbedtls can not verify the certificate, but openvpn-openssl is working ok.

Notice the "??=vma", how openvpn-mbedtls doesn't recognize the "name" field in the certificate. Maybe that is the problem.

I have the same suboptions enabled in "make menuconfig" in both cases.

openvpn-mbedtls:
Fri Jan 13 23:05:58 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jan 13 23:05:58 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 13 23:05:58 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=75e238e0 c51819f1
Fri Jan 13 23:05:58 2017 VERIFY ERROR: depth=0, subject=C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, ??=vma, emailAddress=myemail at mydomain.hu: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Fri Jan 13 23:05:58 2017 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Fri Jan 13 23:05:58 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 13 23:05:58 2017 TLS Error: TLS handshake failed
Fri Jan 13 23:05:58 2017 SIGUSR1[soft,tls-error] received, process restarting

openvpn-openssl:
Tue Jan 17 09:36:06 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Jan 17 09:36:06 2017 UDP link local (bound): [AF_INET][undef]:1194
Tue Jan 17 09:36:06 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=3fc0a62c be2ce0f4
Tue Jan 17 09:36:06 2017 VERIFY OK: depth=1, C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, name=vma, emailAddress=myemail at mydomain.hu
Tue Jan 17 09:36:06 2017 Validating certificate key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has key usage  00a0, expects 00a0
Tue Jan 17 09:36:06 2017 VERIFY KU OK
Tue Jan 17 09:36:06 2017 Validating certificate extended key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 17 09:36:06 2017 VERIFY EKU OK


More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=405
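
Added example, not part of the original report and not code from OpenVPN or LEDE: a small Python parser that splits an OpenVPN VERIFY line into the subject attributes and the reason text the TLS library gave, so the "??" label and the stated failure reason can be looked at separately. The two sample lines are copied from the logs above; the function names parse_verify and label_differences are made up for this example.

```python
import re

# Constructed sample: the two VERIFY lines copied from the logs in the report.
SAMPLE = [
    "Fri Jan 13 23:05:58 2017 VERIFY ERROR: depth=0, subject=C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, ??=vma, emailAddress=myemail at mydomain.hu: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).",
    "Tue Jan 17 09:36:06 2017 VERIFY OK: depth=1, C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, name=vma, emailAddress=myemail at mydomain.hu",
]

# Matches "VERIFY OK:" / "VERIFY ERROR:" but not "VERIFY KU OK" or "VERIFY EKU OK".
VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+), (?:subject=)?(.*)$")


def parse_verify(line):
    """Split one VERIFY line into status, depth, subject attributes and reason."""
    m = VERIFY_RE.search(line)
    if m is None:
        return None
    status, depth, rest = m.group(1), int(m.group(2)), m.group(3)
    reason = None
    if status == "ERROR" and ": " in rest:
        # On error lines the library's reason follows the subject after ": ".
        rest, _, reason = rest.rpartition(": ")
    subject = [tuple(p.split("=", 1)) for p in rest.split(", ") if "=" in p]
    return {
        "status": status,
        "depth": depth,
        "subject": subject,
        # Attribute values whose type was printed as "??" instead of a name.
        "unnamed": [v for k, v in subject if k == "??"],
        "reason": reason,
    }


def label_differences(a, b):
    """Attributes at the same position with the same value but a different label."""
    return [(ka, kb, va)
            for (ka, va), (kb, vb) in zip(a["subject"], b["subject"])
            if ka != kb and va == vb]


if __name__ == "__main__":
    err, ok = (parse_verify(line) for line in SAMPLE)
    print(err["status"], "depth", err["depth"], "reason:", err["reason"])
    print("printed as ??:", err["unnamed"])
    print("label differences:", label_differences(err, ok))
```
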


