Hi,

David Sommerseth wrote:
> On 08/06/10 18:24, Martin Mokrejs wrote:
>> Hi,
>>   I had a look into the original bug report I sent and the summary is this:
>> at some version openvpn implemented a more strict check for certificate
>> values and if the check fails one yields "unsupported certificate purpose"
>> message.
> 
>>   I figured out that few more allowed values have to be included in the
>> certificate so that openVPN does not complain anymore. Basically, the patch
>> synchronizes the current openVPN behavior with the easy-rsa/ tools.
> 
>>   Is it clearer now? I attached to the bugreport at Gentoo an older version
>> of the patch to hopefully help you better with understanding what I tried.
>> What I believe should happen is that somebody documents better what requirements
>> are for the server/client certificates in openVPN. The patch(es) show what
>> fields you should describe in docs and some version of the patch be committed
>> over easy-rsa/openssl.cf as well (or loosen the checks back in openVPN 
>> sources).
>> Martin
> 
> Ahoj Martin,
> 
> Thanks a lot for your patch and your investigations!  That is very much
> appreciated!
> 
> Your issue was discussed in the last developers meeting (Thu June 3rd)
> and it is not clear to us why you experience this problem.  I believe
> Jan Just Keiser told that he had quite recently tested out easy-rsa-2.0
> and he had no issues at all.
> 
> I am also running an OpenVPN server on a Gentoo box, even though on this
> box I'm using TinyCA, so it is not directly comparable.  Anyhow, the
> X509v3 extensions are not that far away from what I do see easy-rsa-2.0
> should normally set:
> 
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Client, S/MIME, Object Signing
> 
> I do see however that you are having mentioned Netscape Cert Type in
> your bug report.
> 
> Could this be related to some trickery patches Gentoo does to OpenVPN or
> OpenSSL?  Or that it is related to the OpenSSL version?

I have no idea what is patched on Gentoo and why, but I found lots of those
"unsupported certificate purpose" reports through Google, with very few real
answers. I don't believe it is Gentoo specific.


On the client:
I use net-misc/openvpn-2.1.0-r1, I see there are two patches applying to
my systems (no IPv6 patch):
        epatch "${FILESDIR}/${PN}-2.1_rc13-peercred.patch"
        epatch "${FILESDIR}/${PN}-2.1_rc20-pkcs11.patch"
I use dev-libs/openssl-0.9.8n.

On the server:
net-misc/openvpn-2.1.0-r1
dev-libs/openssl-0.9.8n


> 
> Would you mind sharing your configuration files and information about
> the OpenSSL version you are using?

The client and server configs are attached.

Thanks,
Martin

> 
> 
> kind regards,
> 
> David Sommerseth
> 
> 
>>> Hi,
>>>
>>> We discussed your bug report in last week's public IRC meeting:
>>>
>>> <http://thread.gmane.org/gmane.network.openvpn.devel/3748>
>>>
>>> In a nutshell, we had difficulties understanding what is required to
>>> reproduce this bug. Unfortunately the discussion logs were lost so I
>>> can't be any more specific. Would you like help us understand this issue
>>> by chatting with our devs on #openvpn-de...@irc.freenode.net? Or
>>> alternatively by sending mail to openvpn-devel mailinglist:
>>>
>>> <http://sourceforge.net/mail/?group_id=48978>
>>>
>>> All the best,
>>>
>>> --
>>> Samuli Seppänen
>>> Community Manager
>>> OpenVPN Technologies, Inc
>>> irc freenode net: mattock
> 
>>> Martin Mokrejs wrote:
>>>> Hi,
>>>>   I think the easy-rsa/openssl.cnf file should be modified so that client
>>>> CERTs would match current openVPN expectations. Please see my bug report
>>>> at http://bugs.gentoo.org/show_bug.cgi?id=320171 . For convenience, I am
>>>> attaching the patch here. Did I get it right what has to be done? Would
>>>> someone fix the HOWTO and FAQ documentation to describe the keyUsage
>>>> fields and what is actually required for what? There are too many hits
>>>> in Google for "unsupported certificate purpose". ;)
> 
> 
> 
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XX.XX.XX.XX 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca keys/ca.crt

# gozer.ectoplasm.org/blog/archive/.../openvpn-verify.html
cert keys/client.crt  # broken due to bug in openssl or easy-rsa? 
key keys/client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# This will block clients from connecting to any server which lacks the
# nsCertType=server designation in its certificate, even if the certificate has
# been signed by the ca file in the OpenVPN configuration file.
# ns-cert-type server. This is to prevent "Man-in-the-Middle" attack.

#ns-cert-type server
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
# Generated by `openvpn --genkey --secret ta.key`
tls-auth keys/ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

tls-server

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp-server
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote XX.XX.XX.XX 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
;nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca keys/ca.crt
cert keys/client.crt keys/server.crt
key keys/client.key keys/server.key

dh keys/dh2048.pem

server 192.168.251.0 255.255.255.0

keepalive 10 120

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
#ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth keys/ta.key 0

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
