Hello OpenVPN community!

The line below was extracted from my openvpn server log.

    Jan 8 17:44:25 myserver openvpn[28644]: a.b.178.157:22853 VERIFY ERROR: could not extract CN from X509 subject string (' ***user certificate dn here*** ') -- note that the username length is limited to 64 characters

Initially I thought the user certificate DN had more than 64 characters in the CN field, but actually the CN has *exactly* 64 ASCII characters.

Looking at ssl_verify.c and ssl_verify_openssl.c, I found that backend_x509_get_username returns FAILURE. In turn, extract_x509_field_ssl returns FAILURE as well.

At the end of extract_x509_field_ssl, I found something suspicious. Look at the line below:

    const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE;

Is the comparison between strlen ((char *)buf) and size correct? Shouldn't it be less than or equal?

I'll do some tests, e.g. changing TLS_USERNAME_LEN from 64 to 65.

PS: According to RFC 5280, the common name maximum length is 64.

Regards,
Jorge Peixoto
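The boundary case raised in the message above, as an added example that is not code from the original post or from OpenVPN. It assumes the extracted CN is copied into an output buffer of `size` bytes that is always NUL-terminated (the post shows only the comparison line); `bounded_copy`, `extract_strict`, `extract_relaxed` and `make_cn` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define TLS_USERNAME_LEN 64   /* value quoted in the post */

/* Assumed model of the copy step: at most size-1 characters plus a NUL. */
static void bounded_copy(char *out, const char *src, size_t size)
{
    if (size == 0)
        return;
    strncpy(out, src, size - 1);
    out[size - 1] = '\0';
}

/* Comparison as quoted in the post: accept only if src fits with its NUL. */
int extract_strict(char *out, const char *src, size_t size)
{
    bounded_copy(out, src, size);
    return strlen(src) < size;
}

/* The "<=" variant the post asks about. */
int extract_relaxed(char *out, const char *src, size_t size)
{
    bounded_copy(out, src, size);
    return strlen(src) <= size;
}

/* Build a constructed CN of n 'A' characters (cn must hold n+1 bytes). */
void make_cn(char *cn, size_t n)
{
    memset(cn, 'A', n);
    cn[n] = '\0';
}

int main(void)
{
    char cn[128], out[TLS_USERNAME_LEN + 1];
    make_cn(cn, 64);                       /* constructed 64-character CN */
    printf("strict,  size 64: ok=%d\n", extract_strict(out, cn, TLS_USERNAME_LEN));
    int ok = extract_relaxed(out, cn, TLS_USERNAME_LEN);
    printf("relaxed, size 64: ok=%d stored=%zu\n", ok, strlen(out));
    ok = extract_strict(out, cn, TLS_USERNAME_LEN + 1);
    printf("strict,  size 65: ok=%d stored=%zu\n", ok, strlen(out));
    return 0;
}
```

Under this assumption, relaxing the comparison to `<=` with a 64-byte buffer reports success while storing only 63 characters, so the identity used afterwards would differ from the certificate's CN. Sizing the buffer at 65 bytes keeps the strict check and stores the full 64-character name.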