LEDE Project

  • Status Closed
  • Percent Complete
    100%
  • Task Type Bug Report
  • Category Packages
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Votes 1
  • Private
Attached to Project: LEDE Project
Opened by duvi - 18.01.2017
Last edited by Felix Fietkau - 22.01.2017

FS#405 - openvpn-mbedtls can not verify certificate

On the same configuration, same system, same certificates, openvpn-mbedtls can not verify the certificate, but openvpn-openssl is working ok.

Notice the “??=vma”, how openvpn-mbedtls doesn’t recognize the “name” field in the certificate. Maybe that is the problem.

I have the same suboptions enabled in “make menuconfig” in both cases.

openvpn-mbedtls:

Fri Jan 13 23:05:58 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jan 13 23:05:58 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 13 23:05:58 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=75e238e0 c51819f1
Fri Jan 13 23:05:58 2017 VERIFY ERROR: depth=0, subject=C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, ??=vma, emailAddress=myemail@mydomain.hu: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Fri Jan 13 23:05:58 2017 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Fri Jan 13 23:05:58 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 13 23:05:58 2017 TLS Error: TLS handshake failed
Fri Jan 13 23:05:58 2017 SIGUSR1[soft,tls-error] received, process restarting

openvpn-openssl:

Tue Jan 17 09:36:06 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Jan 17 09:36:06 2017 UDP link local (bound): [AF_INET][undef]:1194
Tue Jan 17 09:36:06 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=3fc0a62c be2ce0f4
Tue Jan 17 09:36:06 2017 VERIFY OK: depth=1, C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, name=vma, emailAddress=myemail@mydomain.hu
Tue Jan 17 09:36:06 2017 Validating certificate key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has key usage  00a0, expects 00a0
Tue Jan 17 09:36:06 2017 VERIFY KU OK
Tue Jan 17 09:36:06 2017 Validating certificate extended key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 17 09:36:06 2017 VERIFY EKU OK
Closed by  Felix Fietkau
22.01.2017 09:45
Reason for closing:  Not a bug
Project Manager
Felix Fietkau commented on 20.01.2017 10:42

It looks like the problem is this:
"The certificate is signed with an unacceptable key (eg bad curve, RSA too short)."

Are you still using an RSA-1024 certificate? mbedtls refuses those for security reasons

duvi commented on 22.01.2017 01:13

Thanks for the tip, I regeneretad the certificates with RSA 2048, and it's working ok now.
I just wonder, why openssl still accepts it.
Anyway, we can close this.

Adrián Panella commented on 04.04.2017 05:13

Hi, I'm having the same issue after switching from openssl to mbedtls.
I regenerated certificates with 2048length, and now the CA cert is ok, but now I get get a validation error on the client cert:
"The certificate is signed with an unacceptable hash."

On the client side (running an openssl version) the server certificate is successfully validated

Any ideas on what can be happening?

Adrián Panella commented on 06.04.2017 06:30

Just to share the solution that worked for me to switch to mbedtls:

+ change to RSA 2048
+ change certificate digest from MD5 to SHA256 (use option "default_md = sha256").

The default digest used by easy-rsa key generation scripts was "md5", and it was rejected by mbedtls.

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing