Nik wrote:
Erich Titl wrote:
here is more info
if I enter the complete subject line in the config file
tls-remote "/C=CH/L=Schlieren/O=Ruf
Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx"
the following error occurs
Tue Apr 05 15:27:51 2005 VERIFY OK: depth=1,
/C=CH/L=Schlieren/O=Ruf_Telematik/OU=ASP/CN=AspCA/emailAddress=ca@xxxxxxxxxx
Tue Apr 05 15:27:51 2005 VERIFY X509NAME ERROR:
/C=CH/L=Schlieren/O=Ruf_Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx,
must be /C=CH/L=Schlieren/O=Ruf
Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx
I came across this as well. Something (openvpn, openssl, etc) changes
spaces in the X509 name into underscores for the purposes of this
comparison.
If you look at the error message, you will see that openvpn is trying to
compare "...Ruf_Telematik..." to "...Ruf Telematik..." (and failing).
So the value you enter for the tls-remote parameter must have all spaces
changed to underscores.
James said he had added some notes on this to the documentation. I
didn't actually check what was added, because I had already fixed my
config files.
Using
tls-remote "openvpn@xxxxxxxxxxxxxxx"
appears OK
What exactly is the X509 name, the entire subject line does not appear
to be right
My understanding is that the X509 name is the entire "subject" such as:
C=xyz/L=abc/O=123/CN=456/...
The documentation of the tls-remote options says:
"Accept connections only from a host with X509 name or common name equal
to name."
If I understand it correctly, the X509 name is the entire string, and
the common name is the value of the CN= part of the X509 name.
The man entry goes on to say: "Name can also be a common name prefix
[...]".
So, in your example above, "openvpn@xxxxxxxxxxxxxxx" is being
successfully matched as a common name prefix. I.e., the string matches the
beginning of the CN= part of the X509 name of the certificate.
Hope this helps
Cheers!
Nik.
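As an added illustration of the matching rule Nik describes above (this is not code from OpenVPN or from anyone in this thread), the script below models the tls-remote comparison on two assumptions taken from the thread: the certificate subject has its spaces turned into underscores before comparing, and the configured name is accepted either when it equals that whole normalised subject or when it is a prefix of the CN value. The subjects and the log line are the ones quoted in the thread (with the addresses masked as they are there).

```python
"""Added example, not OpenVPN's own code: models the tls-remote check
as described in this thread.  Assumed rules:
  1. spaces in the certificate subject become underscores before comparison;
  2. the configured name matches if it equals the whole normalised subject,
     or if it is a prefix of the subject's CN value.
"""
import re

# Constructed sample: the server certificate subject quoted in the thread.
SUBJECT_FROM_LOG = (
    "/C=CH/L=Schlieren/O=Ruf Telematik"
    "/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx"
)

# Constructed sample: the X509NAME error line from the thread, joined onto one line.
X509NAME_LOG_LINE = (
    "Tue Apr 05 15:27:51 2005 VERIFY X509NAME ERROR: "
    "/C=CH/L=Schlieren/O=Ruf_Telematik/CN=openvpn@xxxxxxxxxxxxxxx"
    "/emailAddress=openvpn@xxxxxxxxxxxxxxx, must be "
    "/C=CH/L=Schlieren/O=Ruf Telematik/CN=openvpn@xxxxxxxxxxxxxxx"
    "/emailAddress=openvpn@xxxxxxxxxxxxxxx"
)


def normalize_subject(subject: str) -> str:
    """Replace every space with '_', as the thread observes OpenVPN doing."""
    return subject.replace(" ", "_")


def parse_subject(subject: str) -> dict:
    """Split a '/K=V/K=V' one-line subject into a dict (first key wins)."""
    fields = {}
    for part in subject.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep and key not in fields:
            fields[key] = value
    return fields


def common_name(subject: str) -> str:
    """The CN= value of a subject, or '' if it has none."""
    return parse_subject(subject).get("CN", "")


def tls_remote_matches(configured: str, subject: str) -> bool:
    """True when 'tls-remote <configured>' would accept a cert with this subject."""
    if configured == "":
        return False            # an empty name would prefix-match every CN
    norm = normalize_subject(subject)
    if configured == norm:      # rule 1: whole X509 name, after normalisation
        return True
    cn = common_name(norm)      # rule 2: common-name prefix
    return cn != "" and cn.startswith(configured)


# Matches the "VERIFY X509NAME ERROR: <subject>, must be <configured>" shape
# seen in the thread; both halves are captured so they can be compared.
X509NAME_ERROR = re.compile(
    r"VERIFY X509NAME ERROR:\s*(?P<got>[^,\s]+),\s*must be\s*(?P<want>.+)$"
)


def explain_x509name_error(line: str):
    """Pull the compared subject and the configured name out of a
    VERIFY X509NAME ERROR line.  Returns None for any other line, otherwise a
    dict whose 'spaces_only' flag says the two differ only by space/underscore."""
    m = X509NAME_ERROR.search(line.strip())
    if not m:
        return None
    got, want = m.group("got"), m.group("want")
    return {
        "subject": got,
        "configured": want,
        "spaces_only": normalize_subject(want) == got,
    }


if __name__ == "__main__":
    for name in (SUBJECT_FROM_LOG, normalize_subject(SUBJECT_FROM_LOG),
                 "openvpn@xxxxxxxxxxxxxxx", "openvpn", "vpn"):
        print(f"tls-remote {name!r}: {tls_remote_matches(name, SUBJECT_FROM_LOG)}")
    print(explain_x509name_error(X509NAME_LOG_LINE))
```

Running it reproduces the thread's outcome: the subject with a literal space fails, the same subject with an underscore passes, and the bare "openvpn@..." value passes as a CN prefix. Note that a prefix is broader than an exact name: "openvpn" alone would also accept any certificate whose CN begins with that string, so a full CN (or the whole normalised subject) is the tighter check.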
Good afternoon all.
I "THINK" I'm having the same issue. So, for my sanity's sake, is "openvpn@xxxxxxxxxxxxxxx" the CN prefix of the OpenVPN server certificate or the CN prefix of the CA certificate?
...my log snip from client
Thu Apr 7 16:09:22 2005 TLS: Initial packet from 12.108.217.23:2000, sid=b140c5d9 209aa748
Thu Apr 7 16:09:23 2005 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=Nebraska/L=Omaha/O=HA_Solutions/OU=HAS_Root_CA/CN=sylvia.ha-solutions.net/emailAddress=support@xxxxxxxxxxxxxxxx
Thu Apr 7 16:09:23 2005 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Apr 7 16:09:23 2005 TLS Error: TLS object -> incoming plaintext read error
..end snip
regards,
Terry
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users