Terry L. Inzauro wrote:
Nik wrote:
Erich Titl wrote:
here is more info
if I enter the complete subject line in the config file
tls-remote "/C=CH/L=Schlieren/O=Ruf Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx"
the following error occurs
Tue Apr 05 15:27:51 2005 VERIFY OK: depth=1, /C=CH/L=Schlieren/O=Ruf_Telematik/OU=ASP/CN=AspCA/emailAddress=ca@xxxxxxxxxx
Tue Apr 05 15:27:51 2005 VERIFY X509NAME ERROR: /C=CH/L=Schlieren/O=Ruf_Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx, must be /C=CH/L=Schlieren/O=Ruf Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx
I came across this as well. Something (openvpn, openssl, etc) changes
spaces in the X509 name into underscores for the purposes of this
comparison.
If you look at the error message, you will see that openvpn is trying
to compare "...Ruf_telematik..." to "...Ruf Telematik..." (and failing).
So the value you enter for the tls-remote parameter must have all
spaces changed to underscores.
James said he had added some notes on this to the documentation. I
didn't actually check what was added, because I had already fixed my
config files.
Using
tls-remote "openvpn@xxxxxxxxxxxxxxx"
appears OK
What exactly is the X509 name, the entire subject line does not
appear to be right
My understanding is that the X509 name is the entire "subject" such as:
C=xyz/L=abc/O=123/Cn=456/...
The documentation of the tls-remote options says:
"Accept connections only from a host with X509 name or common name
equal to name."
If I understand it correctly, the X509 name is the entire string, and
the common name is the value of the CN= part of the X509 name.
The man entry goes on to say: "Name can also be a common name prefix
[...]".
So, in your example above, "openvpn@xxxxxxxxxxxxxxx" is being
successfully matched as a common name prefix. I.e., the string matches
the beginning of the CN= part of the X509 name of the certificate.
Hope this helps
Cheers!
Nik.
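The matching rule Nik describes, as an added Python example (not OpenVPN's own code): the certificate subject is normalized by rewriting spaces to underscores, and the configured tls-remote value is then compared as-is, either against the whole normalized name or as a prefix of the CN. The e-mail addresses in the constructed subject are placeholders; real OpenVPN also rewrites other disallowed characters to underscores, which this example does not model.

```python
from typing import Optional

# Added example, not OpenVPN's own code. Assumption: only spaces are
# rewritten to underscores (OpenVPN sanitizes other characters the same way).


def normalize_x509_name(subject: str) -> str:
    """Rewrite the certificate subject the way OpenVPN does before comparing."""
    return subject.replace(" ", "_")


def common_name(subject: str) -> Optional[str]:
    """Return the value of the CN= RDN of a /K=V/K=V subject, or None."""
    for rdn in subject.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key == "CN":
            return value
    return None


def tls_remote_matches(tls_remote: str, subject: str) -> bool:
    """True if tls_remote equals the whole normalized X509 name, or is a
    prefix of its common name. The configured value is NOT normalized,
    which is why a tls-remote containing a space can never match."""
    name = normalize_x509_name(subject)
    if tls_remote == name:
        return True
    cn = common_name(name)
    return cn is not None and cn.startswith(tls_remote)


# Constructed subject modelled on Erich's certificate (domains are placeholders).
ERICH_SUBJECT = ("/C=CH/L=Schlieren/O=Ruf Telematik"
                 "/CN=openvpn@example.test/emailAddress=openvpn@example.test")
# Terry's server certificate subject, as shown in his later log line.
TERRY_SUBJECT = ("/C=US/ST=Nebraska/O=HA_Solutions/OU=unixsystems"
                 "/CN=ovpn01.oma.ha-solutions.net")

if __name__ == "__main__":
    for value in ("/C=CH/L=Schlieren/O=Ruf Telematik/CN=openvpn@example.test"
                  "/emailAddress=openvpn@example.test",
                  "/C=CH/L=Schlieren/O=Ruf_Telematik/CN=openvpn@example.test"
                  "/emailAddress=openvpn@example.test",
                  "openvpn@example.test", "openvpn"):
        print(f"{value!r}: {tls_remote_matches(value, ERICH_SUBJECT)}")
    # Terry's mistake: the value must be the CN itself, not "CN=..."
    print(tls_remote_matches("CN=ovpn01.oma.ha-solutions.net", TERRY_SUBJECT))
    print(tls_remote_matches("ovpn01.oma.ha-solutions.net", TERRY_SUBJECT))
```

Note how short a prefix still matches: a value like "openvpn" accepts any certificate from the CA whose CN starts with it, so pin the full CN (or the whole name) when the intent is to accept exactly one server.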
good afternoon all.
i "THINK" i'm having the same issue. so for my sanity's sake,
"openvpn@xxxxxxxxxxxxxxx" is the CN prefix of the openvpn server
certificate or the CN prefix of the CA certificate prefix?
...my log snip from client
Thu Apr 7 16:09:22 2005 TLS: Initial packet from 12.108.217.23:2000, sid=b140c5d9 209aa748
Thu Apr 7 16:09:23 2005 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=Nebraska/L=Omaha/O=HA_Solutions/OU=HAS_Root_CA/CN=sylvia.ha-solutions.net/emailAddress=support@xxxxxxxxxxxxxxxx
Thu Apr 7 16:09:23 2005 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Apr 7 16:09:23 2005 TLS Error: TLS object -> incoming plaintext read error
..end snip
regards,
Terry
ok all. i've answered my a near death experience for my dog(poor little guy).
first off, i had copied the wrong CA cert to the client. that explains the "VERIFY ERROR: depth=1, error=self signed " from above. once that was resolved. i got the following:
VERIFY X509NAME ERROR: /C=US/ST=Nebraska/O=HA_Solutions/OU=unixsystems/CN=ovpn01.oma.ha-solutions.net, must be CN=ovpn01.oma.ha-solutions.net
this was due to an incorrect "tls-remote" option. once i fixed it with the CN prefix, it lit up like a s&^*t house in the fog.
hope this helps future folks.
_Terry
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users