verify-x509-name subject data is not properly preserved in persistent configurations

[fleischie]

Hello,

I am using openvpn3 on Arch Linux installed from AUR but without DCO (was producing errors).

karl@archCarbon ~ $ openvpn3 version
OpenVPN 3/Linux git:makepkg:713b35e908489579 (openvpn3)
OpenVPN core 3.git:HEAD:b47c72b4 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

Importing a config and connecting to a session works as expected, but when I import a config with --persistent I am not able to re-connect to the stored config.

Looking at the error message it says: "Connection failed: option_error: Invalid verify-x509-name type" hinting at the first space character of the profile.verify-x509-name attribute of the configuration json.

E.g.:

• "C=DE, L=CN, O=Company Name" -> "Invalid verify-x509-name type: L=OE",
• "C=DE,L=CN,O=Company Name" -> "Invalid verify-x509-name type: Name".

Which might indicate, that the name is not correctly checked for certain characters. Might also be for non-ascii chars but I haven't checked that thouroughly.

Is this even correct here, or should this rather copy this issue to the openvpn3-core repo? Let me know if you need additional info and/or have hints/notes/etc.

[dsommers]

Thanks for testing OpenVPN 3 Linux on Arch! From the commit references, I see this is the v16_beta release.

Could you issue a test certificate and key with this behaviour and send it to my openvpn.net e-mail address (you'll find it in the git commit logs), so I can test just the certificate and your --verify-x509-name option? Just to see if I can reproduce this locally first. I do not need anything else, as I'll hack this information up in my own internal testing infrastructure.

[fleischie]

Will do. I'll send it once I am off work (and after I figured out how to create test certificates). 😅

[fleischie]

You should have now received an email from me (I hope it was sent alright). Let me know if you need additional information and/or the email never arrived.

✌️

[fleischie]

I checked this morning and the error explicitly says:
"Invalid verify-x509-name type: L=OD," resp. "Invalid verify-x509-name type: GmbH,".

[dsommers]

I've been testing this a bit today, and I can't reproduce this issue. I've also modified the VerifyX509Name unit test to have spaces inside several fields - which still works as expected.

I have a also tested a certificate I have which has space in the CN field. No issues.

I have double checked the test config you sent plus a few more places the Subject contents. I don't see any odd things in any of the strings at first glance.

But the Invalid verify-x509-name type error comes from the VerifyX509Name configuration parsing. This is called from the OpenSSL layer, where it sets up the SSL context. Somehow this is getting corrupted on your setup, but only on re-negotiations.

Since this issue is happening in the OpenVPN 3 Core library, I will move this issue to that project. We will look further into this.

Could you try your setup on a different distribution than Arch Linux? I will also setup an Arch Linux test box to have a closer look, but would be good to see if we can find a common denominator here first.

[dsommers]

And we have a similar report for OpenVPN Connect on Windows: https://community.openvpn.net/openvpn/ticket/1414

Update: This is not the same issue ... please ignore this comment.

[dsommers]

Moving this back to OpenVPN 3 Linux. I found the issue now. It's the persistent storage which is not doing the right thing.

Steps to reproduce this issue:

1. Run openvpn3 config-import --config $CONFIG_FILE --name testcfg --persistent
2. Run openvpn3 config-dump --config testcfg > after-import.conf
3. Stop the openvpn3-service-configmgr
4. Run openvpn3 config-dump --config testcfg > after-restart.conf
5. Run diff -u after-import.conf after-restart.conf

You will notice that the double quotes around the subject field is now missing in the diff output. This is due to the .json file which contains the configuration does not properly preserve the quoting.

Moving back to the openvpn3-linux project.

[fleischie]

Thank you for taking the time and putting in the work to investigate this so thoroughly. 🙇

Do you still need me to set something up, test something, or provide further info?

[dsommers]

No, I'm all fine now. I've been able to isolate the problem and can reproduce it at will now.

The problematic code path is related to a similar fix we added for --static-challenge in commit ef26761. But that was a hack, and this hack can't be reused for --verify-x509-name. I'm working on a fix in the Core library's option rendering method, which should also remove the need for the hack added for --static-challenge.

[dsommers]

This should now be fixed with commit 87570c0. This does a complete overhaul of the code importing and exporting the JSON data for the persistent storage, which helps removing several other hacks as well.

This approach will hopefully be much better in the end.