Your message dated Tue, 1 Sep 2020 21:50:17 +0200 with message-id <[email protected]> and subject line OpenVPN: Closing outdated bugreports has caused the Debian Bug report #885581, regarding building with openssl 1.1 breaks existing setups ("VERIFY ERROR: depth=1, error=unsupported certificate purpose") to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
885581: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885581
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.4.4-2
Severity: important

Hi,

I have a PKI generated using certtool from the gnutls package. It's been working fine with OpenVPN for years, up to version 2.4.4-1. With 2.4.4-2, it no longer does; the client complains that:

2017-12-28 10:19:51.581535500 Thu Dec 28 10:19:51 2017 us=581446 TLS: Initial packet from [AF_INET]**.**.**.**:5000, sid=2b216141 7850038f
2017-12-28 10:19:51.615926500 Thu Dec 28 10:19:51 2017 us=615841 VERIFY ERROR: depth=1, error=unsupported certificate purpose: CN=Certificate Authority, DC=**, DC=**
2017-12-28 10:19:51.615980500 Thu Dec 28 10:19:51 2017 us=615952 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2017-12-28 10:19:51.616033500 Thu Dec 28 10:19:51 2017 us=615975 TLS_ERROR: BIO read tls_read_plaintext error
2017-12-28 10:19:51.616080500 Thu Dec 28 10:19:51 2017 us=616005 TLS Error: TLS object -> incoming plaintext read error
2017-12-28 10:19:51.616097500 Thu Dec 28 10:19:51 2017 us=616018 TLS Error: TLS handshake failed

The CA cert it complains about looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            **:**:**:**:**:**:**:**:**:**:**:**
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = Certificate Authority, DC = **, DC = **
        Validity
            Not Before: Jul  8 14:37:07 2014 GMT
            Not After : Jul  5 14:37:07 2029 GMT
        Subject: CN = Certificate Authority, DC = **, DC = **
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    [redacted]
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage:
                OCSP Signing
            Authority Information Access:
                OCSP - URI:http://...
                CA Issuers - URI:http://...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://...
    Signature Algorithm: ecdsa-with-SHA512

Even if there were something technically wrong with this CA cert, just breaking openvpn doesn't strike me as appropriate. There should be a way to turn whatever new check libssl1.1 implements off; also, the error message should indicate more clearly what the problem with the certificate is.

Justification for important severity: completely breaks the package for some users.

Incidentally, the bug referenced in the Debian changelog entry for 2.4.4-2 seems to be unrelated:

  * Build against OpenSSL 1.1.0 (Closes: #828447)

Best regards,
András

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (350, 'unstable'), (350, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.45-vs2.3.8.5.3+zfs20171023 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: runit

-- 
His conscience is clean - he's never used it.
--- End Message ---
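The failure in the report above comes from OpenSSL 1.1 applying the TLS-server purpose check to every CA in the chain: a CA whose Extended Key Usage is present but lists only OCSP Signing is rejected as "unsupported certificate purpose" even though its Basic Constraints and Key Usage are fine. The following added example (not part of the bug report or the Debian package) builds a throw-away PKI with such a CA next to a CA without an EKU and verifies a server certificate under each with `openssl verify -purpose sslserver`; it needs the openssl CLI (1.1 or newer), and all names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the report: a throw-away PKI whose CA carries only the
# OCSPSigning EKU (as the reported CA does) next to one without an EKU, each
# checked the way an OpenSSL 1.1 TLS client verifies a server chain.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
# Mirrors the CA in the report: EKU present, but only OCSP Signing.
[ca_ocsp_only]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = OCSPSigning
# Corrected CA: no EKU, so it may issue certificates for any purpose.
[ca_plain]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
extendedKeyUsage = serverAuth
EOF

# make_pki <ca-section>: self-signed P-521 CA plus a server certificate it signs.
make_pki() {
  d="$WORK/$1"; mkdir -p "$d"
  openssl ecparam -name secp521r1 -genkey -noout -out "$d/ca.key"
  openssl req -x509 -new -key "$d/ca.key" -days 1 -config "$WORK/pki.cnf" \
    -subj "/CN=Certificate Authority" -extensions "$1" -out "$d/ca.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/srv.key"
  openssl req -new -key "$d/srv.key" -config "$WORK/pki.cnf" \
    -subj "/CN=vpn.example" -out "$d/srv.csr"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -extfile "$WORK/pki.cnf" -extensions server -out "$d/srv.pem"
}

# verify_purpose <ca-section>: "ok" or "rejected" for that chain under purpose sslserver.
verify_purpose() {
  if openssl verify -purpose sslserver -CAfile "$WORK/$1/ca.pem" "$WORK/$1/srv.pem" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

make_pki ca_ocsp_only 2>/dev/null
make_pki ca_plain 2>/dev/null
echo "CA with EKU = OCSP Signing only: $(verify_purpose ca_ocsp_only)"   # rejected
echo "CA without EKU:                  $(verify_purpose ca_plain)"       # ok
```

Re-issuing the CA without the EKU (or with one that includes serverAuth) is what makes the chain acceptable again; the leaf certificate is identical in both runs.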
--- Begin Message ---
Dear reporter,

thanks for reporting bugs and making Debian better.

Unfortunately your bug report could not be properly dealt with in time. The bug you are describing seems to affect an outdated version of OpenVPN in Debian. It would be very time consuming to verify this in a current version, and we believe the issue might have been fixed in the meantime. We are therefore closing this bug report.

If you can still reproduce this issue on an up-to-date system (Debian 10 Buster or newer) feel free to reopen this bug report.

Best Regards,
Your OpenVPN maintainers
--- End Message ---

