Package: openvpn
Version: 2.4.4-2
Severity: important
Hi,
I have a PKI generated using certtool from the gnutls package. It's been
working fine with OpenVPN for years, up to with version 2.4.4-1.
With 2.4.4-2, it no longer does; the client complains that:
2017-12-28 10:19:51.581535500 Thu Dec 28 10:19:51 2017 us=581446 TLS: Initial
packet from [AF_INET]**.**.**.**:5000, sid=2b216141 7850038f
2017-12-28 10:19:51.615926500 Thu Dec 28 10:19:51 2017 us=615841 VERIFY ERROR:
depth=1, error=unsupported certificate purpose: CN=Certificate Authority,
DC=**, DC=**
2017-12-28 10:19:51.615980500 Thu Dec 28 10:19:51 2017 us=615952 OpenSSL:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify
failed
2017-12-28 10:19:51.616033500 Thu Dec 28 10:19:51 2017 us=615975 TLS_ERROR: BIO
read tls_read_plaintext error
2017-12-28 10:19:51.616080500 Thu Dec 28 10:19:51 2017 us=616005 TLS Error: TLS
object -> incoming plaintext read error
2017-12-28 10:19:51.616097500 Thu Dec 28 10:19:51 2017 us=616018 TLS Error: TLS
handshake failed
The CA cert it complains about looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
**:**:**:**:**:**:**:**:**:**:**:**
Signature Algorithm: ecdsa-with-SHA512
Issuer: CN = Certificate Authority, DC = **, DC = **
Validity
Not Before: Jul 8 14:37:07 2014 GMT
Not After : Jul 5 14:37:07 2029 GMT
Subject: CN = Certificate Authority, DC = **, DC = **
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
[redacted]
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Extended Key Usage:
OCSP Signing
Authority Information Access:
OCSP - URI:http://...
CA Issuers - URI:http://...
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
X509v3 CRL Distribution Points:
Full Name:
URI:http://...
Signature Algorithm: ecdsa-with-SHA512
Even if there were something technically wrong with this CA cert, just breaking
openvpn doesn't strike me as appropriate.
There should be a way to turn whatever new check libssl1.1 implements off;
also, the error message should indicate more clearly what the problem with the
certificate is.
Justification for important severity: completely breaks the package for some
users.
Incidentally, the bug referenced in the Debian changelog entry for 2.4.4-2
seems to be unrelated:
* Build against OpenSSL 1.1.0 (Closes: #828447)
Best regards,
AndrĂ¡s
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (350, 'unstable'), (350, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.45-vs2.3.8.5.3+zfs20171023 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: runit
--
His conscience is clean - he's never used it.
