Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Hubert Kario
On Monday, 4 March 2019 15:20:36 CET Jan Just Keijser wrote:
> Hi Matt,
> 
> On 04/03/19 14:24, Matt Caswell wrote:
> > On 04/03/2019 13:16, Jan Just Keijser wrote:
> >> On 04/03/19 10:21, Wolfgang Knauf wrote:
> >>> Hi,
> >>> 
> >>> the output is this:
> >>> 
> >>> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
> >>> ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.user.
> >>> crt
> >>> Error: offset too large
> >>> 
> >>> Would it be OK if I send the crt file to only your mail address? I don't
> >>> feel safe by posting it to the mailing list ;-)?
> >> 
> >> I ran into the "offset too large" problem myself with my own certs as
> >> well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the
> >> parts starting with --BEGIN CERTIFICATE--
> > 
> > asn1parse will expect PEM by default but is perfectly capable of
> > processing raw DER too. Just use the "-inform DER" option.
> 
> 100% true but that is not what I was referring to; my certs usually look
> like this:
> 
> Certificate:
>  Data:
>  Version: 3 (0x2)
>  Serial Number: 5338 (0x14da)
>  Signature Algorithm: sha256WithRSAEncryption
> [...]
> -----BEGIN CERTIFICATE-----
> MIIEmjCCA4KgAwIBAgICFNowDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCTkwx
> 
> 
> it's that part *before* the --BEGIN CERTIFICATE--  on which the
> asn1parse command chokes. You can feed it either a DER file or a PEM
> blob - but not a certificate file with the certificate info listed in it.

ah, yes, that's https://github.com/openssl/openssl/issues/7317

that should be possible to workaround with -strictpem option

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic



Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Jan Just Keijser

Hi Matt,

On 04/03/19 14:24, Matt Caswell wrote:
> On 04/03/2019 13:16, Jan Just Keijser wrote:
>> On 04/03/19 10:21, Wolfgang Knauf wrote:
>>> Hi,
>>>
>>> the output is this:
>>>
>>> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
>>> ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.user.crt
>>> Error: offset too large
>>>
>>> Would it be OK if I send the crt file to only your mail address? I don't feel
>>> safe by posting it to the mailing list ;-)?
>>
>> I ran into the "offset too large" problem myself with my own certs as well. It
>> turns out the 'asn1parse' util only likes PEM blobs, i.e. the parts starting
>> with --BEGIN CERTIFICATE--
>
> asn1parse will expect PEM by default but is perfectly capable of processing raw
> DER too. Just use the "-inform DER" option.


100% true but that is not what I was referring to; my certs usually look 
like this:


Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 5338 (0x14da)
    Signature Algorithm: sha256WithRSAEncryption
[...]
-----BEGIN CERTIFICATE-----
MIIEmjCCA4KgAwIBAgICFNowDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCTkwx


it's that part *before* the --BEGIN CERTIFICATE--  on which the 
asn1parse command chokes. You can feed it either a DER file or a PEM 
blob - but not a certificate file with the certificate info listed in it.


JJK



Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Matt Caswell



On 04/03/2019 13:16, Jan Just Keijser wrote:
> On 04/03/19 10:21, Wolfgang Knauf wrote:
>> Hi,
>>
>> the output is this:
>>
>> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
>> ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.user.crt
>> Error: offset too large
>>
>> Would it be OK if I send the crt file to only your mail address? I don't feel
>> safe by posting it to the mailing list ;-)?
>>
>>
> I ran into the "offset too large" problem myself with my own certs as well. It
> turns out the 'asn1parse' util only likes PEM blobs, i.e. the parts starting
> with --BEGIN CERTIFICATE--

asn1parse will expect PEM by default but is perfectly capable of processing raw
DER too. Just use the "-inform DER" option.

Matt



Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Jan Just Keijser

On 04/03/19 10:21, Wolfgang Knauf wrote:
> Hi,
>
> the output is this:
>
> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
> ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.user.crt
> Error: offset too large
>
> Would it be OK if I send the crt file to only your mail address? I don't feel
> safe by posting it to the mailing list ;-)?


I ran into the "offset too large" problem myself with my own certs as 
well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the 
parts starting with --BEGIN CERTIFICATE--


You can use
  openssl x509 -in l1139218.vt-security.de.user.crt | openssl asn1parse

to work around this.
For your certificates this results in

    0:d=0  hl=4 l= 942 cons: SEQUENCE
    4:d=1  hl=4 l= 791 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER   :02
   13:d=2  hl=2 l=   9 prim: INTEGER   :C604316CD0321FA1
   24:d=2  hl=2 l=  13 cons: SEQUENCE
   26:d=3  hl=2 l=   9 prim: OBJECT :sha256WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL
[...]
  155:d=2  hl=2 l=  30 cons: SEQUENCE
  157:d=3  hl=2 l=  13 prim: UTCTIME   :160418140054Z
  172:d=3  hl=2 l=  13 prim: UTCTIME   :370308132808Z
  187:d=2  hl=2 l=  88 cons: SEQUENCE
  189:d=3  hl=2 l=  11 cons: SET
  191:d=4  hl=2 l=   9 cons: SEQUENCE
  193:d=5  hl=2 l=   3 prim: OBJECT    :countryName
  198:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :de

In other words, the dates look OK to me.
Also, I've thrown my own verification code against the certificate and 
everything checks out OK.

I'll see if I can reproduce the issue in my own OpenVPN setup.

HTH,

JJK / Jan Just Keijser
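Both workarounds in this thread (piping the file through `openssl x509` as Jan Just does above, or the `-strictpem` option Hubert Kario points to) amount to isolating the base64 between the BEGIN/END lines before the ASN.1 parser sees it, and the question the thread started with is whether the notAfter value inside is well formed. What follows is an added example, not code from the thread, from OpenSSL or from OpenVPN: it extracts the PEM block from a file that carries the `openssl x509 -text` dump in front of it, decodes it, walks the DER to the Validity SEQUENCE and checks both times against RFC 5280 section 4.1.2.5 (UTCTime as YYMMDDHHMMSSZ for dates before 2050, GeneralizedTime as YYYYMMDDHHMMSSZ from 2050 on, seconds and the trailing Z mandatory), which goes a little beyond the single UTCTime case visible in the dump above. The certificate it runs on is a constructed, unsigned stand-in assembled with a small DER encoder so the script works offline; the two dates are reused from the asn1parse output above and the serial 5338 from Jan Just's dump, and the hand-rolled DER walker is written only for this Certificate layout, not as a general-purpose parser.

```python
"""Added example, not code from the thread, OpenSSL or OpenVPN: extract the PEM block
from a '-text' dump file and check Validity encodings per RFC 5280 section 4.1.2.5."""
import base64
import re
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(tag, body):
    """One DER tag-length-value element (definite-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def der_children(buf):
    """Yield (tag, value) for each element in buf, the body of a constructed DER element."""
    off = 0
    while off < len(buf):
        tag, first = buf[off], buf[off + 1]
        hl = 2 if first < 0x80 else 2 + (first & 0x7F)
        length = first if first < 0x80 else int.from_bytes(buf[off + 2:off + hl], "big")
        if off + hl + length > len(buf):
            raise ValueError("DER length runs past the end of the buffer")
        yield tag, buf[off + hl:off + hl + length]
        off += hl + length

def pem_to_der(text):
    """DER of the first CERTIFICATE block; text before/after the BEGIN/END lines is ignored."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def check_time(tag, value):
    """Return (ISO-8601 string or None, [problems]) for one Time element (RFC 5280 4.1.2.5)."""
    s = value.decode("ascii", "replace")
    problems = []
    if tag == UTCTIME:
        if not re.fullmatch(r"[0-9]{12}Z", s):
            return None, [f"UTCTime {s!r} must be exactly YYMMDDHHMMSSZ (seconds and Z are mandatory)"]
        yy = int(s[:2])
        full = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]   # RFC 5280 two-digit year rule
    elif tag == GENERALIZEDTIME:
        if not re.fullmatch(r"[0-9]{14}Z", s):
            return None, [f"GeneralizedTime {s!r} must be exactly YYYYMMDDHHMMSSZ (no fractional seconds)"]
        full = s
        if int(s[:4]) < 2050:
            problems.append(f"GeneralizedTime used for year {s[:4]}; dates before 2050 must be UTCTime")
    else:
        return None, [f"unexpected tag 0x{tag:02x} where a Time was expected"]
    try:
        dt = datetime.strptime(full, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError as e:                        # e.g. month 13 or hour 25
        return None, [f"{s!r}: {e}"]
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ"), problems

def check_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and check both times."""
    (cert_tag, cert_body), = der_children(der)
    tbs_tag, tbs_body = next(der_children(cert_body))
    if cert_tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity_tag, validity_body = fields[3]        # serial, signature, issuer, validity, ...
    times = list(der_children(validity_body))
    if validity_tag != SEQUENCE or len(times) != 2:
        raise ValueError("Validity is not a SEQUENCE of two Time values")
    result = {"problems": []}
    for name, (tag, value) in zip(("notBefore", "notAfter"), times):
        result[name], problems = check_time(tag, value)
        result["problems"] += [f"{name}: {p}" for p in problems]
    return result

def build_sample_cert(not_before, not_after, tag_before=UTCTIME, tag_after=UTCTIME):
    """Constructed, UNSIGNED stand-in (dummy signature): just enough DER to locate Validity."""
    sha256_rsa = tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(SEQUENCE, tlv(0x31, tlv(SEQUENCE, tlv(0x06, bytes.fromhex("550406")) + tlv(0x13, b"NL"))))
    validity = tlv(SEQUENCE, tlv(tag_before, not_before) + tlv(tag_after, not_after))
    tbs = tlv(SEQUENCE, tlv(0xA0, tlv(0x02, b"\x02"))       # version v3
                        + tlv(0x02, b"\x14\xda")            # serial 5338, as in the thread
                        + sha256_rsa + name + validity + name
                        + tlv(SEQUENCE, b""))               # empty stand-in for SubjectPublicKeyInfo
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(0x03, b"\x00\x00"))

def as_text_plus_pem(der):
    """Mimic the 'openssl x509 -text' file layout on which plain asn1parse chokes."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("Certificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 5338 (0x14da)\n"
            "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    good = build_sample_cert(b"160418140054Z", b"370308132808Z")   # dates from the asn1parse output
    print(check_validity(pem_to_der(as_text_plus_pem(good))))
    print(check_validity(build_sample_cert(b"160418140054Z", b"3703081328Z")))   # seconds omitted
```

Run as a script it reports both dates from the dump above as clean and flags the second sample, whose notAfter omits the seconds. The check only says whether the Time encodings are ones an RFC 5280 validator accepts; chain building, signature and expiry decisions still belong to `openssl verify` or the TLS stack.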