View Issue Details

ID: 0001089
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2013-01-15 18:22
Reporter: josupeit
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Fixed in Version: 2012 Q3
Summary: 0001089: Renewed server certificate no longer works for an OpenVPN Server
Description: I'm running an OpenVPN server at home with a CACert Class 3 certificate. This certificate is valid up to Oct 9th so I decided to renew the certificate.

Unfortunately I'm unable to create a VPN connection with this new certificate due to a failing TLS handshake.

It seems that critical fields have changed in certificates between Oct 9th 2010 and today.
Additional Information:

Old working certificate:
========================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 47428 (0xb944)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Oct 10 22:01:40 2010 GMT
            Not After : Oct 9 22:01:40 2012 GMT
        Subject: CN=<snip>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <snip>
                Exponent: <snip>
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 Subject Alternative Name:
                DNS:<snip>, othername:<unsupported>

    Signature Algorithm: sha1WithRSAEncryption
        <snip>

New no longer working certificate:
==================================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66484 (0x103b4)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Aug 13 21:25:21 2012 GMT
            Not After : Aug 13 21:25:21 2014 GMT
        Subject: CN=<snip>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <snip>
                Exponent: <snip>
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl

    Signature Algorithm: sha1WithRSAEncryption
        <snip>
Tags: No tags attached.

Activities

josupeit (reporter), 2012-08-14 20:37, note ~0003135

It seems that the value of the key usage attribute field has changed from 2010 to now (http://wiki.cacert.org/PolicyDrafts/CPSKeyUsageChanges). The default openvpn configuration option "remote-cert-tls server" is an equivalent to "remote-cert-ku a0 88" and also 'remote-cert-eku "TLS Web Server Authentication"', which seems to restrict the key usage to either 0xa0 or 0x88 (which means Digital Signature and Key Encipherment or else Digital Signature and Key Agreement) but not to a combination of both, which would be 0xa0 (bitwise) or 0x88 = 0xa8 (which means Digital Signature and Key Encipherment or else Digital Signature and Key Agreement or else Digital Signature and Key Encipherment and Key Agreement).

The current certificates issued by CACert have exactly such a combination set, so changing the openvpn configuration value "remote-cert-tls server" to the two options "remote-cert-ku a0 88 a8" and 'remote-cert-eku "TLS Web Server Authentication"' does the trick.
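The note above explains the failure in terms of the Key Usage byte that OpenVPN compares against the list given to "remote-cert-ku". The following added example (not from the bug report and not OpenVPN's own code) models that comparison in Python: it turns the Key Usage flag names from an "openssl x509 -text" dump into the byte value (RFC 5280 bit order, Digital Signature = 0x80, Key Encipherment = 0x20, Key Agreement = 0x08) and then applies an exact-match check, which is how the note describes "remote-cert-ku" behaving. The certificate excerpts are constructed from the extension blocks quoted in the report; the function names, the expansion of "remote-cert-tls server" to "a0 88", and the exact-match semantics are assumptions taken from the note rather than from OpenVPN's source.

```python
# Added example, not part of the CAcert bug report or of OpenVPN itself.
# Models the Key Usage comparison described in the note: the certificate's
# key-usage byte must equal one of the values listed for remote-cert-ku.
import re

# RFC 5280 KeyUsage bits as the value of the first byte of the BIT STRING
# (bit 0, digitalSignature, is the most significant bit of that byte).
KEY_USAGE_BITS = {
    "Digital Signature": 0x80,
    "Non Repudiation": 0x40,
    "Key Encipherment": 0x20,
    "Data Encipherment": 0x10,
    "Key Agreement": 0x08,
    "Certificate Sign": 0x04,
    "CRL Sign": 0x02,
    "Encipher Only": 0x01,
}


def key_usage_value(names):
    """Combine named Key Usage flags into the single byte being compared."""
    value = 0
    for name in names:
        value |= KEY_USAGE_BITS[name.strip()]
    return value


def parse_key_usage(openssl_text):
    """Extract Key Usage flag names from 'openssl x509 -text' output.

    Returns [] when the certificate has no Key Usage extension. The pattern
    deliberately does not match 'X509v3 Extended Key Usage'."""
    m = re.search(r"X509v3 Key Usage:.*\n\s*(.+)", openssl_text)
    if not m:
        return []
    return [n.strip() for n in m.group(1).split(",")]


def remote_cert_ku_accepts(cert_ku, allowed):
    """Exact-match check, as the note describes remote-cert-ku: no subset or
    superset matching, so 0xa8 is not accepted by a list of 0xa0 and 0x88."""
    return cert_ku in allowed


# Assumed from the note: "remote-cert-tls server" is equivalent to
# "remote-cert-ku a0 88" (its EKU check is not modelled here).
REMOTE_CERT_TLS_SERVER_KU = [0xA0, 0x88]
# The workaround the reporter applied: "remote-cert-ku a0 88 a8".
WORKAROUND_KU = [0xA0, 0x88, 0xA8]

# Constructed excerpts mirroring the extension blocks quoted in the report.
OLD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
NEW_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
"""


def check_certificate(openssl_text, allowed):
    """Return (key_usage_byte, accepted) for one certificate dump."""
    ku = key_usage_value(parse_key_usage(openssl_text))
    return ku, remote_cert_ku_accepts(ku, allowed)


if __name__ == "__main__":
    for label, text in (("old cert", OLD_CERT_TEXT), ("new cert", NEW_CERT_TEXT)):
        for opt, allowed in (("remote-cert-tls server", REMOTE_CERT_TLS_SERVER_KU),
                             ("remote-cert-ku a0 88 a8", WORKAROUND_KU)):
            ku, ok = check_certificate(text, allowed)
            print(f"{label}: key usage 0x{ku:02x}, {opt} -> "
                  f"{'accept' if ok else 'REJECT'}")
```

Running it shows the old certificate (0xa0) accepted under both settings and the new one (0xa8) rejected by the "a0 88" list but accepted once "a8" is added, which is the behaviour the reporter observed.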

Issue History

Date Modified Username Field Change
2012-08-13 22:06 josupeit New Issue
2012-08-14 20:37 josupeit Note Added: 0003135
2012-08-14 20:37 josupeit Status new => solved?
2012-08-14 20:37 josupeit Resolution open => no change required
2012-08-28 21:04 NEOatNHNG Status solved? => closed
2013-01-15 18:22 Werner Dworak Fixed in Version => 2012 Q3