OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Any magic about the 64 bytes common-name length limit #1095

Closed ihipop closed 5 months ago

ihipop commented 5 months ago

I have read RFC3280: https://www.ietf.org/rfc/rfc3280.html#:~:text=ub-common-name-length%20integer%20%3A%3A%3D , RFC5280: https://www.ietf.org/rfc/rfc5280.html#:~:text=ub-common-name-length%20integer%20%3A%3A%3D and the related https://github.com/notaryproject/notary/issues/914

And if I issue a certificate with a common name longer than 64 bytes, easy-rsa fails with an error:

Using Easy-RSA 'vars' configuration:
* /home/*****/CA/vars

Using SSL:
* openssl OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
-----
String too long, must be at most 64 bytes long
Error making certificate request

Easy-RSA error:

easyrsa_openssl - Command has failed:
* openssl req -utf8 -new -newkey ec:/home/*****/CA/pki/15b9edd6/temp.1.1 -keyout /home/*****/CA/pki/15b9edd6/temp.2.1 -out /home/*****/CA/pki/15b9edd6/temp.3.1 -noenc -batch

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | Linux | /bin/bash

WARNING
=======
cleanup - remove_secure_session failed

But your CloudConnexa of OpenVPN allows a common name to exceed 64 bytes.

Is there any magic in easy-rsa ?

ihipop commented 5 months ago

I've tried to change the

EASYRSA_DN to cn_only

then changed the commonName_max of cn_only to 128 in openssl-easyrsa.cnf; still, the error exists:

Using SSL:
* openssl OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
-----
Error making certificate request
4077017C547F0000:error:06800097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:crypto/asn1/a_mbstr.c:106:maxsize=64

TinCanTech commented 5 months ago

Also, try changing easyrsa:6242:

commonName_max      = 64

ihipop commented 5 months ago

Also, try changing easyrsa:6242:

commonName_max        = 64

Have you tried? I can't make it work.

TinCanTech commented 5 months ago

The max appears to be 64.

ihipop commented 5 months ago

Your CloudConnexa of OpenVPN allows a common name to be longer than 64 bytes.

TinCanTech commented 5 months ago

The EasyRSA commonName 64 character limit is sufficient for sensible requirements.

TinCanTech commented 5 months ago

Taking ASCII characters 0-9 and a-z gives a naming pool of:

36^64 = 4×10⁹⁹

More than enough.

ihipop commented 5 months ago

Taking ASCII characters 0-9 and a-z gives a naming pool of:

36^64 = 4×10⁹⁹

More than enough.

@TinCanTech

If you use OpenVPN web auth, you will find out that every device has a device ID in the form of a UUID, which is 36 bytes long.

To distinguish every device with a different common name, usually an enterprise email address is prefixed as part of the common name, just like what CloudConnexa of OpenVPN does. For example:

TinCanTech@mail.TinCanTech.com/2BB779C3-7765-46AA-9EB2-8E9BFC0500D8

Ta-da, exceeds 64 bytes~

TinCanTech commented 5 months ago

CloudConnexa obviously have their own solution.
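The limit the thread runs into is the RFC 5280 Appendix A bound ub-common-name-length = 64, which OpenSSL enforces in its own ASN.1 string table (the error above comes from ASN1_mbstring_ncopy with maxsize=64, not from the easyrsa config), so raising commonName_max in openssl-easyrsa.cnf cannot lift it. The following is an added example, not code from easy-rsa, OpenSSL or anyone in this thread: it checks a subject against the RFC 5280 upper bounds before a CSR is attempted, reports the character and UTF-8 byte length of a commonName (the ASN.1 SIZE bound counts characters; for ASCII names the two coincide, which is why openssl's message can say "bytes"), and shows one way to keep an "email/UUID" device name like the one quoted above within the bounds by carrying the email in the emailAddress attribute (bound 255) and only the UUID in commonName. The sample names are constructed, and the email/UUID split is this example's own convention, not easy-rsa's or CloudConnexa's behaviour.

```python
"""Check X.509 subject attributes against the RFC 5280 Appendix A upper bounds.

Added example, not part of easy-rsa or OpenSSL.  The UPPER_BOUNDS values are
the ub-* constants from RFC 5280 Appendix A; every sample string below is
constructed for illustration.
"""
import uuid

# RFC 5280 Appendix A upper bounds, in characters: an ASN.1 SIZE constraint on a
# DirectoryString counts characters, not the bytes of the chosen encoding.
UPPER_BOUNDS = {
    "commonName": 64,               # ub-common-name-length
    "organizationName": 64,         # ub-organization-name-length
    "organizationalUnitName": 64,   # ub-organizational-unit-name-length
    "localityName": 128,            # ub-locality-name
    "stateOrProvinceName": 128,     # ub-state-name
    "countryName": 2,               # ub-country-name-alpha-length
    "serialNumber": 64,             # ub-serial-number
    "emailAddress": 255,            # ub-emailaddress-length
}


def check_subject(subject):
    """Return (attribute, length, limit) for every attribute whose value is
    longer than its RFC 5280 bound.  An empty list means the subject fits and
    openssl req will not reject it for length."""
    violations = []
    for attr, value in subject.items():
        limit = UPPER_BOUNDS.get(attr)
        if limit is not None and len(value) > limit:
            violations.append((attr, len(value), limit))
    return violations


def cn_lengths(cn):
    """Character count (what the ASN.1 bound constrains) and UTF-8 byte count
    (what easy-rsa passes to openssl with -utf8) of a commonName."""
    return len(cn), len(cn.encode("utf-8"))


def split_device_cn(cn):
    """Split an '<email>/<uuid>' style name, as used in the thread, into two
    subject attributes so each part stays within its own bound.  Mapping the
    email to emailAddress and the UUID to commonName is this example's own
    convention (assumption), not anything easy-rsa does."""
    email, sep, device_id = cn.rpartition("/")
    if not sep:
        raise ValueError("expected '<email>/<uuid>'")
    uuid.UUID(device_id)  # raises ValueError if the device part is not a UUID
    return {"emailAddress": email, "commonName": device_id}


if __name__ == "__main__":
    # Constructed device name in the shape quoted in the thread: 67 characters.
    long_cn = "TinCanTech@mail.TinCanTech.com/2BB779C3-7765-46AA-9EB2-8E9BFC0500D8"
    print("lengths (chars, bytes):", cn_lengths(long_cn))
    print("as commonName:", check_subject({"commonName": long_cn}))
    print("split subject:", check_subject(split_device_cn(long_cn)))
```

Running the script prints the 67-character name as a commonName violation and an empty violation list once the name is split; the same check_subject call can be placed in front of any CSR-issuing step to reject over-long subjects with a clear message instead of the opaque ASN1_mbstring_ncopy error.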