longzuyuan / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

Slashes in X509NAME are replaced with commas #72

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
I'm trying to connect to my Astaro firewall using your app. In my ovpn I have 
configured something like this:
tls-remote "/C=c/L=l/O=o/CN=cn/emailAddress=a@b.com"

But when connecting the slashes are converted into commas, which produces the 
following error:
P:VERIFY X509NAME ERROR: C=c, L=l, O=o, CN=cn, emailAddress=a@b.com, must be 
/C=c/L=l/O=o/CN=cn/emailAddress=a@b.com

What is the expected output? What do you see instead?
Slashes should not be replaced.

What mobile phone are you using?
Asus Transformer Pad Infinity

Which Android Version and stock ROM or aftermarket like cyanogenmod?
4.0.3 Asus Stock Firmware

Please provide any additional information below.

Original issue reported on code.google.com by david.ma...@gmail.com on 21 Aug 2012 at 3:23

GoogleCodeExporter commented 9 years ago
This is not a bug in ics-openvpn. The behaviour you are reporting is in OpenVPN 
itself. Does OpenVPN on your PC behave differently?

Original comment by arne@rfc2549.org on 21 Aug 2012 at 3:42

GoogleCodeExporter commented 9 years ago
On my pc the ovpn config is working and also on my Samsung Galaxy S2. 
(CyanogenMod 9 + OpenVpn Settings App) This is written in the log on my pc:
VERIFY X509NAME OK: /C=c/L=l/O=o/CN=cn/emailAddress=a@b.com

The devices have the following versions of OpenVPN:

PC 2.1.1
Samsung Galaxy S2 2.2.2
Asus Transformer Pad Infinity 2.1.1

What else could cause this problem?

Original comment by david.ma...@gmail.com on 21 Aug 2012 at 3:50

GoogleCodeExporter commented 9 years ago
OpenVPN 2.3 changed the X509 name behaviour. There is a proposed patch to add 
compatibility for older versions, but it is not yet included in 2.3: 
http://comments.gmane.org/gmane.network.openvpn.devel/6988

Original comment by arne@rfc2549.org on 21 Aug 2012 at 4:31

GoogleCodeExporter commented 9 years ago
I've just installed your app on my Samsung Galaxy S2 and there I get the same 
error. But the connection does work when I use the "OpenVpn Settings" app, so I 
think it's not a fault of the OpenVPN client or server. I will download your 
source code and try to debug the app. Maybe I will be able to find the problem.

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 7:43

GoogleCodeExporter commented 9 years ago
As I explained, this is a change in OpenVPN 2.3. There will be a compat-names 
option in later 2.3 releases, but for now you have to use the new format with 
tls-remote. E.g. specifying 

tls-remote "C=c, L=l, O=o, CN=cn, emailAddress=a@b.com"

instead of 

tls-remote "/C=c/L=l/O=o/CN=cn/emailAddress=a@b.com"

Original comment by arne@rfc2549.org on 22 Aug 2012 at 7:53

GoogleCodeExporter commented 9 years ago
I just realized that you include your own openvpn binaries in your app. Would 
it be possible to just replace them on my device with the 2.2 version to get it 
to work?

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 7:57

GoogleCodeExporter commented 9 years ago
It is possible, but using a 2.2 version would require backporting the patches 
needed for the VPNService API. Also, I don't understand why you cannot change 
the tls-remote to the new format of 2.3?

Original comment by arne@rfc2549.org on 22 Aug 2012 at 8:06

GoogleCodeExporter commented 9 years ago
I'm using a Sophos (Astaro) firewall as OpenVPN server and this firewall 
automatically chooses this format for the tls-remote, so I cannot change that. I 
think I will check out an older version of your source code and compile this 
older version myself until the new feature is available. Can you tell me which 
version I have to download to get the old OpenVPN version?

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 8:12

GoogleCodeExporter commented 9 years ago
There is no version of my software that uses an OpenVPN 2.2 version. 

Original comment by arne@rfc2549.org on 22 Aug 2012 at 8:32

GoogleCodeExporter commented 9 years ago
Alternatively, you can apply the compat-names patch manually to my source and use 
that until the patch is upstream.

Original comment by arne@rfc2549.org on 22 Aug 2012 at 8:34

GoogleCodeExporter commented 9 years ago
The patch site is offline at the moment; I will try that when it's online again.

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 9:40

GoogleCodeExporter commented 9 years ago
http://sourceforge.net/mailarchive/forum.php?thread_name=1345211355-26513-1-git-send-email-heiko.hund%40sophos.com&forum_name=openvpn-devel

Original comment by arne@rfc2549.org on 22 Aug 2012 at 9:44

GoogleCodeExporter commented 9 years ago
I've applied the patch and compiled OpenVPN using the NDK. But how can I now 
specify the startup parameters for the openvpn binary in your application? 
(--compat-names is a startup parameter, right?)

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 1:01

GoogleCodeExporter commented 9 years ago
--compat-names is a config parameter like any other. You can set it in 
advanced settings under custom config options of the VPN. 

Original comment by arne@rfc2549.org on 22 Aug 2012 at 1:08

GoogleCodeExporter commented 9 years ago
I've tried to add this option to the buildOpenvpnArgv and under custom options, 
but I just get the error "Unrecognized option or missing 
parameters......compat-names". I see that my own compiled OpenVPN libs are 
copied to the device, but the new command doesn't seem to be recognized. I've 
cleaned all NDK libs and rebuilt them. The output of the patch was:

patch -p1 < openvpn.patch 
patching file doc/openvpn.8
Hunk #1 succeeded at 3439 with fuzz 1 (offset 44 lines).
patching file src/openvpn/misc.c
patching file src/openvpn/misc.h
patching file src/openvpn/options.c
Hunk #1 succeeded at 2127 (offset -4 lines).
Hunk #2 succeeded at 5528 (offset -1 lines).
patching file src/openvpn/ssl_verify.c
patching file src/openvpn/ssl_verify_openssl.c
patch unexpectedly ends in middle of line

What could be the problem?

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 3:06

GoogleCodeExporter commented 9 years ago
I found out that the --compat-names command is just for the OpenVPN server, but I 
also found the solution for the problem. I just had to rename the tls-remote to 
C=c, L=l, O=o, CN=cn, emailAddress=a@b.com in the config to get a connection!

Original comment by david.ma...@gmail.com on 22 Aug 2012 at 6:57

GoogleCodeExporter commented 9 years ago
I added an option in the import that should automatically convert the 
remote-tls option for you. Can you test it?

Original comment by arne@rfc2549.org on 23 Aug 2012 at 8:22
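The two subject formats discussed in this thread (the slash-separated OpenSSL "oneline" form that OpenVPN 2.2 and earlier printed and accepted in tls-remote, and the comma-separated form OpenVPN 2.3 expects) and the config-import conversion mentioned in the last comment, as an added Python example. This is not code from ics-openvpn or OpenVPN; the function names, the attribute-boundary heuristic and the sample config are this example's own assumptions. The conversion splits only on a slash that is followed by an attribute type and `=`, so a slash inside a value (such as `OU=R/D`) survives; a value that itself looks like `x/CN=` is inherently ambiguous in the old format and will be split.

```python
import re

# A slash that starts a new attribute in the OpenSSL "oneline" format:
# it is followed by an attribute type (C, L, O, OU, CN, emailAddress, ...)
# and '='. Splitting only at these positions keeps slashes that occur
# inside a value intact. Assumption: attribute types are alphanumeric.
_ATTR_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# A tls-remote line, with or without surrounding quotes around the value.
_TLS_REMOTE_LINE = re.compile(r'^(\s*tls-remote\s+)(["\']?)(.*?)\2\s*$')


def convert_x509_name(name: str) -> str:
    """Convert an OpenVPN <= 2.2 style subject ("/C=c/L=l/CN=cn") into the
    OpenVPN 2.3 style ("C=c, L=l, CN=cn").

    Names that do not start with '/' are assumed to be in the new format
    already and are returned unchanged.
    """
    if not name.startswith("/"):
        return name
    attributes = _ATTR_BOUNDARY.split(name[1:])
    return ", ".join(attributes)


def convert_config(config_text: str) -> str:
    """Rewrite every tls-remote line of an .ovpn config to the new format.

    Other lines are passed through untouched. The converted value is always
    quoted, because the new format contains spaces after each comma.
    """
    out = []
    for line in config_text.splitlines():
        match = _TLS_REMOTE_LINE.match(line)
        if match:
            prefix, _quote, value, = match.groups()
            line = f'{prefix}"{convert_x509_name(value)}"'
        out.append(line)
    result = "\n".join(out)
    if config_text.endswith("\n"):
        result += "\n"
    return result


if __name__ == "__main__":
    # Constructed sample config using the subject from the issue report.
    sample = (
        "client\n"
        'tls-remote "/C=c/L=l/O=o/CN=cn/emailAddress=a@b.com"\n'
        "remote-cert-tls server\n"
    )
    print(convert_config(sample), end="")
```

If the profile will later be used with OpenVPN 2.4 or newer, note that tls-remote was removed there; the same comma-separated subject goes into `verify-x509-name "C=c, L=l, O=o, CN=cn, emailAddress=a@b.com"` instead, whose default match type is the full subject.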
