schwabe / ics-openvpn

OpenVPN for Android

Server reports: path length constraint exceeded #1077

Closed moutonjr closed 4 years ago

moutonjr commented 5 years ago

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version 9
  2. Android Vendor/Custom ROM OxygenOS 9.5.8.GM57AA
  3. Device OnePlus 7 GM1900
  4. Version of the app (version number/play store version/self-built) play store actual version 0.7.8

Description of the issue

Protocol

OpenVPN server set up and connection successful with standard .ovpn file generated and standard OpenVPN Connect app by OpenVPN team.

Imported .ovpn in the ics-openvpn app and imported certs & keys that are in separated files. Started the connection.

Expected results:

VPN tunnel starts successfully and I can reach private endpoints.

Got:

VPN fails to mount due to TLS connection.

Note:

schwabe commented 5 years ago

What does your server say? Usually tls timeout means the server does not like something.

Also does switching to openvpn3 core make a difference?

moutonjr commented 5 years ago

Hi Arne,

Here's what I got:


```
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS: Initial packet from [AF_INET]9.8.7.6:40832, sid=cba307ab 138f0125
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 VERIFY ERROR: depth=2, error=path length constraint exceeded: C=FR, L=Paris, O=MySampleServer, OU=MySampleServer, CN=MySampleServer MAIN CA, emailAddress=contact@MySampleServer.fr
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS_ERROR: BIO read tls_read_plaintext error
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS Error: TLS object -> incoming plaintext read error
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS Error: TLS handshake failed
Sep  8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep  8 09:09:20 vpn openvpn[1296]: 9.8.7.6:48978 TLS: Initial packet from [AF_INET]9.8.7.6:48978, sid=f35e2e39 b53c26ac
Sep  8 09:09:20 vpn openvpn[1296]: 9.8.7.6:48978 VERIFY ERROR: depth=2, error=path length constraint exceeded: C=FR, L=Paris, O=MySampleServer, OU=MySampleServer, CN=MySampleServer MAIN CA, emailAddress=contact@MySampleServer.fr
```

My server is:

```
openvpn --version
OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 23 2019
```

I don't know as the OpenVPN in production is not upgradeable.

Thank you for your help!

schwabe commented 5 years ago

This is something that has nothing to do with my app. Something in the way you configure your CA/OpenSSL on the server does not like the certificate (error=path length constraint exceeded:).

Also you did not yet answer:

Does switching to openvpn3 core make a difference? (General settings in the app)

moutonjr commented 5 years ago

Tested with the OpenVPNv3 without success... :(

The main issue here is not about the setup, insofar as the imported configuration already works with official app. There is therefore a bug in the process.

A significant difference lies in the fact that the original imported .ovpn configuration only links the certificates, whereas they are embedded in the generated configuration in your app.

I'll check if your config works with official app.

moutonjr commented 5 years ago

acknowledged: generated config works with official app.

schwabe commented 5 years ago

Logs of server for my app and log of server for the official app would be nice.

Also log of official app and log of my app in both openvpn2 and openvpn3.

I know that is a lot but OpenVPN3 core is the same code as the official app.

If you are unlucky the difference is the mbed TLS in the official app vs OpenSSL in my app.

moutonjr commented 5 years ago

Ok I gathered this.

Note that using v2 or v3 doesn't change much on the server side.

All the best,

20190913_OpenVPNOfficial.log 20190913_SERVER_OpenVPN.log 20190913_OpenVPNICS_v2.log 20190913_OpenVPNICS_v3.log

schwabe commented 5 years ago

v3 log and official app look almost identical.

So it must be something down to either the way the certificates are used by mbed/OpenSSL or how both apps generate the config. Without looking at the generated configuration files/being able to reproduce the problem I don't really know what is happening here. I would suggest you try to find what really triggers the error message from OpenSSL on the server. It says chain depth but that should be the same in both apps (4).

moutonjr commented 4 years ago

Hi @schwabe Shall we reopen? No matter the verbosity of my server, it still crashed on depth failure. The cert chain is indeed the same for both instances, so it doesn't have anything to do with the server.

If I can give you more details on the PKI, the cert chain can be found here: https://bit.ly/2PpVwEd

To reproduce, I guess that you simply need to build up a chain of 5 certs with 4096-bit key length.

If you suspect the SSL vendor, shall we place a bug in its github?

Regards,

-- moutonjr
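The server-side error in this thread (`VERIFY ERROR: depth=2, error=path length constraint exceeded`) is OpenSSL enforcing the `pathLenConstraint` of a CA certificate's Basic Constraints extension (RFC 5280, section 4.2.1.9): a CA with `pathlen:N` permits at most N non-self-issued intermediate CAs between itself and the end-entity certificate. The script below is an added example, not code from ics-openvpn or from the reporter's PKI. It re-implements that one check on a chain description so you can see which certificate in a chain is the one that trips the error; the five-certificate sample chain, its subject names and its `pathlen` values are constructed for illustration and are assumptions, not the reporter's actual certificates. The optional `load_chain_from_pem` helper assumes the third-party `cryptography` package is installed and is only needed if you want to feed it a real PEM bundle.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class ChainCert:
    """Minimal view of a certificate: only what the path-length check needs."""
    subject: str
    is_ca: bool                  # Basic Constraints CA flag
    path_len: Optional[int]      # Basic Constraints pathLenConstraint, None if absent
    self_issued: bool = False    # subject == issuer (self-issued certs do not count)


def check_path_length(chain: List[ChainCert]) -> Tuple[bool, str]:
    """Apply the RFC 5280 pathLenConstraint rule to a chain ordered leaf first.

    Index 0 is the end-entity certificate, the last element is the root, so the
    index of each certificate is its OpenSSL 'depth'.  For every CA certificate
    that carries a pathLenConstraint, count the non-self-issued intermediates
    strictly between it and the leaf; more than path_len of them is a violation.
    Returns (ok, message) in the style of the OpenVPN/OpenSSL VERIFY ERROR line.
    """
    for depth, cert in enumerate(chain):
        if depth > 0 and not cert.is_ca:
            return False, f"depth={depth}, error=invalid CA certificate: {cert.subject}"
        if cert.path_len is None:
            continue
        intermediates_below = chain[1:depth]   # excludes the leaf and this cert
        count = sum(1 for c in intermediates_below if not c.self_issued)
        if count > cert.path_len:
            return (False,
                    f"depth={depth}, error=path length constraint exceeded: "
                    f"{cert.subject} (pathlen:{cert.path_len}, found {count} "
                    f"intermediate(s) below it)")
    return True, "chain ok"


def load_chain_from_pem(pem_text: str) -> List[ChainCert]:
    """Build a ChainCert list from a PEM bundle ordered leaf first.

    Requires the 'cryptography' package (assumed installed); not used by the
    sample run below.
    """
    from cryptography import x509   # third-party, imported lazily

    out: List[ChainCert] = []
    marker = "-----END CERTIFICATE-----"
    for block in pem_text.split(marker):
        if "-----BEGIN CERTIFICATE-----" not in block:
            continue
        cert = x509.load_pem_x509_certificate((block + marker).encode())
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            is_ca, plen = bc.ca, bc.path_length
        except x509.ExtensionNotFound:
            is_ca, plen = False, None
        out.append(ChainCert(cert.subject.rfc4514_string(), is_ca, plen,
                             self_issued=(cert.subject == cert.issuer)))
    return out


# Constructed sample chain (hypothetical names and pathlen values), shaped like
# the thread's five-certificate PKI: the CA at depth 2 carries pathlen:0 but
# still has an issuing CA beneath it, so OpenSSL rejects the leaf at depth=2.
SAMPLE_CHAIN = [
    ChainCert("CN=client01", is_ca=False, path_len=None),
    ChainCert("CN=Sample Issuing CA", is_ca=True, path_len=None),
    ChainCert("CN=Sample MAIN CA", is_ca=True, path_len=0),
    ChainCert("CN=Sample Intermediate CA", is_ca=True, path_len=2),
    ChainCert("CN=Sample Root CA", is_ca=True, path_len=None, self_issued=True),
]


def fixed_chain() -> List[ChainCert]:
    """Same chain with the MAIN CA re-issued as pathlen:1, which admits one
    intermediate below it; the constructed remedy, not something the thread did."""
    chain = list(SAMPLE_CHAIN)
    chain[2] = replace(chain[2], path_len=1)
    return chain


if __name__ == "__main__":
    for label, chain in (("as reported", SAMPLE_CHAIN), ("after fix", fixed_chain())):
        ok, msg = check_path_length(chain)
        print(f"{label}: {'OK' if ok else 'VERIFY ERROR'}: {msg}")
```

To see the real values for an existing chain, `openssl x509 -noout -text -in <cert.pem>` prints the Basic Constraints line (`CA:TRUE, pathlen:N`) for each certificate; the depth number in the server log tells you which certificate in the chain, counting from the client certificate at depth 0, carries the constraint that was exceeded.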

schwabe commented 4 years ago

It would be helpful if you can narrow it down, e.g. running a different server. E.g. an Ubuntu openvpn binary (maybe in a linux jail/chroot? Or a short-lived aws/digital ocean instance for a few cents). What library is openvpn linked against? (Should report this on startup).

And see if that is something with the server side that goes away with different libraries.