From: Paco H. <bh...@ci...> - 2006-01-19 15:08:09
Short version of the question: I'm getting errors validating a certificate at the client side and nothing I do seems to remedy it. The server uses a wildcard certificate, and I'm wondering if that's part of the problem. I noticed that the example "verify-cn" perl script would fail on a wildcard certificate, so I thought perhaps there are other parts of the system that don't handle it right, either.

Details: My company uses the same wildcard certificate for most of its externally-facing systems. Here are the relevant (I think) bits:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:57:bb:22:77:27:3f:e3:f7:4e:f2:2b:b7:57:48:37
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: Oct 10 00:00:00 2005 GMT
            Not After : Oct 10 23:59:59 2006 GMT
        Subject: C=US/2.5.4.17=20161, ST=VA, L=Sterling/2.5.4.9=21351 Ridgetop Circle, O=cigital.com, OU=corporate, OU=PremiumSSL Wildcard, CN=*.cigital.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                94:76:EA:0E:DD:7F:B1:E0:D8:76:28:47:25:2C:78:0B:4E:6B:B2:DF
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type:
                SSL Client, SSL Server
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.net/CPS

(sorry for the unfortunate line breaks, Microsoft Entourage does dumb things when I force it to plain text)

You can get the Root CA here:
http://www.instantssl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt

and the intermediate, issuing CA here:
http://www.instantssl.com/ssl-certificate-support/cert_installation/AddTrustUTNServerCA.crt

On the server, I have the wildcard certificate as the "cert" parameter, and both CAs are in the file that the "ca" parameter uses.
My client is FreeBSD 5.4-STABLE running OpenVPN 2.0.5 built from ports. My server is FreeBSD 5.4-STABLE running OpenVPN 2.0.5 built from ports.

Here's the client config:

dev tun
auth-user-pass
tls-client
proto tcp-client
remote [[my host]]
port 1194
ca /usr/local/etc/openvpn/ca.crt

I'm invoking it this way for testing purposes:

sudo openvpn --client --config client.conf --verb 4

The client gives me various behaviors in various situations, depending on the contents of the ca.crt file.

1. If the ca.crt file contains a valid CA, but not one that is at all related to my server's certificate, I get this error:

Thu Jan 19 10:00:39 2006 us=315557 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: /C=US/ST=UT/L=Salt_Lake_City/O=The_USERTRUST_Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

That sorta makes sense, since it follows the chain up, and stops at a self-signed certificate that it doesn't trust.

2. If the ca.crt file contains (a) just the root CA, or (b) both the root and intermediate CAs, I get this verify error:

Thu Jan 19 10:02:20 2006 us=170284 VERIFY ERROR: depth=1, error=invalid CA certificate: /C=SE/O=AddTrust_AB/OU=AddTrust_External_TTP_Network/CN=AddTrust_External_CA_Root

What's puzzling is that it doesn't complain about depth 1 when the problem is a self-signed CA at depth 2.

Lastly, openssl verifies this set of certificates just fine if I ask it to verify using this command:

openssl verify -verbose -purpose sslserver -CAfile ca.crt star.crt
star.crt: OK

Reading the man page on the verify command, I come across this discussion:

24 X509_V_ERR_INVALID_CA: invalid CA certificate
    a CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.

What purpose is openvpn trying to validate? Am I on a wild goose chase and looking in totally the wrong place?
Thanks,
Paco
--
Paco Hope, CISSP
Managing Consultant
Cigital, Inc.
http://www.cigital.com/
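The two failure modes in the post (X509_V_ERR_INVALID_CA, error 24, reported at depth 1, and a chain that cannot be completed at all) and the wildcard-name check that the sample verify-cn script gets wrong can be reproduced with a throwaway PKI. The script below is an added example; it is not part of the original post and is not OpenVPN or OpenSSL project code. The CA names, the *.example.test domain, the file names and the helper function names are all constructed here, and it assumes an openssl binary of version 1.1.0 or newer on PATH (needed for -verify_hostname). It does not claim to show the cause of Paco's specific error; it shows how the verifier arrives at each of those messages.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN/OpenSSL: a
# throwaway PKI built with the openssl CLI that reproduces the chain and
# hostname checks a TLS client runs on a wildcard server certificate.
# All names (Demo Root CA, Demo Intermediate CA, *.example.test) and the
# helper function names are constructed for this example.
# Assumes: an openssl binary >= 1.1.0 on PATH (for -verify_hostname).

# Build root CA -> intermediate CA -> "*.example.test" leaf in a temp dir.
# The intermediate key is certified twice by the root: once as a proper CA
# (CA:TRUE) and once with CA:FALSE, so the same leaf chains to either copy.
build_demo_pki() {
  PKI_DIR=${PKI_DIR:-$(mktemp -d)}
  cd "$PKI_DIR" || return 1
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_root
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > ca_ok.ext
  # Same subject and key, but basicConstraints says "not a CA": the verifier
  # must reject it with X509_V_ERR_INVALID_CA (error 24) when it sits at depth 1.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' > ca_bad.ext
  for v in ok bad; do
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -sha256 -extfile "ca_$v.ext" -out "inter_$v.crt" >/dev/null 2>&1
  done
  # Wildcard server certificate, issued by the intermediate key; the name is
  # carried in subjectAltName as well as the CN, as modern clients expect.
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=*.example.test" -keyout star.key -out star.csr >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth,clientAuth' \
    'subjectAltName=DNS:*.example.test' > star.ext
  openssl x509 -req -in star.csr -CA inter_ok.crt -CAkey inter.key -CAcreateserial \
    -days 2 -sha256 -extfile star.ext -out star.crt >/dev/null 2>&1
  cat root.crt inter_ok.crt > ca_ok.pem     # what a client's ca file should hold
  cat root.crt inter_bad.crt > ca_bad.pem   # root plus the broken intermediate
  cp root.crt ca_root_only.pem              # root only, intermediate absent
}

# verify_server_chain BUNDLE LEAF [SENT]: verify LEAF with the TLS-server
# purpose against the trusted BUNDLE. SENT is an optional file of untrusted
# certificates and stands in for the chain a TLS server sends with its leaf.
# Prints OK, INVALID_CA (error 24), NO_ISSUER (error 20) or OTHER.
verify_server_chain() {
  bundle=$1; leaf=$2; sent=$3
  set -- -purpose sslserver -CAfile "$bundle"
  if [ -n "$sent" ]; then set -- "$@" -untrusted "$sent"; fi
  if out=$(openssl verify "$@" "$leaf" 2>&1); then
    echo OK; return 0
  fi
  case "$out" in
    *"error 24 at"*) echo INVALID_CA ;;   # X509_V_ERR_INVALID_CA
    *"error 20 at"*) echo NO_ISSUER ;;    # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    *) echo OTHER ;;
  esac
  return 1
}

# matches_hostname NAME: does the wildcard leaf verify for host NAME?
# A wildcard covers exactly one label: vpn.example.test matches, while
# example.test and a.b.example.test do not.
matches_hostname() {
  openssl verify -purpose sslserver -CAfile ca_ok.pem \
    -verify_hostname "$1" star.crt >/dev/null 2>&1
}
```

Run build_demo_pki once, then call verify_server_chain with the three bundles: ca_ok.pem verifies, ca_bad.pem yields error 24 at depth 1, and ca_root_only.pem yields error 20 (no local issuer) unless the intermediate is supplied as the third, untrusted argument, which is the position a TLS client is in when the server sends its chain. Keeping the purpose check (-purpose sslserver) in every call matters: X509_V_ERR_INVALID_CA is raised both when an issuer is not marked as a CA and when its extensions are inconsistent with the purpose being checked, so the same message can have either cause.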