Faulty openvpn-client-export config files.



  • Hi,

    I'd exported my Android user config (inline) with the openvpn-client-export utility.

    I can't import those into my android.

    I get the following error:

    No endtag for starttag <tls-auth>found

    I checked the generated config and it looks as if it was half exported:

    <tls-auth>#

    2048 bit OpenVPN static key

    -----BEGIN OpenVPN Static key V1-----
    3563656648eregr4545t4gf4wt54tw45e8b
    f37eee2tzer2b580fe57954af737dc36c064
    2b59471dbc95238b4c6662e3377bae8b
    7146db0fa26f3d9349b70b4f803c5a97
    8ec7ba43c2a8eaa3aa543b142d8722e0
    f058925f41e214f43fc8893248cfe280
    30b7ebcb5zer536362awa532632q5641a6
    696917f05b54a72b96689f7448a63176
    7ef4bd168d5df68a9bdc5b26a50acc89
    56e54004dec763bb613da3988330f769
    1d1adb3c45346346457z54763

    As you see, it looks as if it wasn't fully exported.

    If I download the zip archive I can't unzip it. Faulty archive (file-roller & 7-zip for me).

    Any help?

    Thanks

    elemay


  • LAYER 8 Global Moderator

    And using what version of pfSense, snapshot? What browser, what version of the export package?

    I am on 2.1.1 snap
    2.1.1-PRERELEASE (i386)
    built on Thu Feb 13 13:59:46 EST 2014
    FreeBSD 8.3-RELEASE-p14

    using 1.2.4 of the export package with firefox 28 and working here, both the inline and zip files are fine.



  • My version:

    2.1.1-PRERELEASE (amd64)
    built on Wed Mar 26 13:50:51 EDT 2014
    FreeBSD 8.3-RELEASE-p14

    openvpn-client-export-utility:

    1.2.4

    Tried with Firefox 24.4.0 and Chromium 33.0.1750.152 (256984).

    And I forgot to mention those lines as the first 2 lines of my config files (stupid me):

    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 419
    
    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 480
    

    greetings



    When I go to cert-manager I also get those lines in the webui:

    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 394
    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 444
    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 490

    Any way to fix this?


  • Banned

    @elemay:

    any way to fix this?

    The way to fix the warning is to stop issuing insane certificates that expire after 2050.

    https://bugs.php.net/bug.php?id=66636
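The warning names an ASN.1 data type for the timestamp, and RFC 5280 encodes validity dates through 2049 as UTCTime and dates from 2050 on as GeneralizedTime, so affected certificates can be found by reading the tag of their validity fields. The following check is an added example, not code from this thread or from pfSense; the function names and the certificate-shaped sample input are constructed for illustration.

```python
# Added example, standard library only. Sample inputs are constructed.
UTCTIME, GENERALIZEDTIME = 0x17, 0x18   # ASN.1 universal tags for the two Time choices
NAMES = {UTCTIME: "UTCTime", GENERALIZEDTIME: "GeneralizedTime"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end

def validity_encoding(der):
    """Return {'notBefore': (asn1_type, text), 'notAfter': (...)} for a DER certificate."""
    _, tbs = next(children(next(children(der))[1]))   # Certificate -> tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                          # skip the optional [0] version
        fields = fields[1:]
    _, validity = fields[3]                           # after serial, signature, issuer
    times = [(NAMES.get(t, hex(t)), v.decode("ascii")) for t, v in children(validity)]
    return dict(zip(("notBefore", "notAfter"), times))

def uses_generalizedtime(der):
    """True if either validity date is GeneralizedTime (RFC 5280: years 2050 and later)."""
    return any(kind == "GeneralizedTime" for kind, _ in validity_encoding(der).values())

def tlv(tag, value):
    """Encode one DER element; short-form length is enough for the samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def skeleton_cert(not_before, not_after):
    """Constructed input: certificate-shaped DER with dummy fields, not a signed cert."""
    def time(s):                                      # 15 chars = YYYYMMDDHHMMSSZ
        return tlv(GENERALIZEDTIME if len(s) == 15 else UTCTIME, s.encode())
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + tlv(0x30, b"") + tlv(0x30, time(not_before) + time(not_after)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real certificate, pass the DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert(pem_text)` from the standard library.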



  • Hi doktornotor,

    That's nice to know.

    My cert shows:

    Valid From: 	Wed, 07 Mar 2012 17:48:38 +0100
    Valid Until: 	
    

    As you can see, no Valid Until is shown.

    My client certs show (the one I want to export):

    Valid From: 	Mon, 31 Mar 2014 20:33:42 +0200
    Valid Until: 	Thu, 28 Mar 2024 19:33:42 +0100
    

    Funny thing is that I could export an older cert just fine (1 year ago :P )

    Maybe with the mentioned fix for 'GENERALIZEDTIME parsing' they broke my cert export :P

    I'll try with a new cert.

    Thanks



  • I found this topic searching for a solution to this error:

    An error code was received while attempting Filter sync with username …  - Code 2: Invalid return payload: enable debugging to examine incoming payload

    This error started happening after upgrading from 2.1 to >=2.1.1-2.1.4

    The "Warning" that the new openssl version generates breaks the XML response that rc.filter_synchronize uses, and thus the referred error appears in the System Log.

    If one cannot recreate the SSL certs with an expiration year before 2050, one way to work around this is to use the PHP functions ob_start(); and ob_end_clean();.

    I've modified /etc/inc/certs.inc (in every CARP server), adding this function:

    
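    // Wrapper that buffers and discards anything openssl_x509_parse() prints
    // (such as the timestamp warning), so it cannot end up in the response.
    function openssl_x509_parse_nooutput($str_crt) {
    	ob_start();
    	$inf_crt = openssl_x509_parse($str_crt);
    	ob_end_clean();
    	return $inf_crt;
    }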
    
    

    And then, modified (in the same file) every call to openssl_x509_parse to the new openssl_x509_parse_nooutput.

    I've been using this workaround for a couple of hours and everything seems to work fine, and the Sync error now reads:

    php: rc.filter_synchronize: Filter sync successfully completed with …



  • Hi,

    I have the same problem.

    I created a new certificate and recognized a mistyping in the Name.
    Then I deleted it. After I recognized the text in the WebGui of the Certificate Authority Manager:

    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 394
    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 444
    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 490

    Maybe it is, because the name for the Cert. that I wrongly entered, was the same that was already in use?

    I can not export any Client or Certificates anymore, like elemay mentioned.

    Is there any possibility to get more details where the problem is caused by?

    Maybe someone could help me how to fix it.

    BR and many thanks in advance.

