AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

Wolfgang Knauf <WKnauf@xxxxxxxxxxxx> · Mon, 4 Mar 2019 09:21:11 +0000

Hi,

the output is this:

C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in ..\config\SSL_HUG1@xxxxxxxxxxxxxxxxxxxxxxx\l1139218.vt-security.de.user.crt
Error: offset too large

Would it be OK if I send the crt file to only your mail adress? I don't feel save by posting it to the mailing list ;-)?

I did not try to convert the date - still have the hope that it is an OpenSSL issue and can be fixed there ;-).

Best regards

Wolfgang

-----Ursprüngliche Nachricht-----
Von: openssl-users <openssl-users-bounces@xxxxxxxxxxx> Im Auftrag von Richard Levitte
Gesendet: Montag, 4. März 2019 10:02
An: openssl-users@xxxxxxxxxxx
Betreff: Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

The format error refers to how the numbers are encoded in the certificate.  The best way to see for ourselves is if you can run 'openssl asn1parse' on the certificate and show us the sequence that contains the notBefore and notAfter time-stamps.  The are seen together between the issuer name and the subject name.

As an example, here's the 'openssl asn1parse' output for
test/testx509.pem:

    : ; openssl asn1parse -i -in test/testx509.pem 
        0:d=0  hl=4 l= 347 cons: SEQUENCE          
        4:d=1  hl=4 l= 262 cons:  SEQUENCE          
        8:d=2  hl=2 l=   1 prim:   INTEGER           :18
       11:d=2  hl=2 l=  13 cons:   SEQUENCE          
       13:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
       24:d=3  hl=2 l=   0 prim:    NULL              
       26:d=2  hl=2 l=  56 cons:   SEQUENCE          
       28:d=3  hl=2 l=  11 cons:    SET               
       30:d=4  hl=2 l=   9 cons:     SEQUENCE          
       32:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
       37:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
       41:d=3  hl=2 l=  12 cons:    SET               
       43:d=4  hl=2 l=  10 cons:     SEQUENCE          
       45:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
       50:d=5  hl=2 l=   3 prim:      PRINTABLESTRING   :QLD
       55:d=3  hl=2 l=  27 cons:    SET               
       57:d=4  hl=2 l=  25 cons:     SEQUENCE          
       59:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
       64:d=5  hl=2 l=  18 prim:      PRINTABLESTRING   :SSLeay/rsa test CA
       84:d=2  hl=2 l=  30 cons:   SEQUENCE          
       86:d=3  hl=2 l=  13 prim:    UTCTIME           :950619233312Z
      101:d=3  hl=2 l=  13 prim:    UTCTIME           :950717233312Z
      116:d=2  hl=2 l=  58 cons:   SEQUENCE          
      118:d=3  hl=2 l=  11 cons:    SET               
      120:d=4  hl=2 l=   9 cons:     SEQUENCE          
      122:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
      127:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
      131:d=3  hl=2 l=  12 cons:    SET               
      133:d=4  hl=2 l=  10 cons:     SEQUENCE          
      135:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
      140:d=5  hl=2 l=   3 prim:      PRINTABLESTRING   :QLD
      145:d=3  hl=2 l=  29 cons:    SET               
      147:d=4  hl=2 l=  27 cons:     SEQUENCE          
      149:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
      154:d=5  hl=2 l=  20 prim:      PRINTABLESTRING   :SSLeay/rsa test cert
      176:d=2  hl=2 l=  92 cons:   SEQUENCE          
      178:d=3  hl=2 l=  13 cons:    SEQUENCE          
      180:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
      191:d=4  hl=2 l=   0 prim:     NULL              
      193:d=3  hl=2 l=  75 prim:    BIT STRING        
      270:d=1  hl=2 l=  12 cons:  SEQUENCE          
      272:d=2  hl=2 l=   8 prim:   OBJECT            :md5
      282:d=2  hl=2 l=   0 prim:   NULL              
      284:d=1  hl=2 l=  65 prim:  BIT STRING        

Here, the notBefore and notAfter are the following lines:

       84:d=2  hl=2 l=  30 cons:   SEQUENCE          
       86:d=3  hl=2 l=  13 prim:    UTCTIME           :950619233312Z
      101:d=3  hl=2 l=  13 prim:    UTCTIME           :950717233312Z

For visualization, this is the text form output of the same:

    : ; openssl x509 -in test/testx509.pem -dates -noout
    notBefore=Jun 19 23:33:12 1995 GMT
    notAfter=Jul 17 23:33:12 1995 GMT

So now, for the encoding, RFC5280 has a few things to say (https://tools.ietf.org/html/rfc5280#section-4.1.2.5).  However, for the dates you display, it should be easy, the should be the following:

    UTCTIME	:091022132829Z
    UTCTIME	:370308132829Z

If you see something violently different (such as GeneralizedTime instead of UTCTIME), or the number of digits being wrong (12 for UTCTIME, 14 for GeneralizedTime), or there being something other than 'Z' at the end, then you know why you get that error.

(I encoded those numbers manually, so I hope I got them right)

Cheers,
Richard

On Mon, 04 Mar 2019 09:08:30 +0100,
Wolfgang Knauf wrote:
> 
> 
> Hi,
> 
> I first asked this question in the OpenVPNGui forum, and they 
> redirected me to here: OpenVPNGui
> 2.4.6 works with a customers server certificate, but it fails when using 2.4.7.
> 
> Here is the thread in the OpenVPNGui forum: 
> https://forums.openvpn.net/viewtopic.php?f=24&t=27976
> 
> The error is:
> 
> Thu Feb 28 08:48:50 2019 VERIFY ERROR: depth=0, error=format error in 
> certificate's notAfter field
> : C=de, L=Dortmund, O=Versatel, CN=ASG_1, emailAddress=...
> 
> The certificate has those fields:
> 
>         Validity
> 
>             Not Before: Oct 22 13:28:29 2009 GMT
> 
>             Not After : Mar  8 13:28:29 2037 GMT
> 
> The customer provided us with a „…..ca.crt“ file, a „….user.crt“ file 
> and a „user.key“ file. But I fear it is not smart to post those files in the internet ;-).
> 
> Best regards
> 
> Wolfgang
> 
> 
-- 
Richard Levitte         levitte@xxxxxxxxxxx
OpenSSL Project         http://www.openssl.org/~levitte/