AW: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

Wolfgang Knauf WKnauf at hg-online.de
Mon Mar 4 13:24:40 UTC 2019 

Might the reason for this error be some server certificate that I don't have locally but that is downloaded/checked during the OpenVPNGui connection?

Sorry is this is a dumb questions, but I am just a user of OpenVPNGui and don't have knowledge about the internals...

Wolfgang

-----Ursprüngliche Nachricht-----
Von: Jan Just Keijser <janjust at nikhef.nl> 
Gesendet: Montag, 4. März 2019 14:16
An: Wolfgang Knauf <WKnauf at hg-online.de>; openssl-users at openssl.org
Betreff: Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

On 04/03/19 10:21, Wolfgang Knauf wrote:
> Hi,
>
> the output is this:
>
> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in 
> ..\config\SSL_HUG1 at l1139218.vt-security.de\l1139218.vt-security.de.use
> r.crt
> Error: offset too large
>
> Would it be OK if I send the crt file to only your mail adress? I don't feel save by posting it to the mailing list ;-)?
>
>
I ran into the "offset too large" problem myself with my own certs as well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the parts starting with --BEGIN CERTIFICATE--

You can use
   openssl x509 -in l1139218.vt-security.de.user.crt -out | openssl ans1parse to work around this.
For your certificates this results in

     0:d=0  hl=4 l= 942 cons: SEQUENCE
     4:d=1  hl=4 l= 791 cons: SEQUENCE
     8:d=2  hl=2 l=   3 cons: cont [ 0 ]
    10:d=3  hl=2 l=   1 prim: INTEGER           :02
    13:d=2  hl=2 l=   9 prim: INTEGER           :C604316CD0321FA1
    24:d=2  hl=2 l=  13 cons: SEQUENCE
    26:d=3  hl=2 l=   9 prim: OBJECT :sha256WithRSAEncryption
    37:d=3  hl=2 l=   0 prim: NULL
[...]
   155:d=2  hl=2 l=  30 cons: SEQUENCE
   157:d=3  hl=2 l=  13 prim: UTCTIME           :160418140054Z
   172:d=3  hl=2 l=  13 prim: UTCTIME           :370308132808Z
   187:d=2  hl=2 l=  88 cons: SEQUENCE
   189:d=3  hl=2 l=  11 cons: SET
   191:d=4  hl=2 l=   9 cons: SEQUENCE
   193:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   198:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :de

In other words, the dates look OK to me.
Also, I've thrown my own verification code against the certificate and everything checks out OK.
I'll see if I can reproduce the issue in my own OpenVPN setup.

HTH,

JJK / Jan Just Keijser

More information about the openssl-users mailing list