AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field
Hubert Kario
hkario at redhat.com
Mon Mar 4 15:22:32 UTC 2019
On Monday, 4 March 2019 15:20:36 CET Jan Just Keijser wrote:
> Hi Matt,
>
> On 04/03/19 14:24, Matt Caswell wrote:
> > On 04/03/2019 13:16, Jan Just Keijser wrote:
> >> On 04/03/19 10:21, Wolfgang Knauf wrote:
> >>> Hi,
> >>>
> >>> the output is this:
> >>>
> >>> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
> >>> ..\config\SSL_HUG1 at l1139218.vt-security.de\l1139218.vt-security.de.user.
> >>> crt
> >>> Error: offset too large
> >>>
> >>> Would it be OK if I send the crt file to only your mail address? I don't
> >>> feel safe by posting it to the mailing list ;-)?
> >>
> >> I ran into the "offset too large" problem myself with my own certs as
> >> well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the
> >> parts starting with --BEGIN CERTIFICATE--
> >
> > asn1parse will expect PEM by default but is perfectly capable of
> > processing raw DER too. Just use the "-inform DER" option.
>
> 100% true but that is not what I was referring to; my certs usually look
> like this:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 5338 (0x14da)
> Signature Algorithm: sha256WithRSAEncryption
> [...]
> -----BEGIN CERTIFICATE-----
> MIIEmjCCA4KgAwIBAgICFNowDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCTkwx
>
>
> it's that part *before* the --BEGIN CERTIFICATE-- on which the
> asn1parse command chokes. You can feed it either a DER file or a PEM
> blob - but not a certificate file with the certificate info listed in it.
Ah, yes, that's https://github.com/openssl/openssl/issues/7317
That should be possible to work around with the -strictpem option.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
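
The workaround discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a Python sketch that takes only the data between the BEGIN/END markers, so the text dump in front of the block is ignored, and then lists the DER headers. The function names and the sample file are constructed for illustration, and multi-byte tag numbers are not handled.

```python
import base64
import re

# Strict PEM framing: only base64 between matching BEGIN/END lines counts as data.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)

def extract_pem(text, label="CERTIFICATE"):
    """Return DER bytes of the first PEM block with this label, ignoring
    any human-readable text before or after the block."""
    for m in PEM_RE.finditer(text):
        if m.group("label") == label:
            body = "".join(m.group("body").split())
            return base64.b64decode(body, validate=True)
    raise ValueError("no PEM block labelled %r found" % label)

def walk_der(data, offset=0, end=None, depth=0):
    """Yield (offset, depth, tag, length) per TLV, descending into constructed types."""
    end = len(data) if end is None else end
    while offset < end:
        start = offset
        if end - offset < 2:
            raise ValueError("truncated header at offset %d" % start)
        tag, length = data[offset], data[offset + 1]
        offset += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or offset + n > end:
                raise ValueError("bad length encoding at offset %d" % start)
            length = int.from_bytes(data[offset:offset + n], "big")
            offset += n
        if offset + length > end:
            raise ValueError("length runs past end of data at offset %d" % start)
        yield (start, depth, tag, length)
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n] EXPLICIT): parse contents
            yield from walk_der(data, offset, offset + length, depth + 1)
        offset += length

# Constructed sample, not a real certificate: SEQUENCE { INTEGER 5338, UTCTime }
_body = b"\x02\x02\x14\xda" + b"\x17\x0d" + b"190304152232Z"
SAMPLE_DER = b"\x30" + bytes([len(_body)]) + _body
SAMPLE_FILE = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for off, depth, tag, length in walk_der(extract_pem(SAMPLE_FILE)):
        print("%5d: d=%d tag=0x%02x l=%d" % (off, depth, tag, length))
```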