AW: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field
WKnauf at hg-online.de
Mon Mar 4 13:24:40 UTC 2019
Might the reason for this error be some server certificate that I don't have locally but that is downloaded/checked during the OpenVPNGui connection?
Sorry is this is a dumb questions, but I am just a user of OpenVPNGui and don't have knowledge about the internals...
Von: Jan Just Keijser <janjust at nikhef.nl>
Gesendet: Montag, 4. März 2019 14:16
An: Wolfgang Knauf <WKnauf at hg-online.de>; openssl-users at openssl.org
Betreff: Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field
On 04/03/19 10:21, Wolfgang Knauf wrote:
> the output is this:
> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in
> ..\config\SSL_HUG1 at l1139218.vt-security.de\l1139218.vt-security.de.use
> Error: offset too large
> Would it be OK if I send the crt file to only your mail adress? I don't feel save by posting it to the mailing list ;-)?
I ran into the "offset too large" problem myself with my own certs as well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the parts starting with --BEGIN CERTIFICATE--
You can use
openssl x509 -in l1139218.vt-security.de.user.crt -out | openssl ans1parse to work around this.
For your certificates this results in
0:d=0 hl=4 l= 942 cons: SEQUENCE
4:d=1 hl=4 l= 791 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 9 prim: INTEGER :C604316CD0321FA1
24:d=2 hl=2 l= 13 cons: SEQUENCE
26:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
37:d=3 hl=2 l= 0 prim: NULL
155:d=2 hl=2 l= 30 cons: SEQUENCE
157:d=3 hl=2 l= 13 prim: UTCTIME :160418140054Z
172:d=3 hl=2 l= 13 prim: UTCTIME :370308132808Z
187:d=2 hl=2 l= 88 cons: SEQUENCE
189:d=3 hl=2 l= 11 cons: SET
191:d=4 hl=2 l= 9 cons: SEQUENCE
193:d=5 hl=2 l= 3 prim: OBJECT :countryName
198:d=5 hl=2 l= 2 prim: PRINTABLESTRING :de
In other words, the dates look OK to me.
Also, I've thrown my own verification code against the certificate and everything checks out OK.
I'll see if I can reproduce the issue in my own OpenVPN setup.
JJK / Jan Just Keijser
More information about the openssl-users