Package: openvpn
Version: 2.0-1
Severity: wishlist

If the CA's certificate was issued with a country code, and a client's 
certificate is built (with build-key from the easy-rsa CA script) for another 
one, then openssl ca will silently fail.
The result will be an empty .cert file for the client, which openvpn will 
obviously refuse to load.

I'm not sure it's not a bug of openssl to generate an empty certificate file 
instead of nothing, but anyway, it's not obvious to the user (although he/she 
won't be asked for confirmation of the certificate expiration date and so 
on...).

Of course this situation is not really normal, but it may happen if a user 
doesn't edit vars, for instance, and generates certificates by typing in the 
codes and making a mistake.


I think it would be great to have some kind of error checking on the openssl 
execution in the build-key script, or maybe only invoking openssl ca with the 
-verbose option in that script.

Hope this helps.

Best regards
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openvpn depends on:
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  liblzo1                     1.08-1.2     A real-time data compression libra
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries

-- debconf information:
  openvpn/change_init: true
* openvpn/stop2upgrade: false
* openvpn/default_port:
* openvpn/create_tun: false
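
One way to implement the error checking requested in this report, as an added example that is not part of the original report or of easy-rsa's build-key: a POSIX shell wrapper that runs the signing command and rejects a non-zero exit status, an empty output file, or output with no PEM certificate block. The function name `sign_checked`, the file names and the use of `$KEY_CONFIG` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not easy-rsa code. sign_checked and the file names in the
# usage line are hypothetical; -verbose is the option the report suggests.
#
# Usage: sign_checked OUTFILE COMMAND [ARGS...]
#   sign_checked client1.crt openssl ca -verbose \
#       -out client1.crt -in client1.csr -config "$KEY_CONFIG"
#
# Returns 0 on success, 1 if the command failed, 2 on bad usage,
# 3 if OUTFILE is missing or empty, 4 if it holds no PEM certificate.
sign_checked() {
    sc_out=$1
    if [ -z "$sc_out" ] || [ "$#" -lt 2 ]; then
        echo "usage: sign_checked OUTFILE COMMAND [ARGS...]" >&2
        return 2
    fi
    shift

    # Run the signing command; the if/else keeps this safe under `set -e`.
    if "$@"; then sc_status=0; else sc_status=$?; fi

    if [ "$sc_status" -ne 0 ]; then
        echo "error: signing command exited with status $sc_status" >&2
        # Do not leave a zero-length file that looks like a certificate.
        [ -s "$sc_out" ] || rm -f -- "$sc_out"
        return 1
    fi

    # Exit status 0 is not enough: the report describes an empty output file.
    if [ ! -s "$sc_out" ]; then
        echo "error: $sc_out is missing or empty; no certificate was issued" >&2
        rm -f -- "$sc_out"
        return 3
    fi

    # The output must contain a PEM certificate block.
    if ! grep -q -F -e '-----BEGIN CERTIFICATE-----' -- "$sc_out"; then
        echo "error: $sc_out contains no PEM certificate" >&2
        return 4
    fi
    return 0
}
```

A file that is non-empty but holds no certificate is kept on disk so that whatever the signing command wrote can be inspected.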

