tls-export-cert does not export the correct client cert
In case the peer uses a certificate bundle that includes the root certificate and/or intermediate certificates, the certificate that is exported when tls-export-cert is defined is the root certificate of the bundle and not the actual client certificate.
Version information (please complete the following information):
- OS: CentOS Linux release 7.9.2009 (Core)
- OpenVPN version: OpenVPN 2.4.12
This feature is probably going to be reimplemented from scratch due to license issues in the near future anyway. So please wait until that happens. Also, you should check with a more recent version of OpenVPN whether the bug still exists. 2.4.12 is really old by now.
I will set up a different OS since RHEL 8 derivatives all use that version as well.
One more bit of info: the behaviour is actually really inconsistent. On occasion I get the correct cert exported, and on those occasions the correct env variables are exposed as well, i.e. all of the following:
X509_0_CN= X509_0_C= X509_0_L= X509_0_O=
X509_1_O= X509_1_C=
X509_2_C= X509_2_O= X509_2_L=
In the cases where I only get the root certificate, only the following
X509_2_C= X509_2_O= X509_2_L=
are exposed as environment variables in the tls_verify script.
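As an added illustration (not code from the OpenVPN project or from anyone in this thread), a --tls-verify script that cross-checks the file exported by --tls-export-cert (OpenVPN passes its path in the peer_cert environment variable) against X509_0_CN, the depth-0 subject CN described above, and refuses the connection when they differ. It assumes the script is installed as tls-verify.sh and that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not part of OpenVPN: detect a wrong --tls-export-cert file.
# OpenVPN runs a tls-verify script as "script <depth> <subject>" once per
# certificate in the chain and exports the leaf certificate path in $peer_cert.
# If $peer_cert actually holds the root of a bundle (the symptom reported
# above), its CN will not equal $X509_0_CN and the leaf check below fails.

# Extract the CN from an "openssl x509 -noout -subject" output line.
# Handles both "subject=CN = x, O = y" and "subject=/CN=x/O=y" layouts.
cn_from_subject_line() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Return 0 when the CN read from the exported file equals the CN OpenVPN
# reports for depth 0 (and neither is empty), 1 otherwise.
cn_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Verify logic: $1 is the chain depth, $2 the subject string from OpenVPN.
verify_peer() {
    depth=$1
    # Only the leaf (depth 0) is compared; intermediates and root pass through.
    [ "$depth" -ne 0 ] && return 0
    if [ -z "$peer_cert" ] || [ ! -r "$peer_cert" ]; then
        echo "tls-verify: peer_cert not set or unreadable" >&2
        return 1
    fi
    subj=$(openssl x509 -in "$peer_cert" -noout -subject 2>/dev/null) || return 1
    cert_cn=$(cn_from_subject_line "$subj")
    if cn_matches "$cert_cn" "$X509_0_CN"; then
        return 0
    fi
    echo "tls-verify: exported cert CN '$cert_cn' != X509_0_CN '$X509_0_CN'" >&2
    return 1
}

# Run only when invoked by OpenVPN under the assumed file name (tls-verify.sh),
# so the functions can also be sourced for testing.
case "$0" in
    */tls-verify.sh|tls-verify.sh) verify_peer "$@"; exit $? ;;
esac
```

A non-zero exit from a tls-verify script makes OpenVPN reject the connection, so a mismatch shows up in the OpenVPN log as a failed TLS verification rather than silently handing the wrong certificate to later scripts.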
It would be nice if you could test this issue with 2.6.9, which contains the reimplementation of the tls-export-cert feature @schwabe was talking about.
@thanos-k any news about testing on a recent release?