Bug #11054: Check Client Certificate CN not working as described - pfSense Packages - pfSense bugtracker

Custom queries

Open package bugs
Package Feedback Issues

Actions

Copy link

Bug #11054

open

Check Client Certificate CN not working as described

Added by Anonymous about 4 years ago. Updated over 1 year ago.

Status:

Assigned

Priority:

Normal

Assignee:

Viktor Gurov

Category:

FreeRADIUS

Target version:

Start date:

11/11/2020

Due date:

% Done:

Estimated time:

Plus Target Version:

Affected Version:

2.4.5-p1

Affected Plus Version:

Affected Architecture:

All

Description

Page: Services / FreeRADIUS
Tab: EAP
Section: EAP-TLS
Option: Check Client Certificate CN

Actual result when enabled:

A user attempting TLS authentication with a certificate signed by the configured CA, and with a common name matching the user-provided identity, passes authentication even if that common name/identity is not a valid user configured under FreeRADIUS / Users. This option only seems to ensure the common name of the client certificate matches the user-provided identity.

Expected result when enabled:

A user attempting TLS authentication does not pass authentication unless the client certificate's common name is equal to the user-provided identity AND is a configured user under FreeRADIUS / Users, as alluded to by the description.

History
Notes
Property changes

Actions

Copy link

Updated by Viktor Gurov almost 4 years ago

see http://freeradius.1045715.n5.nabble.com/user-name-and-EAP-TLS-td5714550.html:

> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.
>

authorize {
        files
        if (notfound || noop) {
                reject
        }
}

Actions

Copy link

Updated by Viktor Gurov almost 4 years ago

fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/33

Actions

Copy link

Updated by Renato Botelho almost 4 years ago

Status changed from New to Feedback
Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions

Copy link

Updated by Viktor Gurov almost 4 years ago

more fixes:
- Fixes SQL backend user existing check;
- Fixes counters issue (`$varsqlconfauthcounters` lines)
https://forum.netgate.com/topic/160323/freeradius-latest-package-upgrade/2:

(6) exec: Executing: /bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh raduser1 daily:
(6) exec: ERROR: Program returned code (99) and output ''
(6) exec: ERROR: Program returned invalid code (greater than max rcode) (99 > 9)

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/38

Actions

Copy link

Updated by Jim Pingle almost 4 years ago

Status changed from Feedback to Pull Request Review

Actions

Copy link

Updated by Renato Botelho almost 4 years ago

Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions

Copy link

Updated by Azamat Khakimyanov almost 3 years ago

Status changed from Feedback to Assigned

Tested on 21.05_2 and on 22.01-DEVELOPMENT (built on Tue Dec 14 06:23:27 UTC 2021)

I can't make EAP-TLS working for EAP-RADIUS Mobile IPsec with Ubuntu as a Client.
1. I created Mobile IPsec with local FreeRadius as an Authentication Server,
2. I create CA and Server and Client Certificates (used https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-tls.html)
- Server Certificate had Server IP as a CN
- Client Certificate had client username as a CN

3. remote IPsec client was Ubuntu 21.10 with IKE2 module installed
4. whatever I was changing on client I always got
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) EAP Peer says that the final record size will be 157 bytes
(5) eap_tls: (TLS) EAP Got all data (157 bytes)
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(5) eap_tls: (TLS) send TLS 1.2 Alert, fatal handshake_failure
(5) eap_tls: ERROR: (TLS) Alert write:fatal:handshake failure
(5) eap_tls: ERROR: (TLS) Server : Error in error
(5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
in log on FreeRadius Server.
and on Ubuntu
Dec 14 14:17:06 Ubuntu charon-nm: 09[TLS] received TLS cert request for 'CN=NewCA, C=RU, ST=Leningradskaya, L=Saint-Petersburg, O=Netgate, OU=Support TAC
Dec 14 12:22:21 Ubuntu charon-nm: 14[TLS] no TLS peer certificate found for 'newuser', skipping client authentication
Dec 14 12:22:22 Ubuntu charon-nm: 12[ENC] parsed IKE_AUTH response 7 [ EAP/FAIL ]
Dec 14 12:22:22 Ubuntu charon-nm: 12[IKE] received EAP_FAILURE, EAP authentication failed

I was able to initiate IPsec tunnel from Windows 10 by following this guide again: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-tls.html
but there were no difference if I checked on unchecked 'Validate the Client Certificate Common Name' - I was able to connect with any CN. For example there was no vpnuser1 in FreeRadius but I was able to authenticate successfully
(7) Login OK: [vpnuser1/<via Auth-Type = eap>] (from client radius port 12 cli 192.168.122.181⁴⁵⁰⁰)
(7) Sent Access-Accept Id 137 from 127.0.0.1:1812 to 127.0.0.1:6969 length 176
(7) MS-MPPE-Recv-Key = 0x9faff18c5724fe06f84022b8b4238c14a2c8ddeacbff90d03c143d0109c61f26
(7) MS-MPPE-Send-Key = 0xcb63c265dfdb820fb559667f71d3034fa3204f2694cf557ec2bf7ac2cb305494
(7) EAP-Message = 0x03070004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "vpnuser1"
(7) Framed-MTU += 994
(7) Finished request
but yes, there were user certificate with CN: vpnuser1

Actions

Copy link

Updated by Greg Maub over 1 year ago

pfSense CE 2.6.0
FreeRADIUS package version 0.15.7_33

As of April 2023, I was able to recreate this issue on accident.

Original description applies perfectly:

"Actual result when enabled:

Expected result when enabled:

I re-created this issue by using EAP-TLS and the client certificate CN and the user-provided identity match, but there is literally not a corresponding user listed in FreeRADIUS > Users. I could delete all users there and my devices will still connect.

Edited to add:
Confirmed still an issue as of February 2024 with pfSense CE 2.7.2 and FreeRADIUS package version 0.15.10_1

Forum post with screenshot: https://forum.netgate.com/topic/184157/longstanding-freeradius-eap-tls-security-bug-on-validating-client-certificate-common-name

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense » pfSense Packages

Custom queries

Bug #11054

Check Client Certificate CN not working as described

Updated by Viktor Gurov almost 4 years ago

Updated by Viktor Gurov almost 4 years ago

Updated by Renato Botelho almost 4 years ago

Updated by Viktor Gurov almost 4 years ago

Updated by Jim Pingle almost 4 years ago

Updated by Renato Botelho almost 4 years ago

Updated by Azamat Khakimyanov almost 3 years ago

Updated by Greg Maub over 1 year ago