Project

General

Profile

Actions

Bug #11557

closed

OpenVPN fails in tls-validate after upgrading to PfSense 2.5

Added by Fold right almost 4 years ago. Updated almost 4 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
02/26/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:

Description

If OpenVPN server is configured with a "Certificate Depth" higher than 1, the /usr/local/sbin/ovpn_auth_verify will fail to verify the certificate. The for loop in ovpn_auth_verify script :

for check_depth in $(/usr/bin/seq ${3} -1 0)
do
eval serial="\$tls_serial_${check_depth}"
RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
done

doesn't break on the first success (so if the depth is set to 3 it will still check depth 0).

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Duplicate

Same root cause as #4521 (and a couple other similar issues that already exist)

Actions #2

Updated by Fold right almost 4 years ago

I had the error fixed by setting a fixed "Certificate Depth" (check_depth=2) instead of looping over the sequence. I kept the same CA and same certificate so I don't think the long certificate subject is the issue here

Actions #3

Updated by Jim Pingle almost 4 years ago

It's not the cert subject per se but the underlying issue of the data from OpenVPN not passing through fcgicli to PHP which is affecting both

Actions

Also available in: Atom PDF