
Bug #11829

Certificate validation with OCSP always fail - ovpn_auth_verify

Added by Konstantin Panchenko about 2 months ago. Updated about 1 month ago.

Status: Pull Request Review
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 04/20/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

Establishing an OpenVPN tunnel will always fail if "Check client certificates with OCSP" is enabled.
OpenVPN will call the "ovpn_auth_verify" script for each certificate that requires validation, in the process creating a variable "tls_serial_x", where x is the certificate number in the chain; however, validating the CA certificate fails, as the serial number for that certificate is set as number 1 and number 0 is empty.
The script must validate for an empty string and ignore it, as provided in the OpenVPN example script; also, validation must happen inside the loop and the loop must exit on the first failure. Here's an example of the code modified by me and tested in my environment:

    # Loop body only; the enclosing "while" over check_depth (counting down to 0)
    # is the script's existing loop and is unchanged.
    do
        # tls_serial_<depth> is set by OpenVPN for each depth verified so far.
        eval serial="\$tls_serial_${check_depth}"
        # Skip depths whose serial has not been exported yet (e.g. depth 0 while
        # the CA at depth 1 is being checked).
        if [ -n "$serial" ]; then
            RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
            # Exit on the first failed check instead of keeping only the last result.
            if [ "${RESULT}" = "FAILED" ]; then
                exit 1
            fi
        fi
    done

In this case all the certificates in the chain will be validated, an empty certificate serial number is ignored, and the result will be 0 only if all checks are successful.

Note: This issue is the same as #11557 (https://redmine.pfsense.org/issues/11557#change-51674); however, that one was identified as a duplicate, and it is not.
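To make the failure mode concrete, here is an added, self-contained model of the per-depth loop (it is not pfSense's ovpn_auth_verify or openvpn.tls-verify.php). check_serial is a hypothetical stand-in for the php-cgi call, the serial values and revocation list are constructed, and the tls_serial_<n> variable names follow the convention described above; it contrasts the loop shape that only keeps the last result with the corrected one.

```shell
#!/bin/sh
# Added example, not pfSense's script. OpenVPN exports tls_serial_<n> for
# each depth verified so far, so when the hook runs for the CA (depth 1)
# the leaf's tls_serial_0 is not set yet.

# Constructed revocation list consulted by the stand-in checker below.
REVOKED_SERIALS="2002"

# check_serial <serial>: hypothetical stand-in for the php-cgi call to
# openvpn.tls-verify.php. Prints OK or FAILED; an empty serial cannot be
# looked up and therefore FAILS.
check_serial() {
    [ -n "$1" ] || { echo FAILED; return; }
    case " $REVOKED_SERIALS " in
        *" $1 "*) echo FAILED ;;
        *)        echo OK ;;
    esac
}

# verify_chain_unchecked <certdepth>: the problematic shape. Every depth
# is checked, empty or not, and only the last RESULT decides the outcome.
verify_chain_unchecked() {
    check_depth=$1
    while [ "$check_depth" -ge 0 ]; do
        eval serial="\$tls_serial_${check_depth}"
        RESULT=$(check_serial "$serial")
        check_depth=$((check_depth - 1))
    done
    [ "$RESULT" != "FAILED" ]
}

# verify_chain <certdepth>: the corrected shape. Skip depths whose serial
# is not exported yet, stop at the first FAILED, return 0 only if every
# present serial passes.
verify_chain() {
    check_depth=$1
    while [ "$check_depth" -ge 0 ]; do
        eval serial="\$tls_serial_${check_depth}"
        if [ -n "$serial" ]; then
            RESULT=$(check_serial "$serial")
            if [ "$RESULT" = "FAILED" ]; then
                return 1
            fi
        fi
        check_depth=$((check_depth - 1))
    done
    return 0
}
```

Scenario 3 below is the quieter problem: a loop that keeps only the last result accepts a chain whose CA serial failed as long as the leaf passed.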

History

#1 Updated by Viktor Gurov about 2 months ago

  • Status changed from New to Duplicate

Duplicate of #11830

#2 Updated by Konstantin Panchenko about 2 months ago

Viktor Gurov wrote:

Duplicate of #11830

Actually it is not a duplicate; I've opened two of them as fixes have to be done in two different scripts, and both fixes need to be implemented.

#3 Updated by Jim Pingle about 2 months ago

  • Status changed from Duplicate to New

#5 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
