Bug #11829
OpenVPN client certificate validation with OCSP always fails
Status: Closed
Description
Establishing an OpenVPN tunnel will always fail if "Check client certificates with OCSP" is enabled.
OpenVPN will call the "ovpn_auth_verify" script for each certificate that requires validation, in the process creating a variable "tls_serial_x", where x is the certificate number in the chain; however, validating the CA certificate fails, as the serial number for that certificate is set as number 1 and number 0 is empty.
The script must have validation for an empty string and ignore it, as provided in the OpenVPN example script; also, validation must happen inside the loop, and the loop must exit on the first failure. Here's an example of the code modified by me and tested in my environment:
    check_depth=$4   # depth of the certificate being verified (loop header reconstructed by the editor; not part of the posted fragment)
    while [ "$check_depth" -ge 0 ]; do
        eval serial="\$tls_serial_${check_depth}"
        # Skip depths OpenVPN has not populated yet (e.g. tls_serial_0 while the CA is being verified)
        if [ -n "$serial" ]; then
            RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
            # Stop at the first certificate the OCSP check rejects
            if [ "${RESULT}" = "FAILED" ]; then
                exit 1
            fi
        fi
        check_depth=$((check_depth - 1))
    done
In this case all the certificates in the chain will be validated, an empty certificate serial number will be ignored, and only if all checks are successful will the result be 0.
Note: This issue is the same as #11557 (https://redmine.pfsense.org/issues/11557#change-51674); however, that one was identified as a duplicate, which it is not.
Updated by Konstantin Panchenko over 3 years ago
Viktor Gurov wrote:
Duplicate of #11830
Actually it is not a duplicate; I've opened two of them as the fixes have to be made in two different scripts, and both fixes need to be implemented.
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.6.0
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
- Plus Target Version set to 21.09
PR has been merged. Thanks!
Updated by Konstantin Panchenko over 3 years ago
Renato Botelho wrote:
PR has been merged. Thanks!
I'm not sure what was changed, but this is still an issue in 2.5.2; I don't see any real changes in the code: no check for an empty "serial" and no break from the loop.
Updated by Jim Pingle over 3 years ago
- Subject changed from Certificate validation with OCSP always fail - ovpn_auth_verify to Certificate validation with OCSP always fails
Updated by Jim Pingle over 3 years ago
- Subject changed from Certificate validation with OCSP always fails to OpenVPN client certificate validation with OCSP always fails
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Marcos M about 3 years ago
Konstantin Panchenko wrote in #note-7:
Renato Botelho wrote:
PR has been merged. Thanks!
I'm not sure what was changed, but this is still an issue in 2.5.2; I don't see any real changes in the code: no check for an empty "serial" and no break from the loop.
The suggested code was added - you can see it here:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/ovpn_auth_verify
As for #11830, it looks like the array isn't being imploded as the suggested fix does on that redmine entry.
https://github.com/pfsense/pfsense/blob/04fbf68cca7eaea834d5d69816a08f3365700675/src/etc/inc/openvpn.tls-verify.php#L89
Can you test again after adding that in?
Updated by Konstantin Panchenko almost 3 years ago
- File openvpn.tls-verify.php openvpn.tls-verify.php added
Sorry for the late reply, switched to some other projects.
The suggested code was added - you can see it here:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/ovpn_auth_verify
Yes, the code is fine now; it is exactly the same as the one I use on my pfSense and it works OK.
As for #11830, it looks like the array isn't being imploded as the suggested fix does on that redmine entry.
https://github.com/pfsense/pfsense/blob/04fbf68cca7eaea834d5d69816a08f3365700675/src/etc/inc/openvpn.tls-verify.php#L89
Can you test again after adding that in?
I don't see any real changes in the code, so it won't work and will always return "FAILED". As I explained before, and as it is explained in the PHP exec() documentation here:
https://www.php.net/manual/en/function.exec.php
the exec() function returns only the last line of the output; to get the whole output, an additional parameter needs to be passed to the function, and an array of output lines will be returned. To make it easy to search the output for the required SUCCESS or FAILURE indicators, the array can simply be imploded into one single string. Without that, the code is only looking at the last line and will fail. I've attached my edit for review.
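A worked version of both points raised in this report (the depth loop from the description, which must skip empty tls_serial_x entries and stop at the first failure, and the comment above about reading the OCSP verdict from the whole responder output rather than its last line), as an added example. This is the editor's code, not pfSense's ovpn_auth_verify or openvpn.tls-verify.php: the php-cgi call and the OCSP responder are replaced by a stub that returns constructed output shaped like the stdout of `openssl ocsp`, and the serials 1001, 1002 and 2001 are invented.

```shell
#!/bin/sh
# Added example (editor's code, not pfSense's scripts). It models the two
# behaviours discussed in this report: walking tls_serial_<depth> from the
# given depth down to 0 while skipping empty entries and stopping at the
# first failure, and reading the OCSP verdict from the whole responder
# output instead of only its last line. The OCSP outputs are constructed
# here; no responder is contacted.

# Constructed stand-in for the stdout of `openssl ocsp` for one serial.
fake_ocsp_query() {
    case "$1" in
        1001|2001)
            printf '%s\n' "$1: good" \
                '	This Update: Jan  1 00:00:00 2021 GMT' \
                '	Next Update: Jan  2 00:00:00 2021 GMT' ;;
        1002)
            printf '%s\n' "$1: revoked" \
                '	This Update: Jan  1 00:00:00 2021 GMT' \
                '	Reason: keyCompromise' \
                '	Revocation Time: Jan  1 00:00:00 2021 GMT' \
                '	Next Update: Jan  2 00:00:00 2021 GMT' ;;
        *)
            printf '%s\n' "$1: unknown" \
                '	This Update: Jan  1 00:00:00 2021 GMT' \
                '	Next Update: Jan  2 00:00:00 2021 GMT' ;;
    esac
}

# Pull the status word from the "<serial>: <status>" line wherever it sits
# in the output. Prints good/revoked/unknown, or nothing if the serial is
# absent. $1 = serial, $2 = full captured output.
ocsp_status_for_serial() {
    printf '%s\n' "$2" | awk -v s="$1" '$1 == (s ":") { print $2; exit }'
}

# Verdict for one serial, in the form the php-cgi call in ovpn_auth_verify
# reports it: SUCCESS only for an explicit "good", FAILED for anything else
# (revoked, unknown, or a serial that never appears in the output).
verify_serial() {
    out=$(fake_ocsp_query "$1")
    if [ "$(ocsp_status_for_serial "$1" "$out")" = "good" ]; then
        echo SUCCESS
    else
        echo FAILED
    fi
}

# The broken variant: judge only the last output line, which is all PHP's
# exec() hands back when no output array is passed. The last line is a
# "Next Update:" timestamp, so even a good certificate comes back FAILED.
verify_serial_last_line_only() {
    last=$(fake_ocsp_query "$1" | tail -n 1)
    case "$last" in
        *good*) echo SUCCESS ;;
        *)      echo FAILED ;;
    esac
}

# Walk the chain from depth $1 down to 0, reading tls_serial_<depth> as
# OpenVPN exports it (plain shell variables stand in for the environment).
# Depths OpenVPN has not populated yet, such as depth 0 while the CA is
# being verified, are skipped rather than treated as failures; the first
# FAILED ends the walk. Returns 0 only if every present serial passed.
verify_chain() {
    depth=$1
    while [ "$depth" -ge 0 ]; do
        eval "serial=\$tls_serial_${depth}"
        if [ -n "$serial" ]; then
            if [ "$(verify_serial "$serial")" = "FAILED" ]; then
                return 1
            fi
        fi
        depth=$((depth - 1))
    done
    return 0
}

# Constructed chain: depth 2 = root CA, depth 1 = intermediate CA, depth 0 =
# client certificate, which OpenVPN has not exported yet at this point.
tls_serial_0=""
tls_serial_1="1001"
tls_serial_2="2001"
if verify_chain 2; then echo "chain: SUCCESS"; else echo "chain: FAILED"; fi
```

Both checks fail closed: a serial missing from the responder output, or one reported revoked or unknown, yields FAILED, and the chain walk returns non-zero as soon as any present depth fails. Swapping `verify_serial` for `verify_serial_last_line_only` inside `verify_chain` reproduces the symptom in this report, a chain that never validates.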
Updated by Viktor Gurov almost 3 years ago
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to Pull Request Review
Updated by Scott Long almost 3 years ago
- Status changed from Pull Request Review to Feedback
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to Closed