Project

General

Profile

Actions

Bug #11829

closed

OpenVPN client certificate validation with OCSP always fails

Added by Konstantin Panchenko over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Viktor Gurov
Category:
OpenVPN
Target version:
Start date:
04/20/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

Establishing OpenVPN tunnel will always fail if "Check client certificates with OCSP" enabled.
OpenVPN will call "ovpn_auth_veryfy" script for each certificate requires validation in the process creating variable "tls_serial_x" where x is certificate number in the chain however validating CA certificate fails as serial number for that certificate set as number 1 and number 0 is empty.
Script must have validation for empty string and ignore it as provided in OpenVPN example script, also validation must happen inside the loop and loop must exit on the first failure. Here's example of code modified by me and tested in my environment:

do
eval serial="\$tls_serial_${check_depth}"
if [ -n "$serial" ]; then
RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
if [ "${RESULT}" = "FAILED" ]; then
exit 1
fi
fi
done

In this case all the certificates in the chain will be validated and empty certificate serial number ignored and only if all checks are successful result will be 0.

Note: This issue is the same as #11557 (https://redmine.pfsense.org/issues/11557#change-51674), however that one was identified as a duplicate, it is not.


Files

openvpn.tls-verify.php (4.4 KB) openvpn.tls-verify.php Modified PHP script Konstantin Panchenko, 01/20/2022 03:39 AM
Actions #1

Updated by Viktor Gurov over 3 years ago

  • Status changed from New to Duplicate

Duplicate of #11830

Actions #2

Updated by Konstantin Panchenko over 3 years ago

Viktor Gurov wrote:

Duplicate of #11830

Actually it is not duplicate, I've opened two of them as fixes have to be done in two different scripts, both fixes need to be implemented.

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from Duplicate to New
Actions #5

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
Actions #6

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov
  • Plus Target Version set to 21.09

PR has been merged. Thanks!

Actions #7

Updated by Konstantin Panchenko over 3 years ago

Renato Botelho wrote:

PR has been merged. Thanks!

I'm not sure what was changed but this is still an issue in 2.5.2, I don't see any real changes in the code, no check for empty "serial" and no break from the loop.

Actions #8

Updated by Jim Pingle over 3 years ago

  • Subject changed from Certificate validation with OCSP always fail - ovpn_auth_verify to Certificate validation with OCSP always fails
Actions #9

Updated by Jim Pingle over 3 years ago

  • Subject changed from Certificate validation with OCSP always fails to OpenVPN client certificate validation with OCSP always fails
Actions #10

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions #11

Updated by Marcos M about 3 years ago

Konstantin Panchenko wrote in #note-7:

Renato Botelho wrote:

PR has been merged. Thanks!

I'm not sure what was changed but this is still an issue in 2.5.2, I don't see any real changes in the code, no check for empty "serial" and no break from the loop.

The suggested code was added - you can see it here:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/ovpn_auth_verify

As for #11830, it looks like the array isn't being imploded as the suggested fix does on that redmine entry.
https://github.com/pfsense/pfsense/blob/04fbf68cca7eaea834d5d69816a08f3365700675/src/etc/inc/openvpn.tls-verify.php#L89

Can you test again after adding that in?

Actions #12

Updated by Konstantin Panchenko almost 3 years ago

Sorry for the late reply, switched to some other projects.

The suggested code was added - you can see it here:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/sbin/ovpn_auth_verify

Yes, code is fine now, it is exactly as the one I use on my pfsense and it works ok

As for #11830, it looks like the array isn't being imploded as the suggested fix does on that redmine entry.
https://github.com/pfsense/pfsense/blob/04fbf68cca7eaea834d5d69816a08f3365700675/src/etc/inc/openvpn.tls-verify.php#L89

Can you test again after adding that in?

I don't see any real changes in the code, so it wont work and will always return "FAILED". As I explained before and as it is explained in PHP / EXEC documentation here:

https://www.php.net/manual/en/function.exec.php

EXEC function will return only the last line of the output, to get the whole output additional parameter need to be provided to the function and array of output string will be returned, to easy search through output for required SUCCESS or FAILURE indicators array can be just imploded into one singe string. Without that code is just looking in the last line and will fail. I've attached my edit for review.

Actions #15

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to Pull Request Review
Actions #16

Updated by Scott Long almost 3 years ago

  • Status changed from Pull Request Review to Feedback
Actions #17

Updated by Viktor Gurov almost 3 years ago

Merged

Actions #18

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to Closed
Actions

Also available in: Atom PDF