
Bug #11830

Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Added by Konstantin Panchenko about 2 months ago. Updated 12 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 04/20/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

Certificate validation by the script will always fail:
1. The exec function used to call "openssl ocsp" returns only the last line of the output, which contains only the date of the next OCSP update, so parsing of that line will fail.
2. Without the -resp_text option openssl returns only the certificate serial with "good/revoked" appended and the OCSP update date. The line "Response verify OK" appears on the console but is not captured in the return value.

To resolve both issues an additional array parameter must be passed to the exec function to accumulate the complete "openssl ocsp" output and analyze it. To simplify, the array can be imploded into a single string and a regex used to validate the output. The following code was tested and works in my environment:

```php
// Capture the complete output in $status_out; exec() itself returns only the last line.
$status = exec("/usr/bin/openssl ocsp -resp_text -issuer " . escapeshellarg($issuer)
    . " -no_nonce"
    . " -CApath " . escapeshellarg($capath)
    . " -url " . escapeshellarg($ovpns['ocspurl'])
    . " -serial " . escapeshellarg($serial), $status_out);
// Join all output lines so a single regex can be run over them.
$status = implode(",", $status_out);
if (preg_match('/(error|fail)/', $status)) {
    // Any openssl error or verification failure: reject the certificate.
    echo "FAILED";
    closelog();
    return;
} else if (preg_match('/Cert Status: good/', $status)) {
    // Accept only when the responder also reported a successful response;
    // a "good" status without that line falls through to the code after this block.
    if (preg_match('/OCSP Response Status: successful \(0x0\)/', $status)) {
        break;   // success: leave the enclosing loop in the script
    }
} else {
    // revoked, unknown or unparsable status: reject.
    echo "FAILED";
    closelog();
    return;
}
```

I would also suggest adding additional logging for success / failure.
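As an added example (not the snippet above nor the pfSense script's own code), the same approach carried through with fail-closed parsing: the array parameter of exec() collects the whole output, stderr is merged with 2>&1 because openssl writes the "Response verify OK" line there, and the sample lines are constructed from the -resp_text output quoted later in this issue.

```php
<?php
// Added example, not the reporter's snippet or the pfSense script's own code.
// Captures the complete "openssl ocsp -resp_text" output via exec()'s array
// parameter (exec() itself returns only the last line) and fails closed
// unless the response is successful, verified and explicitly "good".

function parse_ocsp_output(array $lines): string {
    $text = implode("\n", $lines);

    // Verification failures and errors override any status line.
    if (preg_match('/Response Verify Failure|error|fail/i', $text)) {
        return 'error';
    }
    // The responder must have answered successfully; otherwise there is no status.
    if (!preg_match('/OCSP Response Status: successful \(0x0\)/', $text)) {
        return 'error';
    }
    if (preg_match('/Cert Status: revoked/', $text)) {
        return 'revoked';
    }
    if (preg_match('/Cert Status: good/', $text)) {
        // openssl prints "Response verify OK" on stderr, so it is only in the
        // captured lines when stderr was merged into stdout (see ocsp_check).
        return preg_match('/Response verify OK/', $text) ? 'good' : 'unverified';
    }
    return 'unknown';   // e.g. "Cert Status: unknown" from the responder
}

function ocsp_check(string $issuer, string $capath, string $url, string $serial): string {
    $cmd = '/usr/bin/openssl ocsp -resp_text -no_nonce'
         . ' -issuer ' . escapeshellarg($issuer)
         . ' -CApath ' . escapeshellarg($capath)
         . ' -url ' . escapeshellarg($url)
         . ' -serial ' . escapeshellarg($serial)
         . ' 2>&1';   // merge stderr so the verify result line is captured too
    $out = [];
    exec($cmd, $out, $rc);
    return ($rc === 0) ? parse_ocsp_output($out) : 'error';
}

// Constructed sample, trimmed from the -resp_text output quoted later in this issue.
$sample = [
    'OCSP Response Data:',
    '    OCSP Response Status: successful (0x0)',
    '    Cert Status: good',
    '    This Update: May  4 12:29:55 2021 GMT',
    'Response verify OK',
];
$verdict = parse_ocsp_output($sample);   // only 'good' should allow the connection
echo $verdict, "\n";
```

Only the 'good' verdict should let the TLS handshake proceed; 'unverified' means the captured output never contained the verify line and should be treated as a failure.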

Associated revisions

Revision 126944b7 (diff)
Added by Viktor Gurov about 1 month ago

openvpn.tls-verify.php fixes. Issue #11830

History

#1 Updated by Viktor Gurov about 2 months ago

see also #11829

#2 Updated by Viktor Gurov about 1 month ago

openssl ocsp response sample without '-resp_text' (google.com):

Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

with '-resp_text':

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
    Produced At: May  4 12:29:57 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 424630C22719DBDE70F08FFC73E5A65F663817BC
      Issuer Key Hash: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
      Serial Number: 168BE0E7D3A7E7870300000000CBF759
    Cert Status: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         42:ec:2a:b9:e1:aa:15:8e:fb:13:8f:7f:65:0c:0e:07:f6:af:
         59:a6:32:f5:79:07:a7:84:70:ee:91:b4:7a:d0:6e:8f:30:e7:
         b4:35:1c:bc:fc:c8:7b:0c:35:f9:1d:64:92:9a:8a:56:0f:65:
         f8:8d:99:87:b2:5b:e7:6a:f1:a1:13:c9:a2:02:8e:fe:50:80:
         67:c9:54:24:f9:34:a7:2d:b8:18:2d:62:79:2e:31:bb:0f:b9:
         49:a1:3c:49:85:9b:70:d3:76:d8:79:fe:4c:02:b0:28:ec:d5:
         1c:79:19:45:f9:00:1f:07:89:a8:b3:3d:e1:14:3b:b7:b6:dc:
         d2:2f:17:b0:67:3b:dd:6c:54:4d:32:ca:7d:e3:c8:42:60:ce:
         b7:91:c0:f0:75:0f:34:7a:a7:9f:7c:e7:33:95:68:61:2b:94:
         54:4a:a8:fd:7c:85:b7:ef:f0:1f:14:ea:d5:73:46:91:cc:d1:
         04:35:27:bc:8e:10:7e:49:dc:41:62:bd:5d:f9:f3:d9:99:16:
         5f:f4:eb:48:81:40:9f:7b:1f:05:b8:b8:6f:a6:49:49:29:eb:
         92:99:d1:63:0e:b8:fe:4a:28:11:b6:79:d9:f3:23:a3:8e:ab:
         0e:96:43:3c:71:22:d5:b6:d5:26:31:1e:08:89:97:dc:8d:0f:
         de:ed:9c:5c
Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238

#3 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0

#4 Updated by Jim Pingle about 1 month ago

  • Plus Target Version set to 21.05

#5 Updated by Konstantin Panchenko about 1 month ago

Viktor Gurov wrote:

openssl ocsp response sample without '-resp_text' (google.com):
[...]

with '-resp_text':
[...]

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238

Please note that the line "Response verify OK" is shown only on the screen and is not captured (at least in my testing) in the output; that's why I suggested using the full output and parsing the other success lines from it.

#6 Updated by Steve Beaver about 1 month ago

  • Status changed from Pull Request Review to Feedback

#7 Updated by Jim Pingle about 1 month ago

  • Subject changed from Certificate validation with OCSP always fail - openvpn.tls-verify.php to Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Updating subject for release notes.

#8 Updated by Jim Pingle 19 days ago

  • Target version changed from 2.6.0 to 2.5.2

#9 Updated by Jim Pingle 12 days ago

  • Status changed from Feedback to Closed
