Project

General

Profile

Actions

Bug #11830

closed

Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Added by Konstantin Panchenko 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
04/20/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

Certificate validation by the script will always fail:
1. exec function used to call "openssl ocsp" returns only the last line of the output, which contains only date of the next update of OCSP, parsing of the line will fail.
2. without option -resp_text openssl returns only certificate serial with addition of "good/revoked" and OCSP update date. Line "Response verify OK" is on the console but not captured in the return.

To resolve both issues additional array parameter must be passed to exec function to accumulate complete "openssl ocsp" output and analyze it. To simplify array can be imploded to a single string and regx used to validate output. The following code tested and works in my environment:

$status = exec("/usr/bin/openssl ocsp -resp_text -issuer " . escapeshellarg($issuer)
. " -no_nonce"
. " -CApath " . escapeshellarg($capath)
. " -url " . escapeshellarg($ovpns['ocspurl'])
. " -serial " . escapeshellarg($serial), $status_out);
$status = implode(",", $status_out);
if (preg_match('/(error|fail)/', $status)) {
echo "FAILED";
closelog();
return;
} else if (preg_match('/Cert Status: good/', $status)) {
if (preg_match('/OCSP Response Status: successful \(0x0\)/', $status)) {
break;
}
} else {
echo "FAILED";
closelog();
return;
}

I would also suggest to add additional logging for success / failure.

Actions #1

Updated by Viktor Gurov 5 months ago

see also #11829

Actions #2

Updated by Viktor Gurov 5 months ago

openssl ocsp response sample without '-resp_text' (google.com):

Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

with '-resp_text':

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
    Produced At: May  4 12:29:57 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 424630C22719DBDE70F08FFC73E5A65F663817BC
      Issuer Key Hash: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
      Serial Number: 168BE0E7D3A7E7870300000000CBF759
    Cert Status: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         42:ec:2a:b9:e1:aa:15:8e:fb:13:8f:7f:65:0c:0e:07:f6:af:
         59:a6:32:f5:79:07:a7:84:70:ee:91:b4:7a:d0:6e:8f:30:e7:
         b4:35:1c:bc:fc:c8:7b:0c:35:f9:1d:64:92:9a:8a:56:0f:65:
         f8:8d:99:87:b2:5b:e7:6a:f1:a1:13:c9:a2:02:8e:fe:50:80:
         67:c9:54:24:f9:34:a7:2d:b8:18:2d:62:79:2e:31:bb:0f:b9:
         49:a1:3c:49:85:9b:70:d3:76:d8:79:fe:4c:02:b0:28:ec:d5:
         1c:79:19:45:f9:00:1f:07:89:a8:b3:3d:e1:14:3b:b7:b6:dc:
         d2:2f:17:b0:67:3b:dd:6c:54:4d:32:ca:7d:e3:c8:42:60:ce:
         b7:91:c0:f0:75:0f:34:7a:a7:9f:7c:e7:33:95:68:61:2b:94:
         54:4a:a8:fd:7c:85:b7:ef:f0:1f:14:ea:d5:73:46:91:cc:d1:
         04:35:27:bc:8e:10:7e:49:dc:41:62:bd:5d:f9:f3:d9:99:16:
         5f:f4:eb:48:81:40:9f:7b:1f:05:b8:b8:6f:a6:49:49:29:eb:
         92:99:d1:63:0e:b8:fe:4a:28:11:b6:79:d9:f3:23:a3:8e:ab:
         0e:96:43:3c:71:22:d5:b6:d5:26:31:1e:08:89:97:dc:8d:0f:
         de:ed:9c:5c
Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238

Actions #3

Updated by Jim Pingle 5 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
Actions #4

Updated by Jim Pingle 5 months ago

  • Plus Target Version set to 21.05
Actions #5

Updated by Konstantin Panchenko 5 months ago

Viktor Gurov wrote:

openssl ocsp response sample without '-resp_text' (google.com):
[...]

with '-resp_text':
[...]

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238

Please note that line "Response verify OK" is shown only on the screen and not captured (at least in my testing) in the capture, that's why I suggested to use full output and parse other success lines from it.

Actions #6

Updated by Steve Beaver 5 months ago

  • Status changed from Pull Request Review to Feedback
Actions #7

Updated by Jim Pingle 5 months ago

  • Subject changed from Certificate validation with OCSP always fail - openvpn.tls-verify.php to Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Updating subject for release notes.

Actions #8

Updated by Jim Pingle 4 months ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #9

Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Closed
Actions #10

Updated by Renato Botelho 3 months ago

  • Assignee set to Viktor Gurov
Actions #11

Updated by Konstantin Panchenko 2 months ago

This is still an issue in 2.5.2, validation code still checking only for the last line returned from "openssl", documentation for exec command states that output parameter must be used to get the full output and that would be array. Last line analysed in current code would look only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php

Actions

Also available in: Atom PDF