Bug #11830
Certificate validation with OCSP always fails in ``openvpn.tls-verify.php`` (Status: closed)
Description
Certificate validation by the script will always fail:
1. The exec function used to call "openssl ocsp" returns only the last line of the output, which contains only the date of the next OCSP update, so parsing of the line will fail.
2. Without the -resp_text option, openssl returns only the certificate serial with "good/revoked" appended and the OCSP update date. The line "Response verify OK" appears on the console but is not captured in the return value.
To resolve both issues, an additional array parameter must be passed to the exec function to accumulate the complete "openssl ocsp" output and analyze it. To simplify, the array can be imploded into a single string and a regex used to validate the output. The following code was tested and works in my environment:
/* exec() returns only the last output line; the full output is collected
   in $status_out, which is reset first because exec() appends to an
   existing array. */
$status_out = array();
$status = exec("/usr/bin/openssl ocsp -resp_text -issuer " . escapeshellarg($issuer)
    . " -no_nonce"
    . " -CApath " . escapeshellarg($capath)
    . " -url " . escapeshellarg($ovpns['ocspurl'])
    . " -serial " . escapeshellarg($serial), $status_out);
/* Join all captured lines so the regexes below see the complete response. */
$status = implode(",", $status_out);
if (preg_match('/(error|fail)/', $status)) {
    echo "FAILED";
    closelog();
    return;
} else if (preg_match('/Cert Status: good/', $status)) {
    if (preg_match('/OCSP Response Status: successful \(0x0\)/', $status)) {
        /* certificate good and response successful: leave the enclosing loop */
        break;
    }
    /* note: "Cert Status: good" without a successful response status falls
       through here without failing */
} else {
    echo "FAILED";
    closelog();
    return;
}
I would also suggest adding additional logging for success / failure.
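An added example (not the pfSense script and not the ticket author's patch) of collecting the whole "openssl ocsp -resp_text" output through exec()'s output array and deciding from it, with the single-last-line case shown failing as the ticket describes. The function names and the constructed sample are this example's own; passing exec()'s exit status into the decision and appending "2>&1" to the command are additions beyond the ticket's snippet.

```php
<?php
// Added example, not the pfSense script or the ticket author's patch:
// parse every line captured by exec()'s output array rather than the
// single last line exec() returns. Names here are this example's own.

// Decide from the captured lines: "good", "revoked", "unknown" or "error".
// A "Cert Status" line is only trusted when the response status is
// successful and no error/failure text appears anywhere in the output.
function ocsp_result(array $lines, int $exit_code = 0): string {
    $text = implode("\n", $lines);
    if ($exit_code !== 0 || preg_match('/(error|fail)/i', $text)) {
        return "error";
    }
    if (!preg_match('/OCSP Response Status: successful \(0x0\)/', $text)) {
        return "error";
    }
    if (preg_match('/^\s*Cert Status: (good|revoked|unknown)\s*$/m', $text, $m)) {
        return $m[1];
    }
    return "error";
}

// Run openssl ocsp and capture every line. $output is reset first because
// exec() appends to an existing array; "2>&1" (an addition here) also
// captures stderr, where the console-only verify line from the ticket
// goes, and the exit status is passed on so a verify failure is not lost.
function ocsp_check(string $issuer, string $capath, string $url, string $serial): string {
    $cmd = "/usr/bin/openssl ocsp -resp_text -no_nonce"
         . " -issuer " . escapeshellarg($issuer)
         . " -CApath " . escapeshellarg($capath)
         . " -url " . escapeshellarg($url)
         . " -serial " . escapeshellarg($serial) . " 2>&1";
    $output = [];
    exec($cmd, $output, $rc);
    return ocsp_result($output, $rc);
}

// Constructed sample: an abridged copy of the -resp_text output quoted in
// this ticket, as the lines exec() would place in $output.
$sample = [
    "OCSP Response Data:",
    "    OCSP Response Status: successful (0x0)",
    "    Cert Status: good",
    "    This Update: May  4 12:29:55 2021 GMT",
    "    Next Update: May 11 11:29:54 2021 GMT",
];
echo "full output:         " . ocsp_result($sample) . "\n";
echo "last line only:      " . ocsp_result([end($sample)]) . "\n";
echo "non-zero exit code:  " . ocsp_result($sample, 1) . "\n";
```

The second call reproduces the original defect: the last line alone carries no status, so the decision is "error".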
Updated by Viktor Gurov over 3 years ago
openssl ocsp response sample without '-resp_text' (google.com):
Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT
with '-resp_text':
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
    Produced At: May  4 12:29:57 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 424630C22719DBDE70F08FFC73E5A65F663817BC
      Issuer Key Hash: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
      Serial Number: 168BE0E7D3A7E7870300000000CBF759
    Cert Status: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         42:ec:2a:b9:e1:aa:15:8e:fb:13:8f:7f:65:0c:0e:07:f6:af:
         59:a6:32:f5:79:07:a7:84:70:ee:91:b4:7a:d0:6e:8f:30:e7:
         b4:35:1c:bc:fc:c8:7b:0c:35:f9:1d:64:92:9a:8a:56:0f:65:
         f8:8d:99:87:b2:5b:e7:6a:f1:a1:13:c9:a2:02:8e:fe:50:80:
         67:c9:54:24:f9:34:a7:2d:b8:18:2d:62:79:2e:31:bb:0f:b9:
         49:a1:3c:49:85:9b:70:d3:76:d8:79:fe:4c:02:b0:28:ec:d5:
         1c:79:19:45:f9:00:1f:07:89:a8:b3:3d:e1:14:3b:b7:b6:dc:
         d2:2f:17:b0:67:3b:dd:6c:54:4d:32:ca:7d:e3:c8:42:60:ce:
         b7:91:c0:f0:75:0f:34:7a:a7:9f:7c:e7:33:95:68:61:2b:94:
         54:4a:a8:fd:7c:85:b7:ef:f0:1f:14:ea:d5:73:46:91:cc:d1:
         04:35:27:bc:8e:10:7e:49:dc:41:62:bd:5d:f9:f3:d9:99:16:
         5f:f4:eb:48:81:40:9f:7b:1f:05:b8:b8:6f:a6:49:49:29:eb:
         92:99:d1:63:0e:b8:fe:4a:28:11:b6:79:d9:f3:23:a3:8e:ab:
         0e:96:43:3c:71:22:d5:b6:d5:26:31:1e:08:89:97:dc:8d:0f:
         de:ed:9c:5c
Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.6.0
Updated by Konstantin Panchenko over 3 years ago
Viktor Gurov wrote:
openssl ocsp response sample without '-resp_text' (google.com):
[...]
with '-resp_text':
[...]
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238
Please note that the line "Response verify OK" is shown only on the screen and is not captured (at least in my testing); that's why I suggested using the full output and parsing the other success lines from it.
Updated by Anonymous over 3 years ago
- Status changed from Pull Request Review to Feedback
Updated by Jim Pingle over 3 years ago
- Subject changed from Certificate validation with OCSP always fail - openvpn.tls-verify.php to Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2
Updated by Konstantin Panchenko over 3 years ago
This is still an issue in 2.5.2; the validation code is still checking only the last line returned from "openssl". The documentation for the exec command states that the output parameter must be used to get the full output, and that would be an array. The last line analysed by the current code would look like only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php
Updated by Konstantin Panchenko almost 3 years ago
- File openvpn.tls-verify.php openvpn.tls-verify.php added
Konstantin Panchenko wrote in #note-11:
This is still an issue in 2.5.2; the validation code is still checking only the last line returned from "openssl". The documentation for the exec command states that the output parameter must be used to get the full output, and that would be an array. The last line analysed by the current code would look like only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php
I see the issue was closed by adding the "-resp_text" option; however, without analysing the whole output of the EXEC / Openssl function this won't work. I've attached my edit for review.
Updated by Viktor Gurov over 2 years ago
Konstantin Panchenko wrote in #note-12:
Konstantin Panchenko wrote in #note-11:
This is still an issue in 2.5.2; the validation code is still checking only the last line returned from "openssl". The documentation for the exec command states that the output parameter must be used to get the full output, and that would be an array. The last line analysed by the current code would look like only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php
I see the issue was closed by adding the "-resp_text" option; however, without analysing the whole output of the EXEC / Openssl function this won't work. I've attached my edit for review.
I don't see a significant difference between your edit and https://github.com/pfsense/pfsense/blob/master/src/etc/inc/openvpn.tls-verify.php (except debug output)
Updated by Marcos M over 2 years ago
Konstantin Panchenko wrote in #note-12:
I see the issue was closed by adding the "-resp_text" option; however, without analysing the whole output of the EXEC / Openssl function this won't work. I've attached my edit for review.
I confirm that the full output is analyzed. The exec function takes in the additional $status_out variable, which stores the full response that is then checked with preg_match.