Project

General

Profile

Actions

Bug #11830

closed

Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Added by Konstantin Panchenko over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Viktor Gurov
Category:
OpenVPN
Target version:
Start date:
04/20/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

Certificate validation by the script will always fail:
1. exec function used to call "openssl ocsp" returns only the last line of the output, which contains only date of the next update of OCSP, parsing of the line will fail.
2. without option -resp_text openssl returns only certificate serial with addition of "good/revoked" and OCSP update date. Line "Response verify OK" is on the console but not captured in the return.

To resolve both issues additional array parameter must be passed to exec function to accumulate complete "openssl ocsp" output and analyze it. To simplify array can be imploded to a single string and regx used to validate output. The following code tested and works in my environment:

$status = exec("/usr/bin/openssl ocsp -resp_text -issuer " . escapeshellarg($issuer)
. " -no_nonce"
. " -CApath " . escapeshellarg($capath)
. " -url " . escapeshellarg($ovpns['ocspurl'])
. " -serial " . escapeshellarg($serial), $status_out);
$status = implode(",", $status_out);
if (preg_match('/(error|fail)/', $status)) {
echo "FAILED";
closelog();
return;
} else if (preg_match('/Cert Status: good/', $status)) {
if (preg_match('/OCSP Response Status: successful \(0x0\)/', $status)) {
break;
}
} else {
echo "FAILED";
closelog();
return;
}

I would also suggest to add additional logging for success / failure.


Files

openvpn.tls-verify.php (4.4 KB) openvpn.tls-verify.php Konstantin Panchenko, 01/20/2022 03:47 AM
Actions #1

Updated by Viktor Gurov over 3 years ago

see also #11829

Actions #2

Updated by Viktor Gurov over 3 years ago

openssl ocsp response sample without '-resp_text' (google.com):

Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

with '-resp_text':

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
    Produced At: May  4 12:29:57 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 424630C22719DBDE70F08FFC73E5A65F663817BC
      Issuer Key Hash: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
      Serial Number: 168BE0E7D3A7E7870300000000CBF759
    Cert Status: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         42:ec:2a:b9:e1:aa:15:8e:fb:13:8f:7f:65:0c:0e:07:f6:af:
         59:a6:32:f5:79:07:a7:84:70:ee:91:b4:7a:d0:6e:8f:30:e7:
         b4:35:1c:bc:fc:c8:7b:0c:35:f9:1d:64:92:9a:8a:56:0f:65:
         f8:8d:99:87:b2:5b:e7:6a:f1:a1:13:c9:a2:02:8e:fe:50:80:
         67:c9:54:24:f9:34:a7:2d:b8:18:2d:62:79:2e:31:bb:0f:b9:
         49:a1:3c:49:85:9b:70:d3:76:d8:79:fe:4c:02:b0:28:ec:d5:
         1c:79:19:45:f9:00:1f:07:89:a8:b3:3d:e1:14:3b:b7:b6:dc:
         d2:2f:17:b0:67:3b:dd:6c:54:4d:32:ca:7d:e3:c8:42:60:ce:
         b7:91:c0:f0:75:0f:34:7a:a7:9f:7c:e7:33:95:68:61:2b:94:
         54:4a:a8:fd:7c:85:b7:ef:f0:1f:14:ea:d5:73:46:91:cc:d1:
         04:35:27:bc:8e:10:7e:49:dc:41:62:bd:5d:f9:f3:d9:99:16:
         5f:f4:eb:48:81:40:9f:7b:1f:05:b8:b8:6f:a6:49:49:29:eb:
         92:99:d1:63:0e:b8:fe:4a:28:11:b6:79:d9:f3:23:a3:8e:ab:
         0e:96:43:3c:71:22:d5:b6:d5:26:31:1e:08:89:97:dc:8d:0f:
         de:ed:9c:5c
Response verify OK
tmpcert: good
    This Update: May  4 12:29:55 2021 GMT
    Next Update: May 11 11:29:54 2021 GMT

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
Actions #4

Updated by Jim Pingle over 3 years ago

  • Plus Target Version set to 21.05
Actions #5

Updated by Konstantin Panchenko over 3 years ago

Viktor Gurov wrote:

openssl ocsp response sample without '-resp_text' (google.com):
[...]

with '-resp_text':
[...]

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/238

Please note that line "Response verify OK" is shown only on the screen and not captured (at least in my testing) in the capture, that's why I suggested to use full output and parse other success lines from it.

Actions #6

Updated by Anonymous over 3 years ago

  • Status changed from Pull Request Review to Feedback
Actions #7

Updated by Jim Pingle over 3 years ago

  • Subject changed from Certificate validation with OCSP always fail - openvpn.tls-verify.php to Certificate validation with OCSP always fails in ``openvpn.tls-verify.php``

Updating subject for release notes.

Actions #8

Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #9

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Closed
Actions #10

Updated by Renato Botelho over 3 years ago

  • Assignee set to Viktor Gurov
Actions #11

Updated by Konstantin Panchenko over 3 years ago

This is still an issue in 2.5.2, validation code still checking only for the last line returned from "openssl", documentation for exec command states that output parameter must be used to get the full output and that would be array. Last line analysed in current code would look only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php

Actions #12

Updated by Konstantin Panchenko almost 3 years ago

Konstantin Panchenko wrote in #note-11:

This is still an issue in 2.5.2, validation code still checking only for the last line returned from "openssl", documentation for exec command states that output parameter must be used to get the full output and that would be array. Last line analysed in current code would look only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php

I see the issue was closed by adding "-resp_text" option, however without analysing the whole outpup of the EXEC / Openssl function this won't work. I've attached my edit for review.

Actions #14

Updated by Viktor Gurov over 2 years ago

Konstantin Panchenko wrote in #note-12:

Konstantin Panchenko wrote in #note-11:

This is still an issue in 2.5.2, validation code still checking only for the last line returned from "openssl", documentation for exec command states that output parameter must be used to get the full output and that would be array. Last line analysed in current code would look only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php

I see the issue was closed by adding "-resp_text" option, however without analysing the whole outpup of the EXEC / Openssl function this won't work. I've attached my edit for review.

I don't see a significant difference between your edit and https://github.com/pfsense/pfsense/blob/master/src/etc/inc/openvpn.tls-verify.php (except debug output)

Actions #15

Updated by Marcos M over 2 years ago

Konstantin Panchenko wrote in #note-12:

I see the issue was closed by adding "-resp_text" option, however without analysing the whole outpup of the EXEC / Openssl function this won't work. I've attached my edit for review.

I confirm that the full output is analyzed. The exec function takes in the additional $status_out variable which stores the full response that is then checked with preg_match.

Actions

Also available in: Atom PDF