Bug #12927

open

OpenVPN with OCSP enabled allows connections with revoked certificates

Added by Danilo Zrenjanin about 2 years ago. Updated 10 months ago.

Status: Incomplete
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

OpenVPN doesn't honor certificate validity status against the site listed in the OCSP URL field.

See:
https://redmine.pfsense.org/issues/11830

Konstantin Panchenko wrote in #note-11:

    This is still an issue in 2.5.2; the validation code is still checking only the last line returned from "openssl". The documentation for the exec command states that the output parameter must be used to get the full output, and that would be an array. The last line analysed in the current code would only look like "Next Update: May 11 11:29:54 2021 GMT", see above.
    https://www.php.net/manual/en/function.exec.php

I see the issue was closed by adding the "-resp_text" option; however, without analysing the whole output of the EXEC / Openssl function this won't work. I've attached my edit for review.
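The point about `exec()` above, as an added example that is neither pfSense's code nor the edit attached to this issue: the string `exec()` returns is only the last output line, so the status has to be read from the full `$output` array. The helper name `ocsp_cert_status()`, the assumed `<cert file>: good|revoked|unknown` summary line of `openssl ocsp`, and the sample output are assumptions constructed for illustration.

```php
<?php
// Added example; ocsp_cert_status() is a hypothetical helper, not pfSense code.

/**
 * Decide certificate status from the complete `openssl ocsp` result:
 * $lines is the array exec() fills via its second parameter, $rc the exit
 * code from its third. Anything other than one clear "good" is not trusted.
 */
function ocsp_cert_status(array $lines, int $rc): string
{
    if ($rc !== 0) {
        return 'unknown';              // openssl failed: fail closed
    }
    $found = [];
    foreach ($lines as $line) {
        // Assumed summary line: "<cert file>: good|revoked|unknown".
        // Indented detail lines ("\tNext Update: ...") do not match.
        if (preg_match('/^\S.*:\s+(good|revoked|unknown)\s*$/', $line, $m)) {
            $found[] = $m[1];
        }
    }
    // A single-certificate query must yield exactly one status line.
    return count($found) === 1 ? $found[0] : 'unknown';
}

// Constructed sample output (not captured from a real responder).
$good = [
    '/tmp/client.crt: good',
    "\tThis Update: May 10 11:29:54 2021 GMT",
    "\tNext Update: May 11 11:29:54 2021 GMT",
];
$revoked = [
    '/tmp/client.crt: revoked',
    "\tThis Update: May 10 11:29:54 2021 GMT",
    "\tNext Update: May 11 11:29:54 2021 GMT",
    "\tRevocation Time: May  9 08:15:00 2021 GMT",
];

foreach (['good' => $good, 'revoked' => $revoked] as $label => $lines) {
    // The string exec() returns is only this last line; it carries no status.
    $last = trim(end($lines));
    printf("%-8s last line: %-45s parsed: %s\n",
        $label, $last, ocsp_cert_status($lines, 0));
}
// A non-zero exit code or empty output is never treated as "good".
printf("failure  parsed: %s\n", ocsp_cert_status([], 1));
```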