Regression #13056: OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Regression #13056

closed

OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled

Added by Thorsten Zitterell over 2 years ago. Updated over 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Viktor Gurov

Category:

OpenVPN

Target version:

2.7.0

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

22.05

Release Notes:

Default

Affected Version:

2.6.0

Affected Architecture:

amd64

Description

I have a OpenVPN server running on a pfsense with version 22.01 for some month now.
Multiple clients connect to the server.

Since the update to 22.01, I guess, client connections break with errors like:

Apr 13 11:01:57 192.168.253.1 openvpn⁵⁶²⁷⁰: x.x.x.x:y VERIFY KU ERROR
Apr 13 11:01:57 192.168.253.1 openvpn⁵⁶²⁷⁰: x.x.x.x:y TLS_ERROR: BIO read tls_read_plaintext error

Then, when I reload the OpenVPN server the problem persists.
However, when I open the configuration and save it again the problem disappears.

After some research I figured out that this problem probably occurs after rc.renewwanip[v6] was executed.

I compared the config.ovpn after the problem occured and after I saved the OpenVPN server configuration again and there was the option remote-cert-tls client in this file.

Currently, I am not using TLS auth, however there seems a script (openvpn.inc?) which adds the unwanted option remote-cert-tls client.

I am not sure if relevant but there are the following custom options:
mode server; client-config-dir /var/etc/openvpn/server6/csc; ccd-exclusive; ifconfig 10.8.1.254 255.255.255.0; push "route-gateway 10.8.1.254"; route 10.5.1.0 255.255.255.0 10.8.1.1; route 10.5.2.0 255.255.255.0 10.8.1.2;

Related issues

Related to Feature #11865: Option to validate OpenVPN peer TLS certificate key usage

Resolved

Viktor Gurov

04/28/2021

Actions

Is duplicate of Bug #13077: remote-cert-tls client set in configuration regardless of Client Certificate Key Usage Validation option (after server restart only!)

Duplicate

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from New to Not a Bug
Plus Target Version deleted (~~22.01~~)

That setting won't prevent clients from connecting on auth-only VPNs. There must be something else happening in your environment (could be your custom options setting up incompatible settings) but there isn't nearly enough information here to say what that might be. This site is not for support or diagnostic discussion, however, so it's not the place to debug it.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .

See Reporting Issues with pfSense Software for more information.

Actions

Copy link

Updated by Michael Ruder over 2 years ago

I think this is a bug: Regardless of the newly introduced setting "Client Certificate Key Usage Validation", the @remote-cert-tls client" ends up in the configuration if the OpenVPN server instance is restarted (via Status=>OpenVPN or other means).

However, when saving the configuration from VPN=>OpenVPN (after changing anything, for instance only the log level) the line is not there, unless the option is ticked.

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Tracker changed from Bug to Regression
Status changed from Not a Bug to New
Assignee set to Viktor Gurov
Target version set to 2.7.0
Plus Target Version set to 22.05
Affected Version set to 2.6.0

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/733

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Related to Feature #11865: Option to validate OpenVPN peer TLS certificate key usage added

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Is duplicate of Bug #13077: remote-cert-tls client set in configuration regardless of Client Certificate Key Usage Validation option (after server restart only!) added

Actions

Copy link

Updated by Michael Ruder over 2 years ago

Works for me now as expected. I however noticed, that with the patch now in config.xml there is either <remote_cert_tls></remote_cert_tls> if the option is active or nothing if it is not. Before when the problem occured, the option was always in the config.xml, either empty (as above) or with yes between the tags: <remote_cert_tls>yes</remote_cert_tls>

Other boolean options (like passtos) are handled also with the tags always being present and either yes or empty and they do not show the faulty behaviour. So the remote_cert_tls option seems to be implemented somehow differently than the others.

As I have a (very) limited understanding on how the config is parsed etc., just ignore this comment if this is the intended way of doing things here. :)

Thanks for the quick fix.

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Status changed from New to Feedback

Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Michael Ruder wrote in #note-6:

Works for me now as expected. I however noticed, that with the patch now in config.xml there is either <remote_cert_tls></remote_cert_tls> if the option is active or nothing if it is not. Before when the problem occured, the option was always in the config.xml, either empty (as above) or with yes between the tags: <remote_cert_tls>yes</remote_cert_tls>

That's fine. Some parts of the config.xml use such behavior.

Actions

Copy link

Updated by Thorsten Zitterell over 2 years ago

Viktor Gurov wrote in #note-7:

Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204

Sure, this patch is right?

In src/usr/local/www/vpn_openvpn_client.php, line 588
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls']; + if (isset($client['remote_cert_tls'])) { + $client['remote_cert_tls'] = true; + }

Shouldn't it be
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls']; + if (isset($pconfig['remote_cert_tls'])) { + $client['remote_cert_tls'] = true; + }

(analogous to src/usr/local/www/vpn_openvpn_server.php:751)

Actions

Copy link

#10

Updated by Viktor Gurov over 2 years ago

Status changed from Feedback to New

Thorsten Zitterell wrote in #note-9:

Viktor Gurov wrote in #note-7:

Merged:
https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204

Sure, this patch is right?

In src/usr/local/www/vpn_openvpn_client.php, line 588
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls']; + if (isset($client['remote_cert_tls'])) { + $client['remote_cert_tls'] = true; + }

Shouldn't it be
- $client['remote_cert_tls'] = $pconfig['remote_cert_tls']; + if (isset($pconfig['remote_cert_tls'])) { + $client['remote_cert_tls'] = true; + }

(analogous to src/usr/local/www/vpn_openvpn_server.php:751)

Thank you!

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/735

Actions

Copy link

#11

Updated by Jim Pingle over 2 years ago

Status changed from New to Pull Request Review

Actions

Copy link

#12

Updated by Viktor Gurov over 2 years ago

Status changed from Pull Request Review to Feedback

Merged:
https://github.com/pfsense/pfsense/commit/47f2f4060d9e5b71c5c69356b61191fd2931383c

Actions

Copy link

#13

Updated by Jim Pingle over 2 years ago

Subject changed from OpenVPN Server configuration altered when interface is renewed to OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled

Updating subject for release notes.

Actions

Copy link

#14

Updated by Jim Pingle over 2 years ago

Status changed from Feedback to Resolved

Option toggles correctly now. I can enable it and the option goes into the config. Disable it and it comes out.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Regression #13056

OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled

Updated by Jim Pingle over 2 years ago

Updated by Michael Ruder over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Michael Ruder over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Thorsten Zitterell over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Jim Pingle over 2 years ago