OpenVPN: Disabled "Client Certificate Key Usage Validation" Not Always Honored
I have noticed an issue with OpenVPN in version 2.6.0.
I have a remote access VPN with UDP in tap mode.
When PfSense is rebooted, clients cannot connect because of this error:
VERIFY EKU ERROR
However, the "Client Certificate Key Usage Validation" flag is disabled in the OpenVPN configuration.
If I enable the flag, save, then disable the flag again and save again, clients can connect again.
I can trigger the issue also by just changing the verbosity level and not touching the disabled "Client Certificate Key Usage Validation" flag: clients will not connect again, I need to use the same trick described above to resolve.
My impression is that the disabled "Client Certificate Key Usage Validation" flag is honored only right after disabling this flag and saving, but if any other change is done, or if the system comes back after a reboot, it seems OpenVPN behaves as if this check is enabled, even though it's explicitly disabled in the conf.