Bug #14048

closed

OpenVPN: Disabled "Client Certificate Key Usage Validation" Not Always Honored

Added by Federico Capoano over 1 year ago. Updated over 1 year ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

I have noticed an issue with OpenVPN in version 2.6.0.

I have a remote access VPN with UDP in tap mode.
When pfSense is rebooted, clients cannot connect because of this error:

VERIFY EKU ERROR

However, the "Client Certificate Key Usage Validation" flag is disabled in the OpenVPN configuration.
If I enable the flag, save, then disable the flag again and save again, clients can connect again.

I can also trigger the issue by just changing the verbosity level, without touching the disabled "Client Certificate Key Usage Validation" flag: clients will not connect again, and I need to use the same trick described above to resolve it.

My impression is that the disabled "Client Certificate Key Usage Validation" flag is honored only right after disabling this flag and saving, but if any other change is done, or if the system comes back after a reboot, it seems OpenVPN behaves as if this check is enabled, even though it's explicitly disabled in the conf.
