Bug #1587

closed

The openvpn client configuration exporter doesn't enforce TLS subject verification

Added by Florent Daigniere about 13 years ago. Updated about 13 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: -
Target version: -
Start date: 06/08/2011
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.0
Affected Plus Version:
Affected Architecture: All

Description

Hi,

The openvpn client configuration exporter doesn't enforce TLS subject verification. This leads to a security vulnerability whereby if an attacker is in possession of any certificate signed by the CA, he can perform an active MitM attack against other peers. "clients" of the server are in that situation and can man-in-the-middle each other.

The proper way of doing things is to use "tls-remote" to ensure no MITM is taking place and the server the client is connecting to is the right one.

Something like the following should be added to /usr/local/pkg/openvpn-client-export.inc ... except it requires the CN and not the full subject (my php sucks)

$conf .= "tls-remote ".cert_get_subject($server_cert['crt'])."\n";
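An added example (not pfSense's code and not the reporter's) of how the exporter could emit the directive with only the certificate's CN, as the report asks for. It assumes $server_cert['crt'] holds the server certificate as PEM text and that PHP's openssl extension is available; the function names are hypothetical.

```php
<?php
// Added example (not pfSense's own code): derive the client's subject-verification
// line from the server certificate's CN rather than its full subject string.
// Assumes $crt_pem is the server certificate as PEM text.

/**
 * Return the CN of a PEM certificate, or null when it cannot be determined.
 */
function cert_get_cn(string $crt_pem): ?string
{
    $parsed = openssl_x509_parse($crt_pem);
    if ($parsed === false || empty($parsed['subject']['CN'])) {
        return null;
    }
    $cn = $parsed['subject']['CN'];
    // A subject with several CN components is returned as an array; use the first.
    return is_array($cn) ? (string) reset($cn) : (string) $cn;
}

/**
 * Build the client-side subject-verification directive.
 * $directive is "tls-remote" (as in the report) or "verify-x509-name" on
 * OpenVPN 2.4 and later, where tls-remote was removed.
 */
function openvpn_tls_remote_line(string $crt_pem, string $directive = 'tls-remote'): string
{
    $cn = cert_get_cn($crt_pem);
    if ($cn === null) {
        // Refuse to export a config that would silently skip server verification.
        throw new RuntimeException('server certificate has no CN');
    }
    // Quote the value when it contains whitespace so OpenVPN reads it as one argument.
    $arg = preg_match('/\s/', $cn) ? '"' . addcslashes($cn, '"\\') . '"' : $cn;
    $line = "$directive $arg";
    if ($directive === 'verify-x509-name') {
        $line .= ' name'; // the "name" type matches the CN only, not the full DN
    }
    return $line . "\n";
}

// Hypothetical placement in openvpn-client-export.inc:
// $conf .= openvpn_tls_remote_line($server_cert['crt']);
```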
