Bug #3602

OpenVPN can authenticate via a broken certificate

Added by B. Derman about 6 years ago. Updated about 6 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: VPN (Multiple Types)
Target version: -
Start date: 04/12/2014
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.1
Affected Architecture:

Description

History

#1 Updated by Doktor Notor about 6 years ago

I am not sure what's the bug here? AFAICT OpenVPN only tries to match user against Common Name (not SAN!) in the client certificate (and forcing that is not even enabled by default, there is a Strict User/CN Matching checkbox for this purpose.) Other than that, as long as the certificate has been issued by the peer CA you configured and is not on the CRL, it will be accepted.

It really would be better to start some forum thread before filing bugs like this.

#2 Updated by Jim Pingle about 6 years ago

  • Status changed from New to Rejected

That is correct. OpenVPN only checks that the cert is a valid cert (not expired, not revoked) from the same CA as the server. The strict user/CN matching should only match the CN against the authenticated username. There is no bug here as described.
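The acceptance rules described in the two updates above, as an added example that is not part of the original ticket and is not OpenVPN or pfSense code. It is a simplified model: `ClientCert`, `accept_client` and all sample values are constructed, chain validation is reduced to an issuer-name comparison, and the exact-string CN comparison is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ClientCert:
    """Constructed stand-in for the certificate fields the thread mentions."""
    issuer: str
    serial: int
    common_name: str
    not_before: datetime
    not_after: datetime
    subject_alt_names: list = field(default_factory=list)  # never consulted

def accept_client(cert, username, *, peer_ca, crl_serials, now, strict_cn=False):
    """Return (accepted, reason) for a client certificate and login name."""
    # Simplification: a real check verifies the signature chain to the CA.
    if cert.issuer != peer_ca:
        return False, "not issued by the configured peer CA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if cert.serial in crl_serials:
        return False, "revoked (serial on CRL)"
    # Strict User/CN Matching is off by default and looks at the CN only.
    # Assumption: the comparison is an exact string match.
    if strict_cn and cert.common_name != username:
        return False, "CN does not match authenticated username"
    return True, "accepted"

def demo():
    utc = timezone.utc
    now = datetime(2014, 4, 12, tzinfo=utc)
    # Constructed certificate: CN is "alice", SAN names a different identity.
    cert = ClientCert("Example-CA", 7, "alice",
                      datetime(2014, 1, 1, tzinfo=utc),
                      datetime(2015, 1, 1, tzinfo=utc),
                      ["bob@example.invalid"])
    base = dict(peer_ca="Example-CA", now=now)
    return {
        "default, user bob": accept_client(cert, "bob", crl_serials={99}, **base),
        "strict, user bob": accept_client(cert, "bob", crl_serials={99}, strict_cn=True, **base),
        "strict, user alice": accept_client(cert, "alice", crl_serials={99}, strict_cn=True, **base),
        "revoked": accept_client(cert, "alice", crl_serials={7}, **base),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the default setting any unexpired, unrevoked certificate from the peer CA is accepted for any username, so deployments that rely on per-user certificates need the strict option enabled and the CRL kept current.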
