Bug #3602

closed

OpenVPN can authenticate via a broken certificate

Added by B. Derman about 10 years ago. Updated about 10 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: VPN (Multiple Types)
Target version: -
Start date: 04/12/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

Actions #1

Updated by Doktor Notor about 10 years ago

I am not sure what's the bug here? AFAICT OpenVPN only tries to match user against Common Name (not SAN!) in the client certificate (and forcing that is not even enabled by default, there is a Strict User/CN Matching checkbox for this purpose.) Other than that, as long as the certificate has been issued by the peer CA you configured and is not on the CRL, it will be accepted.

It really would be better to start some forum thread before filing bugs like this.

Actions #2

Updated by Jim Pingle about 10 years ago

  • Status changed from New to Rejected

That is correct. OpenVPN only checks that the cert is a valid cert (not expired, not revoked) from the same CA as the server. The strict user/CN matching should only match the CN against the authenticated username. There is no bug here as described.
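A runnable model of the two checks the comments above describe, added here as an example; it is not pfSense or OpenVPN code. It assumes the `openssl` CLI is installed, builds constructed throwaway CAs and a client certificate (CN=alice, SAN bob), uses the hypothetical functions `make_pki` and `decide`, and leaves the CRL check out.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and one client certificate, made locally.
# Names (demo-ca, demo-other, alice, bob) and both functions are hypothetical.

# make_pki DIR: CA "demo-ca", unrelated CA "demo-other", and a client
# certificate signed by demo-ca with CN=alice and subjectAltName DNS:bob.
make_pki() {
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo-$ca" -keyout "$1/$ca.key" -out "$1/$ca.crt" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    printf 'subjectAltName=DNS:bob\n' > "$1/san.ext"
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/client.crt" 2>/dev/null
}

# decide CAFILE CERT USERNAME STRICT(yes|no): print the decision.
decide() {
    # Step 1: the certificate must chain to the configured CA and be in date.
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "reject: chain"; return 0
    fi
    # Step 2: only with strict matching is the username compared, and only
    # against the subject CN; subjectAltName is never consulted.
    if [ "$4" = "yes" ]; then
        cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
             sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
        [ "$cn" = "$3" ] || { echo "reject: cn"; return 0; }
    fi
    echo accept
}

d=$(mktemp -d) && make_pki "$d"
decide "$d/ca.crt"    "$d/client.crt" bob   no    # accept (username not compared)
decide "$d/ca.crt"    "$d/client.crt" bob   yes   # reject: cn (SAN bob is ignored)
decide "$d/ca.crt"    "$d/client.crt" alice yes   # accept
decide "$d/other.crt" "$d/client.crt" alice yes   # reject: chain
rm -rf "$d"
```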
