Bug #3602
OpenVPN can authenticate via a broken certificate (closed)
Status: Rejected
Priority: Normal
Assignee: -
Category: VPN (Multiple Types)
Target version: -
Start date: 04/12/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:
Updated by Doktor Notor about 10 years ago
I am not sure what's the bug here? AFAICT OpenVPN only tries to match user against Common Name (not SAN!) in the client certificate (and forcing that is not even enabled by default, there is a Strict User/CN Matching checkbox for this purpose.) Other than that, as long as the certificate has been issued by the peer CA you configured and is not on the CRL, it will be accepted.
It really would be better to start some forum thread before filing bugs like this.
Updated by Jim Pingle about 10 years ago
- Status changed from New to Rejected
That is correct. OpenVPN only checks that the cert is a valid cert (not expired, not revoked) from the same CA as the server. The strict user/CN matching should only match the CN against the authenticated username. There is no bug here as described.
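The checks described in the two comments above, reproduced with the `openssl` CLI as an added example (not part of the original ticket and not OpenVPN or pfSense code). The CA names, user names and SAN value are constructed, the helper function names are hypothetical, and the CRL check is left out.

```shell
#!/bin/sh
# Added illustration: chain validation against the configured CA, plus the
# optional "strict user/CN" comparison. All names below are constructed.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca <name>: self-signed CA certificate with CN=<name>
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue <ca> <cn> <san>: client cert signed by <ca>; the SAN deliberately
# need not agree with the CN
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$work/$2.ext"
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.crt" \
    -CAkey "$work/$1.key" -CAcreateserial -days 1 \
    -extfile "$work/$2.ext" -out "$work/$2.crt" 2>/dev/null
}

# chain_ok <ca> <cn>: signature chain and validity period only;
# the SAN is never compared with anything here
chain_ok() {
  openssl verify -CAfile "$work/$1.crt" "$work/$2.crt" >/dev/null 2>&1
}

# cert_cn <cn>: print the subject Common Name of the issued certificate
cert_cn() {
  openssl x509 -in "$work/$1.crt" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# strict_cn_ok <cn> <username>: the optional strict user/CN comparison
strict_cn_ok() { [ "$(cert_cn "$1")" = "$2" ]; }

make_ca peer-ca; make_ca other-ca
issue peer-ca alice unrelated.example
chain_ok peer-ca alice   && echo "peer CA: accepted despite unrelated SAN"
chain_ok other-ca alice  || echo "other CA: rejected"
strict_cn_ok alice alice && echo "user alice vs CN: match"
strict_cn_ok alice bob   || echo "user bob vs CN: rejected"
```
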