Bug #3694
Closed: Some certificates not in CRL are also blocked
Description
Hi,
I have an OpenVPN server with many users. Three of them are in a CRL that is used by the OpenVPN server.
Another user, which is NOT in the CRL, is also blocked.
When I try to connect, the server stops sending data / answering requests (like it does for all legitimately blocked users):
Thu Jun 5 15:47:54 2014 us=299224 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #50 ] [ 19 ]
Thu Jun 5 15:47:54 2014 us=299276 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #55 ] [ ] pid=23 DATA len=100
Thu Jun 5 15:47:54 2014 us=316243 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #51 ] [ 20 ]
Thu Jun 5 15:47:54 2014 us=316329 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #56 ] [ ] pid=24 DATA len=100
Thu Jun 5 15:47:54 2014 us=322205 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #52 ] [ 21 ]
Thu Jun 5 15:47:54 2014 us=322289 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #57 ] [ ] pid=25 DATA len=100
Thu Jun 5 15:47:54 2014 us=325393 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #53 ] [ 22 ]
Thu Jun 5 15:47:54 2014 us=325555 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #58 ] [ ] pid=26 DATA len=100
Thu Jun 5 15:47:54 2014 us=331031 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #54 ] [ 23 ]
Thu Jun 5 15:47:54 2014 us=331083 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #59 ] [ ] pid=27 DATA len=100
Thu Jun 5 15:47:54 2014 us=350127 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #55 ] [ 24 ]
Thu Jun 5 15:47:54 2014 us=350234 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #60 ] [ ] pid=28 DATA len=100
Thu Jun 5 15:47:54 2014 us=356120 UDPv4 READ [50] from [AF_INET]XXX.XXX.XXX.XXX:1194: P_ACK_V1 kid=0 pid=[ #56 ] [ 25 ]
Thu Jun 5 15:47:54 2014 us=356200 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #61 ] [ ] pid=29 DATA len=100
Thu Jun 5 15:47:56 2014 us=810121 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #62 ] [ ] pid=28 DATA len=100
Thu Jun 5 15:47:58 2014 us=37638 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #63 ] [ ] pid=26 DATA len=100
Thu Jun 5 15:47:58 2014 us=37790 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #64 ] [ ] pid=29 DATA len=100
Thu Jun 5 15:47:59 2014 us=265235 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #65 ] [ ] pid=27 DATA len=100
Thu Jun 5 15:48:00 2014 us=492755 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #66 ] [ ] pid=28 DATA len=100
Thu Jun 5 15:48:02 2014 us=947535 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #67 ] [ ] pid=26 DATA len=100
Thu Jun 5 15:48:04 2014 us=174930 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #68 ] [ ] pid=27 DATA len=100
Thu Jun 5 15:48:04 2014 us=175050 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=29 DATA len=100
Thu Jun 5 15:48:08 2014 us=443733 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=28 DATA len=100
Thu Jun 5 15:48:10 2014 us=578226 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #71 ] [ ] pid=26 DATA len=100
Thu Jun 5 15:48:12 2014 us=712743 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=27 DATA len=100
Thu Jun 5 15:48:13 2014 us=780101 UDPv4 WRITE [142] to [AF_INET]XXX.XXX.XXX.XXX:1194: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=29 DATA len=100
Other users are not affected...
If I set the "Peer Certificate Revocation List" setting back to "none", he can connect (as can all of the users in the CRL).
I've checked config.xml for a potential misconfiguration, but the CN and private key are unique and specific to each user.
Any ideas?
Updated by Jim Pingle over 10 years ago
- Status changed from New to Rejected
The most likely explanation is that you somehow have a serial number collision, so both certs have the same serial number. Certificates are revoked by serial number, so that's the most common way that a revocation would affect multiple certificates. Follow up on the forum for discussion, but there's no bug here.
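As an added illustration of the explanation above (this is not pfSense's or OpenVPN's code), the following models how a CRL is matched against presented certificates and shows why a duplicate serial blocks a certificate that was never revoked; it also goes one step further with a check that would have flagged the collision before the CRL was applied. The CA name, user names and serial numbers are constructed for the example.

```python
# Added example, not from the pfSense tracker or the OpenVPN/pfSense code base.
# Models CRL matching to show why a serial-number collision blocks a
# certificate that was never revoked, and how to detect such collisions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str   # issuing CA's DN
    cn: str       # subject CN (what an administrator usually looks at)
    serial: int   # what a CRL entry actually identifies the certificate by


def is_revoked(cert, crl_issuer, revoked_serials):
    """RFC 5280-style check: a CRL entry names a certificate only by serial
    number within the scope of the CRL's issuer; the subject CN plays no part."""
    return cert.issuer == crl_issuer and cert.serial in revoked_serials


def find_serial_collisions(certs):
    """Return {(issuer, serial): [cn, ...]} for every serial issued more than once.
    Running this over the CA's issued certificates before enabling a CRL
    reveals which unrevoked users would be caught by a revocation."""
    by_key = defaultdict(list)
    for c in certs:
        by_key[(c.issuer, c.serial)].append(c.cn)
    return {k: v for k, v in by_key.items() if len(v) > 1}


# Constructed sample: one CA, five users, three revoked. "dave" was never
# revoked but was issued the same serial as "carol" (a hypothetical collision
# like the one suspected in the ticket).
CA = "CN=Example VPN CA"
CERTS = [
    Cert(CA, "alice", 1), Cert(CA, "bob", 2), Cert(CA, "carol", 3),
    Cert(CA, "dave", 3),   # hypothetical duplicate serial
    Cert(CA, "erin", 5),
]
REVOKED = {1, 2, 3}        # serials listed in the CRL


def blocked_users(certs=CERTS, crl_issuer=CA, revoked=REVOKED):
    """CNs the CRL blocks: the three revoked users plus the collision victim."""
    return sorted(c.cn for c in certs if is_revoked(c, crl_issuer, revoked))


if __name__ == "__main__":
    print("blocked:", blocked_users())          # dave is blocked alongside carol
    print("collisions:", find_serial_collisions(CERTS))
```

Unique serials must be enforced at issuance; once a collision exists, the only clean fix is to reissue one of the two certificates with a fresh serial.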
Updated by Laurent Legendre over 10 years ago
OK, thanks for your quick answer.
You're right, 2 certificates have the same serial number.
Forum topic for further discussion https://forum.pfsense.org/index.php?topic=77863.0