Project

General

Profile

Bug #4521

Issue with OpenVPN certificate depth validation and long certificate subjects

Added by David Durrleman over 5 years ago. Updated 8 months ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
Start date:
03/14/2015
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.2
Affected Architecture:

Description

There seems to be an issue in pfsense's custom certificate depth verification for OpenVPN connections. When long certificate subjects are used, the validation fails. Here is how to repro:

Create three certificate with subjects:

A) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myvpn.mylongsubdomainname.mylongdomainname.com
B) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myclient.mylongsubdomainname.mylongdomainname.com
C) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myclient2.mylongsubdomainname.mylongdomainname.com

Create a vpn server using certificate A, turn on depth validation, and try to authenticate with clients using certificates B and C. Certificate B will be recognized by the server, but certificate C won't.
If depth validation is turned off, both certificates will be recognized correctly.

I have tracked this down to a failure to execute /usr/local/sbin/ovpn_auth_verify. My intuition (not verified) is that /usr/local/sbin/fcgicli doesn't like it when the url parameters are too long. But here, "long" is less than 250 chars, which is a pretty low limit.

Per the mailing list, it may be related to https://redmine.pfsense.org/issues/4329, although I was not able to confirm it is exactly the same issue, so I chose to open a new one. I'm guessing it would be easier for maintainers to merge if they are duplicates, than to split if they aren't.

History

#1 Updated by Jim Pingle 11 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

This is likely less of an issue now that emailAddress is no longer usable in the subject, but might still be hit with long enough state/city/org/org unit/cn contents

#2 Updated by Viktor Gurov 9 months ago

  • Status changed from New to Confirmed

same issue on pfSense 2.5.0.a.20200212.1057

it fails if subject string > 128

https://github.com/pfsense/FreeBSD-ports/blob/devel/sysutils/check_reload_status/files/fcgicli.c
It seems there is an error in build_nvpair(), this part:

    if (lvalue < 128 || lvalue > 65535)
        sbuf_putc(sb, lvalue);
    else
        sbuf_printf(sb, "%c%c%c%c", (u_char)((lvalue >> 24) | 0x80), (u_char)((lvalue >> 16) & 0xFF), (u_char)((lvalue >> 16) & 0xFF), (u_char)(lvalue & 0xFF));

#3 Updated by Jim Pingle 9 months ago

  • Assignee deleted (Jim Pingle)

#4 Updated by Viktor Gurov 8 months ago

short subject test:

/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"                                                                                                       OK

long subject:

/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123" 
Something wrong happened while reading request

Also available in: Atom PDF