Bug #4521

closed

OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgicli``

Added by David Durrleman over 6 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
03/14/2015
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

There seems to be an issue in pfsense's custom certificate depth verification for OpenVPN connections. When long certificate subjects are used, the validation fails. Here is how to repro:

Create three certificates with subjects:

A) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myvpn.mylongsubdomainname.mylongdomainname.com
B) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myclient.mylongsubdomainname.mylongdomainname.com
C) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myclient2.mylongsubdomainname.mylongdomainname.com

Create a vpn server using certificate A, turn on depth validation, and try to authenticate with clients using certificates B and C. Certificate B will be recognized by the server, but certificate C won't.
If depth validation is turned off, both certificates will be recognized correctly.

I have tracked this down to a failure to execute /usr/local/sbin/ovpn_auth_verify. My intuition (not verified) is that /usr/local/sbin/fcgicli doesn't like it when the url parameters are too long. But here, "long" is less than 250 chars, which is a pretty low limit.

Per the mailing list, it may be related to https://redmine.pfsense.org/issues/4329, although I was not able to confirm it is exactly the same issue, so I chose to open a new one. I'm guessing it would be easier for maintainers to merge if they are duplicates, than to split if they aren't.


Files

154.diff (1.4 KB) Viktor Gurov, 02/26/2021 08:41 AM
ovpn-auth-verify-async-use-phpcgi.diff (713 Bytes) Thomas Högemann, 03/04/2021 08:11 AM

Related issues

Related to Regression #12382: Certificate Depth checking creates OpenVPN micro-outages every time a user authenticates after 2.5.2 upgrade (New)

Actions #1

Updated by Jim Pingle almost 2 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

This is likely less of an issue now that emailAddress is no longer usable in the subject, but might still be hit with long enough state/city/org/org unit/cn contents.

Actions #2

Updated by Viktor Gurov over 1 year ago

  • Status changed from New to Confirmed

same issue on pfSense 2.5.0.a.20200212.1057

it fails if the subject string is > 128 characters

https://github.com/pfsense/FreeBSD-ports/blob/devel/sysutils/check_reload_status/files/fcgicli.c
It seems there is an error in build_nvpair(), in this part:

```
/* Length-prefix logic quoted from build_nvpair() in fcgicli.c: the first branch
   emits one byte for lengths below 128 and also for lengths above 65535; the
   four-byte branch writes (lvalue >> 16) into both the second and the third byte. */
if (lvalue < 128 || lvalue > 65535)
    sbuf_putc(sb, lvalue);
else
    sbuf_printf(sb, "%c%c%c%c",
        (u_char)((lvalue >> 24) | 0x80),
        (u_char)((lvalue >> 16) & 0xFF),
        (u_char)((lvalue >> 16) & 0xFF),
        (u_char)(lvalue & 0xFF));
```
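
As an added example that is not part of this bug thread and not fcgicli's own code: a FastCGI name-value length prefix encoder and decoder in C written to the FastCGI specification (section 3.4: one byte for lengths below 128, otherwise four big-endian bytes with the high bit of the first byte set), placed next to a copy of the prefix logic as quoted in the excerpt above so the two can be compared byte for byte. The pair encoder, the decoder, the helper names and the constructed 299-character sample subject are assumptions of the example, not anything from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Spec-compliant FastCGI length prefix: a length below 128 is one byte;
 * anything larger is four bytes, big-endian, with the high bit of the first
 * byte set. Returns the number of bytes written. */
size_t fcgi_put_len(uint8_t *out, uint32_t len)
{
    if (len < 128) {
        out[0] = (uint8_t)len;
        return 1;
    }
    out[0] = (uint8_t)((len >> 24) | 0x80);
    out[1] = (uint8_t)((len >> 16) & 0xFF);
    out[2] = (uint8_t)((len >> 8) & 0xFF);   /* bits 8..15 belong in the third byte */
    out[3] = (uint8_t)(len & 0xFF);
    return 4;
}

/* The same prefix written the way the build_nvpair() excerpt quoted above does
 * it, kept only for comparison: the third byte repeats bits 16..23 instead of
 * carrying bits 8..15, and lengths above 65535 fall back to a single byte. */
size_t fcgi_put_len_as_quoted(uint8_t *out, uint32_t len)
{
    if (len < 128 || len > 65535) {
        out[0] = (uint8_t)len;
        return 1;
    }
    out[0] = (uint8_t)((len >> 24) | 0x80);
    out[1] = (uint8_t)((len >> 16) & 0xFF);
    out[2] = (uint8_t)((len >> 16) & 0xFF);
    out[3] = (uint8_t)(len & 0xFF);
    return 4;
}

/* Decode a length prefix as a FastCGI server would. Returns the number of
 * bytes consumed, or 0 if the buffer is too short to hold the prefix. */
size_t fcgi_get_len(const uint8_t *in, size_t avail, uint32_t *len)
{
    if (avail < 1)
        return 0;
    if ((in[0] & 0x80) == 0) {
        *len = in[0];
        return 1;
    }
    if (avail < 4)
        return 0;
    *len = ((uint32_t)(in[0] & 0x7F) << 24) | ((uint32_t)in[1] << 16)
         | ((uint32_t)in[2] << 8) | in[3];
    return 4;
}

/* What a spec-following server reads back when a value of the given length is
 * framed by the supplied encoder. */
uint32_t decoded_len(size_t (*put)(uint8_t *, uint32_t), uint32_t len)
{
    uint8_t buf[4];
    uint32_t out = 0;
    size_t n = put(buf, len);
    fcgi_get_len(buf, n, &out);
    return out;
}

/* Encode one name-value pair into buf; returns the record size, or 0 if it
 * does not fit. The server reads both prefixes and then exactly that many
 * bytes of name and value, so a wrong prefix desynchronises the whole record. */
size_t fcgi_encode_pair(uint8_t *buf, size_t cap, const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value), h = 0;
    uint8_t hdr[8];
    h += fcgi_put_len(hdr + h, (uint32_t)nlen);
    h += fcgi_put_len(hdr + h, (uint32_t)vlen);
    if (h + nlen + vlen > cap)
        return 0;
    memcpy(buf, hdr, h);
    memcpy(buf + h, name, nlen);
    memcpy(buf + h + nlen, value, vlen);
    return h + nlen + vlen;
}

/* Constructed sample: a "certsubject" value of 299 'q' characters, the shape of
 * the long test in this thread. Returns the encoded record size. */
size_t sample_record_size(void)
{
    char subject[300];
    uint8_t rec[512];
    memset(subject, 'q', sizeof subject - 1);
    subject[sizeof subject - 1] = '\0';
    return fcgi_encode_pair(rec, sizeof rec, "certsubject", subject);
}

int main(void)
{
    printf("spec prefix: 299 decodes as %u; quoted prefix: 299 decodes as %u\n",
           decoded_len(fcgi_put_len, 299), decoded_len(fcgi_put_len_as_quoted, 299));
    printf("sample record size: %zu bytes\n", sample_record_size());
    return 0;
}
```

Compiled with `cc` and run, a 299-byte value is framed correctly by the spec version, while the quoted form produces a prefix a server decodes as 43, so only 43 of the 299 bytes would be taken as the value and the rest of the record is read out of step. Lengths between 128 and 255 happen to decode identically in both forms because bits 8..15 are zero there, which is why a moderately long test can pass while a longer subject fails.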

Actions #3

Updated by Jim Pingle over 1 year ago

  • Assignee deleted (Jim Pingle)
Actions #4

Updated by Viktor Gurov over 1 year ago

short subject test:

```
/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"
OK
```

long subject:

```
/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
Something wrong happened while reading request
```

Actions #5

Updated by Steve Beaver 11 months ago

  • Target version changed from 2.5.0 to CE-Next
Actions #6

Updated by Viktor Gurov 8 months ago

another php-cgi issue: #9460

Actions #7

Updated by Jim Pingle 8 months ago

That other issue is old/closed, not likely to be the same. Even so, if it came up again, it needs a fresh issue with current details/test results and marked as a regression.

Actions #8

Updated by Rick Frey 8 months ago

Ran into this issue after updating pfSense (+) to 21.02, so it appears the problem still exists in the latest version. I have a self-generated CA with a longer subject and it fails with "Something wrong happened while reading request" when the value for the certsubject key is > 103 chars. Looks like /etc/inc/openvpn.tls-verify.php doesn't really even use the certsubject (converts to CN with a comment about future use).
Mainly wanted to confirm that failure from subject length is still a problem.

Actions #10

Updated by Jim Pingle 8 months ago

  • Status changed from Confirmed to Pull Request Review
  • Affected Version deleted (2.2)
Actions #11

Updated by Viktor Gurov 8 months ago

Rick Frey wrote:

Ran into this issue after updating pfSense (+) to 21.02, so it appears the problem still exists in the latest version. I have a self-generated CA with a longer subject and it fails with "Something wrong happened while reading request" when the value for the certsubject key is > 103 chars. Looks like /etc/inc/openvpn.tls-verify.php doesn't really even use the certsubject (converts to CN with a comment about future use).
Mainly wanted to confirm that failure from subject length is still a problem.

Could you test this patch?

Actions #12

Updated by Robert Rumold 8 months ago

Nice! Thank you! Worked for me :)

```
// RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")

RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.auth-user.php "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
// RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
```

Actions #13

Updated by Rick Frey 8 months ago

Replacing fcgicli with php-cgi works for me as well when using a self-generated cert, intermediate and root CA with lengthy subjects. I added a logging statement to log the output of each command. fcgicli returns "_Something wrong happened while reading request_" whereas php-cgi returns "OK". Note that I only tested cert depth as I don't use user credentials.

Thanks Viktor.

Actions #14

Updated by Summer Sea 8 months ago

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

```
[21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"
OK
[21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
Something wrong happened while reading request
```

the link: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/154 is broken

```
[21.02-RELEASE]/root: /usr/local/bin/php-cgi -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
PHP: syntax error, unexpected '=' in Unknown on line 1
```

What and where exactly should fcgicli be replaced?
Thanks, BR

Actions #15

Updated by Viktor Gurov 8 months ago

Summer Sea wrote:

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

Please try to apply patch 154.diff

Actions #16

Updated by Alex P 8 months ago

I'm having the same exact issue after updating the AWS pfSense appliance to 21.02_1. The only branches I see on the System Update page are "Latest stable 21.02.x", "Previous stable 2.4.5 DEPRECATED" and "Latest dev snapshot". Apparently, v2.4.5 didn't have this problem, but it's been deprecated and I can't install any packages on it.

What is the recommended way to apply the patch? Do I just ssh in and edit ovpn_auth_verify? Or is there a better way?

And does anyone know when this is going to be fixed in the stable branch?

Actions #17

Updated by Foo Bar 8 months ago

Thanks a lot for the patch! After updating to 21.02-RELEASE-p1, OpenVPN failed to connect. I use my own CA with depth 2 and no user/pass. I applied the patch (154.diff), which replaces fcgicli with php-cgi, and the VPN works again. My CNs have spaces, but the additional escaping (\\$5\\) as discussed in the forum (https://forum.netgate.com/topic/161208/openvpn-2-5-0-certificate-verification-fails/24) was not necessary. Just the patch has to be applied.

Actions #18

Updated by Summer Sea 8 months ago

Viktor Gurov wrote:

Summer Sea wrote:

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

Please try to apply patch 154.diff

Please be patient; I've seen the rows that should be changed, but looking for the file on the pfSense box I cannot find it. How can I apply the patch?

```
/root: vi +27 /usr/local/sbin/openvpn
openvpn*                  openvpn-client*           openvpn.attributes.sh*    openvpn.learn-address.sh*
```

Actions #19

Updated by Viktor Gurov 8 months ago

Summer Sea wrote:

Viktor Gurov wrote:

Summer Sea wrote:

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

Please try to apply patch 154.diff

Please be patient; I've seen the rows that should be changed, but looking for the file on the pfSense box I cannot find it. How can I apply the patch?
[...]

You need to install the System Patches package and paste the content of 154.diff
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Actions #20

Updated by Summer Sea 8 months ago

Viktor Gurov wrote:

You need to install the System Patches package and paste the content of 154.diff
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Thank you, I've installed the package, started with another patch but it says:

```
/usr/bin/patch --directory=/ -t -p2 -i /var/patches/6040bbebd1153.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From bdaa35dcf31def521ba8c60c0aa9c41bf5005311 Mon Sep 17 00:00:00 2001
|From: jim-p 
|Date: Tue, 23 Feb 2021 16:24:49 -0500
|Subject: [PATCH] Try parsing four digit years in cert timestamps. Fixes #11504
|
|---
| src/etc/inc/certs.inc | 4 ++++
| 1 file changed, 4 insertions(+)
|
|diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
|index 050d1860026..42ebf8f74e5 100644
|--- a/src/etc/inc/certs.inc
|+++ b/src/etc/inc/certs.inc
--------------------------
Patching file etc/inc/certs.inc using Plan A...
Hunk #1 failed at 707.
1 out of 1 hunks failed while patching etc/inc/certs.inc
done
```

Actions #21

Updated by Viktor Gurov 8 months ago

Summer Sea wrote:

Viktor Gurov wrote:

You need to install the System Patches package and paste the content of 154.diff
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Thank you, I've installed the package, started with another patch but it says:

[...]

This site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.

Actions #22

Updated by Thomas Högemann 8 months ago

This patch should also take ovpn_auth_verify_async into consideration, right? I do have the issue, but not because of long certificate subjects; rather because of a very long 2nd factor that is appended to the password.

A working fix is already here: https://redmine.pfsense.org/projects/pfsense/repository/revisions/ce76f299853dccb036de229f08a30013593c98fd/diff

Also attached for System Patches; I verified this fixes the issue in my situation.

Actions #23

Updated by Jim Pingle 7 months ago

  • Target version changed from CE-Next to 2.5.1
Actions #24

Updated by Jim Pingle 7 months ago

  • Subject changed from Issue with OpenVPN certificate depth validation and long certificate subjects to OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgicli``

Updating subject for release notes.

Actions #25

Updated by Haraldinho D 7 months ago

I use both certs and authentication in my setup. The 154.diff patch has solved the cert issue, but the next hurdle now is the authentication. See below verbose snippet from Tunnelblick. I am sure the credentials are correct. The password is very long, 64 chars. Is this a similar data size length issue as the cert issue?

```
2021-03-14 11:57:28.396197 AUTH: Received control message: AUTH_FAILED
2021-03-14 11:57:28.396225 PKCS#11: pkcs11h_logout entry
2021-03-14 11:57:28.396274 PKCS#11: pkcs11h_logout return rv=0-'CKR_OK'
2021-03-14 11:57:28.396349 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7f8e1d70c7f0, ptr=0x0, ad=0x7f8e1d70c858, idx=1, argl=0, argp=0x10efb58d8
2021-03-14 11:57:28.396381 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7f8e1d70df00, ptr=0x0, ad=0x7f8e1d70df68, idx=1, argl=0, argp=0x10efb58d8
2021-03-14 11:57:28.396431 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7f8e1d70b0f0, ptr=0x0, ad=0x7f8e1d70b158, idx=1, argl=0, argp=0x10efb58d8
2021-03-14 11:57:28.396472 TCP/UDP: Closing socket
2021-03-14 11:57:28.396538 SIGUSR1[soft,auth-failure] received, process restarting
2021-03-14 11:57:28.396553 MANAGEMENT: >STATE:1615719448,RECONNECTING,auth-failure,,,,,
2021-03-14 11:57:30.954090 *Tunnelblick: Disconnecting; user cancelled authorization or there was an error obtaining authorization
2021-03-14 11:57:31.098966 *Tunnelblick: Disconnecting using 'kill'
2021-03-14 11:57:31.246501 MANAGEMENT: CMD 'hold release'
2021-03-14 11:57:31.246617 MANAGEMENT: CMD 'hold release'
2021-03-14 11:57:31.263455 MANAGEMENT: Client disconnected
2021-03-14 11:57:31.263498 ERROR: could not read Auth username/password/ok/string from management interface
2021-03-14 11:57:31.263528 Exiting due to fatal error
2021-03-14 11:57:33.682618 *Tunnelblick: Expected disconnection occurred.
```

Actions #26

Updated by Haraldinho D 7 months ago

After re-reading the thread I interpreted Thomas' fix as potentially fixing my issue too. And it did. I can confirm the OVPN setup now works for me on pfSense 21.02.P1. Will both fixes be included in the next release of pfSense?

Actions #27

Updated by Jim Pingle 7 months ago

  • Status changed from Pull Request Review to Feedback

I pushed a change for both ovpn_auth_verify and ovpn_auth_verify_async to use php-cgi for the time being; the commit should show up shortly.

Eventually we need to address the underlying problem in fcgicli but I'm not sure that is viable to fix before the next point release.

Actions #28

Updated by Jim Pingle 7 months ago

  • % Done changed from 0 to 100
Actions #29

Updated by Renato Botelho 6 months ago

  • Assignee set to Jim Pingle
Actions #30

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Closed
Actions #31

Updated by Viktor Gurov about 1 month ago

  • Related to Regression #12382: Certificate Depth checking creates OpenVPN micro-outages every time a user authenticates after 2.5.2 upgrade added