pfSense

short subject test:

/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"                                                                                                       OK

long subject:

/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123" 
Something wrong happened while reading request

another php-cgi issue: #9460

That other issue is old/closed, not likely to be the same. Even so, if it came up again, it needs a fresh issue with current details/test results and marked as a regression.

Ran into this issue after updating pfsense (+) to 21.02 so appears problem still exists in latest version. Have a self generated CA with a longer subject and fails with "Something wrong happened while reading request" when value for certsubject key is > 103 chars. Looks like /etc/inc/openvpn.tls-verify.php doesn't really even use the certsubject (converts to CN with comment about future use).
Mainly wanted to confirm that failure from subject length is still a problem.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/154

Nice! Thank you! Worked for me :)

// RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")

RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.auth-user.php "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
// RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")

Replacing fcgicli with php-cgi works for me as well when using self generated cert, intermediate and root CA with lengthy subjects. I added logging statement to log output of each command. fcgicli returns "_Something wrong happened while reading request_" whereas php-cgi returns "OK". Note that I only tested cert depth as I don't use user credentials.

Thanks Viktor.

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

```
[21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"
OK
[21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
Something wrong happened while reading request
```

the link: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/154 is broken

```
[21.02-RELEASE]/root: /usr/local/bin/php-cgi -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
PHP: syntax error, unexpected '=' in Unknown on line 1
```

What and where exactly the fcgicli should be replaced?
Thanks, BR

Summer Sea wrote:

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

Please try to apply patch 154.diff

I'm having the same exact issue after updating aws pfsense appliance to 21.02_1. The only branches I see on the System Update page are "Latest stable 21.02.x", "Previous stable 2.4.5 DEPRECATED" and "Latest dev snapshot". Apparently, v2.4.5 didn't have this problem, but it's been deprecation and I can't install any packages on it.

What is the recommended way to apply the patch? Do I just ssh and edit ovpn_auth_verify? Or there's a better way?

And does anyone know when this is going to be fixed in stable branch?

Thanks a lot for the patch! After updating to 21.02-RELEASE-p1, the OpenVPN failed to connect. I use an own CA with depth 2 and no user/pass. I applied the patch (154.diff), which replaces fcgicli with php-cgi and the VPN works again. My CNs have spaces, but the additional escaping (\\$5\\) as discussed in the forum (https://forum.netgate.com/topic/161208/openvpn-2-5-0-certificate-verification-fails/24) was not necessary. Just the patch has to be applied.

Viktor Gurov wrote:

Summer Sea wrote:

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

Please try to apply patch 154.diff

Please be patient, I've seen the rows that should be changed, but looking for the file on the pfsense box I cannot find it, how can I apply the patch?

/root: vi +27 /usr/local/sbin/openvpn
openvpn*                  openvpn-client*           openvpn.attributes.sh*    openvpn.learn-address.sh*

Summer Sea wrote:

Viktor Gurov wrote:

Summer Sea wrote:

In the pfsense FE 21.02 the issue is still present, but I don't get how to fix it:

Please try to apply patch 154.diff

Please be patient, I've seen the rows that should be changed, but looking for the file on the pfsense box I cannot find it, how can I apply the patch?
[...]

You need to install the System Patches package and paste the content of 154.diff
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Viktor Gurov wrote:

You need to install the System Patches package and paste the content of 154.diff
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Thank you, I've installed the package, started with another patch but it says:

/usr/bin/patch --directory=/ -t -p2 -i /var/patches/6040bbebd1153.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From bdaa35dcf31def521ba8c60c0aa9c41bf5005311 Mon Sep 17 00:00:00 2001
|From: jim-p 
|Date: Tue, 23 Feb 2021 16:24:49 -0500
|Subject: [PATCH] Try parsing four digit years in cert timestamps. Fixes #11504
|
|---
| src/etc/inc/certs.inc | 4 ++++
| 1 file changed, 4 insertions(+)
|
|diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
|index 050d1860026..42ebf8f74e5 100644
|--- a/src/etc/inc/certs.inc
|+++ b/src/etc/inc/certs.inc
--------------------------
Patching file etc/inc/certs.inc using Plan A...
Hunk #1 failed at 707.
1 out of 1 hunks failed while patching etc/inc/certs.inc
done

Summer Sea wrote:

Viktor Gurov wrote:

You need to install the System Patches package and paste the content of 154.diff
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Thank you, I've installed the package, started with another patch but it says:

[...]

This site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .

See Reporting Issues with pfSense Software for more information.

I use both certs and authentication in my setup. The 154.diff patch has solved the cert issue, but the next hurdle now is the authentication. See below verbose snippet from Tunnelblick. I am sure the credentials are correct. The password is very long, 64 chars. Is this a similar data size length issue as the cert issue?

2021-03-14 11:57:28.396197 AUTH: Received control message: AUTH_FAILED
2021-03-14 11:57:28.396225 PKCS#11: pkcs11h_logout entry
2021-03-14 11:57:28.396274 PKCS#11: pkcs11h_logout return rv=0-'CKR_OK'
2021-03-14 11:57:28.396349 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7f8e1d70c7f0, ptr=0x0, ad=0x7f8e1d70c858, idx=1, argl=0, argp=0x10efb58d8
2021-03-14 11:57:28.396381 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7f8e1d70df00, ptr=0x0, ad=0x7f8e1d70df68, idx=1, argl=0, argp=0x10efb58d8
2021-03-14 11:57:28.396431 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7f8e1d70b0f0, ptr=0x0, ad=0x7f8e1d70b158, idx=1, argl=0, argp=0x10efb58d8
2021-03-14 11:57:28.396472 TCP/UDP: Closing socket
2021-03-14 11:57:28.396538 SIGUSR1[soft,auth-failure] received, process restarting
2021-03-14 11:57:28.396553 MANAGEMENT: >STATE:1615719448,RECONNECTING,auth-failure,,,,,
2021-03-14 11:57:30.954090 *Tunnelblick: Disconnecting; user cancelled authorization or there was an error obtaining authorization
2021-03-14 11:57:31.098966 *Tunnelblick: Disconnecting using 'kill'
2021-03-14 11:57:31.246501 MANAGEMENT: CMD 'hold release'
2021-03-14 11:57:31.246617 MANAGEMENT: CMD 'hold release'
2021-03-14 11:57:31.263455 MANAGEMENT: Client disconnected
2021-03-14 11:57:31.263498 ERROR: could not read Auth username/password/ok/string from management interface
2021-03-14 11:57:31.263528 Exiting due to fatal error
2021-03-14 11:57:33.682618 *Tunnelblick: Expected disconnection occurred.

After re-reading the thread I interpreted Thomas' fix as potentially fixing my issue too. And it did. I can confirm the OVPN setup now works for me on pfSense 21.02.P1. Will both fixes be included in the next release of pfSense?

fcgicli bugs fixed in freebsd-ports/devel change 2993b0084175e2d998f0f294b985371989677d7d

fcgicli restored to execution of ovpn_auth_verify_* in 758ee42ae096fee8436efc89f2c9bcc4ae7ea23d