Bug #4521

OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgicli``

Added by David Durrleman over 9 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Category: OpenVPN
Start date: 03/14/2015
% Done: 100%
Release Notes: Default

Description

There seems to be an issue in pfSense's custom certificate depth verification for OpenVPN connections. When long certificate subjects are used, the validation fails. Here is how to repro:

Create three certificates with subjects:

A) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myvpn.mylongsubdomainname.mylongdomainname.com
B) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myclient.mylongsubdomainname.mylongdomainname.com
C) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=, CN=myclient2.mylongsubdomainname.mylongdomainname.com

Create a vpn server using certificate A, turn on depth validation, and try to authenticate with clients using certificates B and C. Certificate B will be recognized by the server, but certificate C won't.
If depth validation is turned off, both certificates will be recognized correctly.

I have tracked this down to a failure to execute /usr/local/sbin/ovpn_auth_verify. My intuition (not verified) is that /usr/local/sbin/fcgicli doesn't like it when the URL parameters are too long. But here, "long" is less than 250 chars, which is a pretty low limit.

Per the mailing list, it may be related to https://redmine.pfsense.org/issues/4329, although I was not able to confirm it is exactly the same issue, so I chose to open a new one. I'm guessing it would be easier for maintainers to merge if they are duplicates, than to split if they aren't.

Files

154.diff (1.4 KB), Viktor Gurov, 02/26/2021 08:41 AM
ovpn-auth-verify-async-use-phpcgi.diff (713 Bytes), Thomas Högemann, 03/04/2021 08:11 AM

Related issues

Related to Regression #12382: Certificate Depth checking creates OpenVPN micro-outages every time a user authenticates after 2.5.2 upgrade (New)
Related to Bug #13638: ``fcgicli`` fails to write packets with ``nvpair`` values that exceed ``128`` bytes (Resolved, Reid Linnemann)