Bug #7472
External Authentication servers with names longer than 48 characters fail to authenticate with OpenVPN server configured for TLS + User Auth
Status: Closed
Description
Configure an external LDAP Authentication Server
Give it a name that exceeds 48 characters like 1234567890123456789012345678901234567890123456789
Configure OpenVPN Server with TLS+User Auth
Export a client config and try to connect
The client will fail to connect with this error in the pfSense OpenVPN log
Apr 14 12:12:31 openvpn 97925 redacted_ip:port SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 14 12:12:31 openvpn 97925 redacted_ip:port Connection reset, restarting [0]
Apr 14 12:12:31 openvpn 97925 redacted_ip:port SENT CONTROL [redacted.hostname]: 'AUTH_FAILED' (status=1)
Apr 14 12:12:31 openvpn 97925 redacted_ip:port Delayed exit in 5 seconds
Apr 14 12:12:31 openvpn 97925 redacted_ip:port PUSH: Received control message: 'PUSH_REQUEST'
Apr 14 12:12:28 openvpn 97925 redacted_ip:port [redacted.hostname] Peer Connection Initiated with [AF_INET]redacted_ip:port
Apr 14 12:12:28 openvpn 97925 redacted_ip:port Control Channel: TLSv1.1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 12:12:28 openvpn 97925 redacted_ip:port TLS Auth Error: Auth Username/Password verification failed for peer
Apr 14 12:12:28 openvpn 97925 redacted_ip:port WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

Configure an external LDAP Authentication Server
Give it a name with 48 characters (or less) like 123456789012345678901234567890123456789012345678
Configure OpenVPN Server with TLS+User Auth
Export a client config and try to connect
The client will connect
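The failure sequence in the log excerpt above, as an added triage example that is not part of the bug report or of pfSense: a small Python script that puts the pasted OpenVPN entries back into chronological order (the excerpt is newest-first), groups them by peer, and records whether the TLS handshake completed, whether the --auth-user-pass-verify program could not be executed at all or ran and exited non-zero, and whether the server sent AUTH_FAILED. The sample log is the report's excerpt, the year is assumed (syslog timestamps carry none), and the two "Failed running command" message forms are OpenVPN's own log strings. The point a practitioner should take from it: OpenVPN prints "external program exited with error status: 1" whenever the verify program returns non-zero, for a wrong password and for a broken or misconfigured backend alike, so the OpenVPN log alone cannot tell those apart; that has to come from the verify program's own logging.

```python
"""Triage OpenVPN server log entries for --auth-user-pass-verify failures.

Added example; not code from the bug report or from pfSense.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: the report's log excerpt, one entry per line, in the
# newest-first order in which it was pasted (IPs/hostnames as redacted there).
SAMPLE_LOG = """\
Apr 14 12:12:31 openvpn 97925 redacted_ip:port SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 14 12:12:31 openvpn 97925 redacted_ip:port Connection reset, restarting [0]
Apr 14 12:12:31 openvpn 97925 redacted_ip:port SENT CONTROL [redacted.hostname]: 'AUTH_FAILED' (status=1)
Apr 14 12:12:31 openvpn 97925 redacted_ip:port Delayed exit in 5 seconds
Apr 14 12:12:31 openvpn 97925 redacted_ip:port PUSH: Received control message: 'PUSH_REQUEST'
Apr 14 12:12:28 openvpn 97925 redacted_ip:port [redacted.hostname] Peer Connection Initiated with [AF_INET]redacted_ip:port
Apr 14 12:12:28 openvpn 97925 redacted_ip:port Control Channel: TLSv1.1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 12:12:28 openvpn 97925 redacted_ip:port TLS Auth Error: Auth Username/Password verification failed for peer
Apr 14 12:12:28 openvpn 97925 redacted_ip:port WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?P<pid>\d+) "
    r"(?P<peer>\S+) (?P<msg>.*)$"
)
# OpenVPN's two outcomes for a failed external command: it could not be
# exec'd at all, or it ran and returned a non-zero status.
NONZERO_RE = re.compile(
    r"Failed running command \(--auth-user-pass-verify\): "
    r"external program exited with error status: (\d+)"
)
NOT_EXECUTED = ("Failed running command (--auth-user-pass-verify): "
                "could not execute external program")


@dataclass
class Entry:
    ts: datetime
    pid: int
    peer: str
    msg: str


def parse_log(text: str, year: int = 2017) -> List[Entry]:
    """Parse syslog-style openvpn lines and return them oldest-first.

    Syslog timestamps carry no year, so one is assumed. A newest-first paste
    is detected and reversed before a stable sort, so entries that share a
    second keep their real relative order.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an openvpn entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append(Entry(ts, int(m["pid"]), m["peer"], m["msg"]))
    if len(entries) > 1 and entries[0].ts > entries[-1].ts:
        entries.reverse()
    entries.sort(key=lambda e: e.ts)  # list.sort is stable
    return entries


def triage_auth(entries: List[Entry]) -> Dict[str, dict]:
    """Per peer: TLS handshake done? verify program outcome? AUTH_FAILED sent?

    verify_outcome is "not_run" (no verify-program message), "not_executed"
    (OpenVPN could not exec it) or "nonzero_exit" (it ran and returned
    exit_status; OpenVPN logs this for a bad password and a broken backend alike).
    """
    report: Dict[str, dict] = {}
    for e in entries:
        r = report.setdefault(e.peer, {"tls_established": False,
                                       "verify_outcome": "not_run",
                                       "exit_status": None,
                                       "auth_failed_sent": False})
        nz = NONZERO_RE.search(e.msg)
        if "Peer Connection Initiated" in e.msg:
            r["tls_established"] = True
        elif NOT_EXECUTED in e.msg:
            r["verify_outcome"] = "not_executed"
        elif nz:
            r["verify_outcome"] = "nonzero_exit"
            r["exit_status"] = int(nz.group(1))
        elif "'AUTH_FAILED'" in e.msg:
            r["auth_failed_sent"] = True
    return report


def next_step(r: dict) -> str:
    """Where to look next, given one peer's triage record."""
    if r["verify_outcome"] == "not_executed":
        return "verify program missing or not executable: check its path and mode"
    if r["verify_outcome"] == "nonzero_exit":
        return ("verify program returned %d: read its own log to separate bad "
                "credentials from backend/config errors" % r["exit_status"])
    if r["auth_failed_sent"]:
        return "AUTH_FAILED without a verify-program message: failure came from another auth stage"
    return "no user-auth failure seen"


if __name__ == "__main__":
    for peer, rec in triage_auth(parse_log(SAMPLE_LOG)).items():
        print(peer, rec, "->", next_step(rec))
```

Run against the excerpt, the record for the single peer shows the TLS control channel fully established and the verify program returning 1, which is why the server still completes the handshake and only answers the PUSH_REQUEST with AUTH_FAILED; whether that 1 meant "wrong password" or "could not reach the LDAP server" is a question for the verify program's log, not OpenVPN's.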
Updated by Jim Pingle about 7 years ago
- Category set to OpenVPN
- Status changed from New to Feedback
I can't reproduce this on 2.3.3-p1 or 2.4 snapshots. I can use an LDAP name 50+ characters long and it still works in TLS+User Auth mode.
The exact auth server name is base64-encoded on the command line since #7002 was fixed for 2.3.3, so the contents of the name shouldn't matter. I will need to see the exact config.xml entry for a failing auth server along with the contents of the OpenVPN server configuration file from /etc/inc/openvpn/ to look deeper. It would also help to see an auth server config.xml entry for the similar entry that works to compare with one that failed.
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Not a Bug
This turned out to be a symptom of a different problem specific to that specific device, not a bug.