Bug #7472 (closed)

External Authentication servers with names longer than 48 characters fail to authenticate with OpenVPN server configured for TLS + User Auth

Added by Anonymous about 7 years ago. Updated almost 7 years ago.

Status: Not a Bug
Priority: Normal
Category: OpenVPN
Target version: -
Start date: 04/14/2017
% Done: 0%
Affected Version: 2.3.3_1

Description

1. Configure an external LDAP Authentication Server
2. Give it a name that exceeds 48 characters like 1234567890123456789012345678901234567890123456789
3. Configure OpenVPN Server with TLS+User Auth
4. Export a client config and try to connect

The client will fail to connect with this error in the pfSense OpenVPN log:

Apr 14 12:12:31 openvpn 97925   redacted_ip:port SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 14 12:12:31 openvpn 97925   redacted_ip:port Connection reset, restarting [0]
Apr 14 12:12:31 openvpn 97925   redacted_ip:port SENT CONTROL [redacted.hostname]: 'AUTH_FAILED' (status=1)
Apr 14 12:12:31 openvpn 97925   redacted_ip:port Delayed exit in 5 seconds
Apr 14 12:12:31 openvpn 97925   redacted_ip:port PUSH: Received control message: 'PUSH_REQUEST'
Apr 14 12:12:28 openvpn 97925   redacted_ip:port [redacted.hostname] Peer Connection Initiated with [AF_INET]redacted_ip:port
Apr 14 12:12:28 openvpn 97925   redacted_ip:port Control Channel: TLSv1.1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 12:12:28 openvpn 97925   redacted_ip:port TLS Auth Error: Auth Username/Password verification failed for peer
Apr 14 12:12:28 openvpn 97925   redacted_ip:port WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

1. Configure an external LDAP Authentication Server
2. Give it a name with 48 characters (or less) like 123456789012345678901234567890123456789012345678
3. Configure OpenVPN Server with TLS+User Auth
4. Export a client config and try to connect

The client will connect.
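As an added example (not part of this report and not pfSense or OpenVPN code), the Python script below turns the quoted OpenVPN server log into a per-peer timeline of authentication events, which is what an operator would do to tell apart a completed TLS handshake from the later user/password rejection, and to count repeated AUTH_FAILED events per peer for alerting. The sample log is the one pasted above, embedded as a constructed string; the script assumes, as the pfSense log viewer does, that the lines are shown newest first and reverses them before reading.

```python
import re

# Constructed sample input: the pfSense OpenVPN server log lines quoted in the
# bug report above, in the newest-first order the pfSense log viewer shows them.
SAMPLE_LOG = """\
Apr 14 12:12:31 openvpn 97925   redacted_ip:port SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 14 12:12:31 openvpn 97925   redacted_ip:port Connection reset, restarting [0]
Apr 14 12:12:31 openvpn 97925   redacted_ip:port SENT CONTROL [redacted.hostname]: 'AUTH_FAILED' (status=1)
Apr 14 12:12:31 openvpn 97925   redacted_ip:port Delayed exit in 5 seconds
Apr 14 12:12:31 openvpn 97925   redacted_ip:port PUSH: Received control message: 'PUSH_REQUEST'
Apr 14 12:12:28 openvpn 97925   redacted_ip:port [redacted.hostname] Peer Connection Initiated with [AF_INET]redacted_ip:port
Apr 14 12:12:28 openvpn 97925   redacted_ip:port Control Channel: TLSv1.1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 12:12:28 openvpn 97925   redacted_ip:port TLS Auth Error: Auth Username/Password verification failed for peer
Apr 14 12:12:28 openvpn 97925   redacted_ip:port WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
"""

# Syslog-style prefix the OpenVPN daemon writes on pfSense: timestamp, process
# name, PID, the peer's address:port, then the message itself.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?P<pid>\d+)\s+"
    r"(?P<peer>\S+) (?P<msg>.*)$"
)

# Auth-relevant messages as OpenVPN 2.x prints them. The WARNING about
# --auth-user-pass-verify appears whenever the verify program returns non-zero,
# so exit status 1 alone does not tell a rejected password from a backend
# (here the LDAP server) that the verify program could not query at all.
EVENT_PATTERNS = [
    ("peer_connected", re.compile(r"Peer Connection Initiated")),
    ("user_pass_rejected", re.compile(r"Auth Username/Password verification failed")),
    ("verify_program_failed", re.compile(
        r"Failed running command \(--auth-user-pass-verify\).*error status: (\d+)")),
    ("auth_failed_sent", re.compile(r"'AUTH_FAILED'")),
]


def parse_line(line):
    """Split one log line into its fields; None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return (event_name, verify-program exit status or None), or None if not auth-relevant."""
    for name, pattern in EVENT_PATTERNS:
        m = pattern.search(msg)
        if m:
            status = int(m.group(1)) if m.groups() else None
            return name, status
    return None


def auth_timeline(log_text, newest_first=True):
    """Per peer: chronological auth-relevant events, AUTH_FAILED count, verify exit statuses."""
    lines = log_text.splitlines()
    if newest_first:
        lines = list(reversed(lines))  # restore the order the daemon wrote them in
    peers = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unrelated or malformed line; ignored rather than guessed at
        hit = classify(rec["msg"])
        if hit is None:
            continue
        name, status = hit
        entry = peers.setdefault(
            rec["peer"], {"events": [], "auth_failures": 0, "exit_statuses": []})
        entry["events"].append((rec["ts"], name))
        if name == "auth_failed_sent":
            entry["auth_failures"] += 1
        if status is not None:
            entry["exit_statuses"].append(status)
    return peers


def repeat_offenders(peers, threshold):
    """Peers that were sent AUTH_FAILED at least `threshold` times (alerting hook)."""
    return sorted(p for p, e in peers.items() if e["auth_failures"] >= threshold)


if __name__ == "__main__":
    for peer, entry in auth_timeline(SAMPLE_LOG).items():
        print(peer, [name for _, name in entry["events"]], entry["exit_statuses"])
```

On the pasted log the timeline for the single peer reads: verify program failed, username/password rejected, TLS peer connection initiated, AUTH_FAILED sent. That is the expected shape for TLS + User Auth: the certificate handshake completes and the user/password result is only delivered when the client sends its PUSH_REQUEST, so a successful "Peer Connection Initiated" line is not evidence that the user authentication succeeded.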

#1 - Updated by Jim Pingle about 7 years ago

  • Category set to OpenVPN
  • Status changed from New to Feedback

I can't reproduce this on 2.3.3-p1 or 2.4 snapshots. I can use an LDAP name 50+ characters long and it still works in TLS+User Auth mode.

The exact auth server name is base64-encoded on the command line since #7002 was fixed for 2.3.3, so the contents of the name shouldn't matter. I will need to see the exact config.xml entry for a failing auth server along with the contents of the OpenVPN server configuration file from /etc/inc/openvpn/ to look deeper. It would also help to see an auth server config.xml entry for the similar entry that works to compare with one that failed.

#2 - Updated by Jim Pingle almost 7 years ago

  • Status changed from Feedback to Not a Bug

This turned out to be a symptom of a different problem specific to that specific device, not a bug.
