Feature #7767

OCSP support for OpenVPN server

Added by Michael Voetter over 2 years ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 08/11/2017
Due date:
% Done: 100%
Estimated time:

Description

It would be great to have a possibility to enable OCSP checking for the OpenVPN server included in pfSense. It seems to be possible to perform OCSP checks without modifying the OpenVPN implementation (http://permalink.gmane.org/gmane.network.openvpn.devel/2492) by just adding a script that performs the checks. Therefore, it seems to be possible to implement this feature in a relatively short amount of time, which in turn would add value to the OpenVPN server feature of pfSense.

Attachment: Capture.PNG (99 KB), Ronald Schellberg, 01/10/2020 11:34 AM

Associated revisions

Revision 3db11061 (diff)
Added by Jim Pingle about 1 month ago

Fix openvpn.tls-verify.php whitespace. Issue #7767

Revision ffc44c36 (diff)
Added by Jim Pingle about 1 month ago

openvpn.tls-verify.php syntax fixes. Issue #7767

Revision 175f3ac6 (diff)
Added by Jim Pingle about 1 month ago

Use correct syntax for /bin/sh for loop in ovpn_auth_verify Fixes #7767

It's not bash.

History

#1 Updated by Jim Pingle almost 2 years ago

  • Category set to OpenVPN
  • Assignee set to Jim Pingle

#2 Updated by Jim Pingle almost 2 years ago

  • Target version set to 2.4.4

#3 Updated by Steve Beaver over 1 year ago

  • Status changed from New to This Sprint

#4 Updated by Steve Beaver over 1 year ago

  • Status changed from This Sprint to New

#5 Updated by Jim Pingle over 1 year ago

  • Target version changed from 2.4.4 to 48

#6 Updated by Jim Pingle 11 months ago

  • Target version changed from 48 to 2.5.0

#7 Updated by Jim Pingle 6 months ago

The link above seems to be dead, but there is an example script in https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh

The example check could be adapted and added to source:src/usr/local/sbin/ovpn_auth_verify and source:src/etc/inc/openvpn.tls-verify.php
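The following is an added example written for this page; it is not pfSense's ovpn_auth_verify or openvpn.tls-verify.php, nor the OpenVPN contrib OCSP_check.sh. It shows the shape a --tls-verify handler takes when written for POSIX /bin/sh, the interpreter the later fix commit targets: the certificate depth check runs independently of the OCSP lookup (so an unchecked OCSP option cannot take the depth check down with it), the chain is walked with a while loop rather than a bash-only arithmetic for loop (FreeBSD's /bin/sh rejects that with a syntax error and exit status 2, the status reported later in this thread), and the OCSP query follows the contrib script's openssl ocsp -serial approach. OpenVPN invokes such a script as `script <depth> <subject>` once per certificate and exports tls_serial_<depth> in decimal; any non-zero exit fails the handshake. The MAX_DEPTH, OCSP_ENABLED, OCSP_URL and CA_FILE variables, their defaults and the placeholder CA path are assumptions of this example.

```shell
#!/bin/sh
# Added example of a --tls-verify handler for POSIX /bin/sh.
# Not pfSense's ovpn_auth_verify; variable names and defaults are assumptions.
# OpenVPN calls:  script <depth> <x509-subject>   and exports tls_serial_<depth>.
# Any non-zero exit status aborts the TLS handshake ("certificate verify failed").

MAX_DEPTH="${MAX_DEPTH:-1}"        # assumption: 1 mirrors "One (Client+Server)"
OCSP_ENABLED="${OCSP_ENABLED:-0}"  # assumption: 0 mirrors an unchecked OCSP Verify box
OCSP_URL="${OCSP_URL:-}"           # OCSP responder URL (e.g. taken from the cert's AIA)
CA_FILE="${CA_FILE:-/PLACEHOLDER/ca.crt}"  # placeholder path to the issuing CA cert

# Print "<depth>:<serial>" for depths 0..$1 using a POSIX while loop.
# A bash-style "for ((i=0; i<=n; i++))" is a syntax error under /bin/sh and
# ends the script with status 2 before any check has run.
chain_serials() {
    depth="$1"
    i=0
    while [ "$i" -le "$depth" ]; do
        eval "serial=\${tls_serial_$i:-}"
        printf '%s:%s\n' "$i" "$serial"
        i=$((i + 1))
    done
}

# Query the responder for one decimal serial. Returns 0 only on a verified
# "good" answer; revoked/unknown, a bad response signature, an unreachable
# responder, a missing URL or a missing serial all reject (fail closed).
ocsp_status() {
    serial="$1"
    if [ -z "$OCSP_URL" ] || [ -z "$serial" ]; then
        printf '%s\n' "ocsp: responder URL or serial missing, rejecting" >&2
        return 1
    fi
    # -serial takes a decimal value unless prefixed with 0x; OpenVPN exports decimal.
    out=$(openssl ocsp -issuer "$CA_FILE" -CAfile "$CA_FILE" \
                       -url "$OCSP_URL" -serial "$serial" 2>&1) || {
        printf '%s\n' "ocsp: query failed: $out" >&2
        return 1
    }
    case "$out" in
        *"Response verify OK"*) ;;                       # responder signature checked out
        *) printf '%s\n' "ocsp: response not verified" >&2; return 1 ;;
    esac
    case "$out" in
        *": good"*) return 0 ;;
        *) printf '%s\n' "ocsp: status not good: $out" >&2; return 1 ;;
    esac
}

# Entry point: 0 accepts the certificate at this depth, 1 rejects it.
tls_verify() {
    depth="$1"
    subject="$2"

    # Depth check first and on its own; it must not depend on OCSP settings.
    if [ "$depth" -gt "$MAX_DEPTH" ]; then
        printf '%s\n' "tls-verify: depth $depth exceeds $MAX_DEPTH for $subject" >&2
        return 1
    fi

    # OCSP applies to the leaf certificate (depth 0) and only when enabled.
    if [ "$OCSP_ENABLED" = "1" ] && [ "$depth" -eq 0 ]; then
        ocsp_status "${tls_serial_0:-}" || return 1
    fi
    return 0
}

# When OpenVPN runs this file directly it passes two arguments; make the
# check's result the script's exit status. With no arguments nothing runs,
# which lets the functions be sourced and exercised separately.
if [ "$#" -ge 2 ]; then
    tls_verify "$1" "$2"
    exit $?
fi
```

OpenVPN calls the script for the deepest certificate first, so the depth check rejects an over-long chain before the leaf is ever examined. After editing any script that runs under --tls-verify, `sh -n script` catches a syntax error on the bench instead of in the OpenVPN log, where it surfaces only as "external program exited with error status: 2".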

#9 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

#10 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#11 Updated by Ronald Schellberg about 1 month ago

I think this PR caused my OpenVPN TLS handshake to start failing. The openvpn.tls-verify.php call results in a "2" return code.

#12 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to New

Can you provide any additional detail about your settings and certificate structure?

#13 Updated by Steve Wilson about 1 month ago

OpenVPN TLS handshake also failing here after update. OCSP Verify box is unchecked, Certificate Depth check set to "One (Client+Server)". Changing Certificate Depth dropdown to "Do Not Check" allows handshake to complete successfully.

Reverting the patch using the System Patches package allows a successful handshake with Certificate Depth back on the original setting of "One". So it seems like the patch is stepping on the Certificate Depth check setting even when the OCSP Verify selection box is unchecked.

#14 Updated by Jim Pingle about 1 month ago

  • Status changed from New to In Progress

OK, I see this now as well after updating a VM here. I'll look into it ASAP.

#15 Updated by Jim Pingle about 1 month ago

I see the problems, push coming shortly.

#16 Updated by Jim Pingle about 1 month ago

  • Status changed from In Progress to Feedback

#17 Updated by Ronald Schellberg about 1 month ago

See attached. The Certificate depth is set to One. The CA is a self-signed pfSense CA with a number of certificates created in 2017. The OpenVPN log, with two sites attempting to connect, shows:

Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS object -> incoming plaintext read error
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS_ERROR: BIO read tls_read_plaintext error
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx WARNING: Failed running command (--tls-verify script): external program exited with error status: 2
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS object -> incoming plaintext read error
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS_ERROR: BIO read tls_read_plaintext error
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx WARNING: Failed running command (--tls-verify script): external program exited with error status: 2
Jan 10 10:55:45 openvpn 85280 Initialization Sequence Completed

#18 Updated by Ronald Schellberg about 1 month ago

Hand-applied the changeset; it didn't fix the problem. Log now shows:

Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS object -> incoming plaintext read error
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS_ERROR: BIO read tls_read_plaintext error
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Jan 10 11:32:40 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed

#19 Updated by Jim Pingle about 1 month ago

Did you apply all three commits? It works for me with all current changes. I tested it on three different lab boxes. All failed before, all work now.

#20 Updated by Ronald Schellberg about 1 month ago

Only saw one. I'll check again.

#21 Updated by Jim Pingle about 1 month ago

You will need 3db110612dbf30cbb5855490525f03e4742dfe6e, ffc44c36d9ac001bbebcc6334e014dde8a11c8f4, and 175f3ac6b671182e2cf9968f5e820188d9e1573f (in that order). Or gitsync to master from the latest snapshot.

#22 Updated by Ronald Schellberg about 1 month ago

Confirmed working now with all three patches.

#23 Updated by Jim Pingle about 1 month ago

Great, thanks!

I'm leaving this on feedback for now since the original functionality added here (OCSP support) still requires testing.

#24 Updated by Steve Wilson about 1 month ago

Also working here after all patches applied; server and client logs are clean. Thanks for the quick fix, Jim!