<h1>pfSense - Feature #7767: OCSP support for OpenVPN server</h1>
<p>Issue journal from the pfSense bugtracker: <a class="external" href="https://redmine.pfsense.org/issues/7767">https://redmine.pfsense.org/issues/7767</a> (feed timestamp 2018-03-29T12:45:18Z)</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=36136">2018-03-29T12:45:18Z</a>, Jim Pingle</h2>
<ul><li><strong>Category</strong> set to <i>OpenVPN</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=36329">2018-04-10T15:42:34Z</a>, Jim Pingle</h2>
<ul><li><strong>Target version</strong> set to <i>2.4.4</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=37302">2018-07-27T12:16:40Z</a>, Anonymous</h2>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>13</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=37304">2018-07-27T12:18:06Z</a>, Anonymous</h2>
<ul><li><strong>Status</strong> changed from <i>13</i> to <i>New</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=37650">2018-08-13T13:51:55Z</a>, Jim Pingle</h2>
<ul><li><strong>Target version</strong> changed from <i>2.4.4</i> to <i>48</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=40126">2019-03-12T10:54:58Z</a>, Jim Pingle</h2>
<ul><li><strong>Target version</strong> changed from <i>48</i> to <i>2.5.0</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=42257">2019-09-06T10:54:07Z</a>, Jim Pingle</h2>
<p>The link above seems to be dead, but there is an example script in <a class="external" href="https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh">https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh</a></p>
<p>The example check could be adapted and added to <a class="source" href="https://redmine.pfsense.org/projects/pfsense/repository/2/entry/src/usr/local/sbin/ovpn_auth_verify">source:src/usr/local/sbin/ovpn_auth_verify</a> and <a class="source" href="https://redmine.pfsense.org/projects/pfsense/repository/2/entry/src/etc/inc/openvpn.tls-verify.php">source:src/etc/inc/openvpn.tls-verify.php</a></p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=43928">2020-01-02T09:14:38Z</a>, Viktor Gurov</h2>
<p><a class="external" href="https://github.com/pfsense/pfsense/pull/4145">https://github.com/pfsense/pfsense/pull/4145</a></p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=43929">2020-01-02T09:24:30Z</a>, Jim Pingle</h2>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44082">2020-01-08T06:15:40Z</a>, Renato Botelho (renato@netgate.com)</h2>
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul>
<p>PR has been merged. Thanks!</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44132">2020-01-10T08:52:43Z</a>, Ronald Schellberg</h2>
<p>I think this PR caused my OpenVPN TLS handshake to start failing. The openvpn.tls-verify.php call results in a "2" return code.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44133">2020-01-10T09:23:58Z</a>, Jim Pingle</h2>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>New</i></li></ul>
<p>Can you provide any additional detail about your settings and certificate structure?</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44135">2020-01-10T10:58:11Z</a>, Steve Wilson</h2>
<p>OpenVPN TLS handshake also failing here after update. OCSP Verify box is unchecked, Certificate Depth check set to "One (Client+Server)". Changing Certificate Depth dropdown to "Do Not Check" allows handshake to complete successfully.</p>
<p>Reverting the patch using System Patches package allows successful handshake with Certificate Depth back on original setting of "One". So it seems like the patch is stepping on the Certificate Depth check setting even when the OCSP Verify selection box is unchecked.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44136">2020-01-10T11:10:55Z</a>, Jim Pingle</h2>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul>
<p>OK, I see this now as well after updating a VM here. I'll look into it ASAP.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44137">2020-01-10T11:27:35Z</a>, Jim Pingle</h2>
<p>I see the problems, push coming shortly.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44138">2020-01-10T11:35:18Z</a>, Jim Pingle</h2>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul>
<p>Applied in changeset <a class="changeset" title="Use correct syntax for /bin/sh for loop in ovpn_auth_verify Fixes #7767 It's not bash." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/175f3ac6b671182e2cf9968f5e820188d9e1573f">175f3ac6b671182e2cf9968f5e820188d9e1573f</a>.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44139">2020-01-10T12:00:10Z</a>, Ronald Schellberg</h2>
<ul><li><strong>File</strong> <a href="/attachments/2904">Capture.PNG</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2904/Capture.PNG">Capture.PNG</a> added</li></ul>
<p>See attached. The Certificate depth is set to One. The CA is a self signed pfsense with a number of certificates created in 2017. The OpenVPN log, with two sites attempting to connect, shows:</p>
<pre>Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS object -> incoming plaintext read error
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS_ERROR: BIO read tls_read_plaintext error
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jan 10 10:56:21 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx WARNING: Failed running command (--tls-verify script): external program exited with error status: 2
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS object -> incoming plaintext read error
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx TLS_ERROR: BIO read tls_read_plaintext error
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jan 10 10:56:17 openvpn 85280 xxx.xxx.xxx.xxx:xxxxxx WARNING: Failed running command (--tls-verify script): external program exited with error status: 2
Jan 10 10:55:45 openvpn 85280 Initialization Sequence Completed</pre>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44143">2020-01-10T12:35:29Z</a>, Ronald Schellberg</h2>
<p>Hand applied the changeset, didn't fix the problem. Log now shows:</p>
<pre>Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS object -> incoming plaintext read error
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS_ERROR: BIO read tls_read_plaintext error
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jan 10 11:32:51 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Jan 10 11:32:40 openvpn 64931 xxx.xxx.xxx.xxx:xxxxxx TLS Error: TLS handshake failed</pre>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44144">2020-01-10T12:46:19Z</a>, Jim Pingle</h2>
<p>Did you apply all three commits? It works for me with all current changes. I tested it on three different lab boxes. All failed before, all work now.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44145">2020-01-10T12:55:00Z</a>, Ronald Schellberg</h2>
<p>Only saw one. I'll check again.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44146">2020-01-10T12:59:31Z</a>, Jim Pingle</h2>
<p>You will need <a class="changeset" title="Fix openvpn.tls-verify.php whitespace. Issue #7767" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/3db110612dbf30cbb5855490525f03e4742dfe6e">3db110612dbf30cbb5855490525f03e4742dfe6e</a>, <a class="changeset" title="openvpn.tls-verify.php syntax fixes. Issue #7767" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/ffc44c36d9ac001bbebcc6334e014dde8a11c8f4">ffc44c36d9ac001bbebcc6334e014dde8a11c8f4</a>, and <a class="changeset" title="Use correct syntax for /bin/sh for loop in ovpn_auth_verify Fixes #7767 It's not bash." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/175f3ac6b671182e2cf9968f5e820188d9e1573f">175f3ac6b671182e2cf9968f5e820188d9e1573f</a> (in that order). Or gitsync to master from the latest snapshot.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44147">2020-01-10T13:03:40Z</a>, Ronald Schellberg</h2>
<p>Confirmed working now with all three patches.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44148">2020-01-10T13:11:30Z</a>, Jim Pingle</h2>
<p>Great, thanks!</p>
<p>I'm leaving this on feedback for now since the original functionality added here (OCSP support) still requires testing.</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=44149">2020-01-10T13:11:52Z</a>, Steve Wilson</h2>
<p>Also working here after all patches applied - server and client logs are clean. Thanks for the quick fix Jim!</p>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=48401">2020-10-06T10:21:56Z</a>, Anonymous</h2>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>

<h2><a href="https://redmine.pfsense.org/issues/7767?journal_id=49868">2020-12-07T12:38:21Z</a>, Orion Poplawski (orion@nwra.com)</h2>
<p>I'm poking around the code for this and have a question - is it possible to have both OCSP checking and user/password authentication at the same time? As near as I can tell, the answer is no as ovpn_auth_verify only calls openvpn.tls-verify.php or openvpn.auth-user.php. However, it seems to me that they are complementary - we want to both verify the validity of the certificate (including OCSP checks) and verify the user/password.</p>