Feature #9005
Status: closed
Allow to define allowed x509 client certs by having CN in openvpn server (tls-verify)
Description
We have an enterprise internal CA and have imported the CA into pfSense. Having a single CA allows all certs from this CA that are not revoked to be used as a login mechanism on the OpenVPN server.
Revoking a cert to block it from being used in OpenVPN is no solution, as this renders the cert itself unusable for other things once the CRL is published (802.1x, https auth, ...).
Please create an extra field in the OpenVPN server config to allow specifying allowed cert common names (CN).
This can be done manually with OpenVPN, but I do not want to fiddle with files on the console, in the following form:
openvpn server.conf:
tls-verify "./verify-cn allowed-certs.txt"
verify-cn is a script shipped with OpenVPN.
allowed-certs.txt contains just the common names from the x509 CA.
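The allowlist approach described above, written out as a small tls-verify hook in POSIX sh. This is an added example, not the verify-cn script shipped with OpenVPN and not pfSense code; the script path, the allowlist file name and the sample CNs are assumptions. OpenVPN calls the script with the configured argument plus the chain depth and the X.509 subject, and accepts the certificate only if the script exits 0.

```shell
#!/bin/sh
# Hypothetical tls-verify hook: allow an OpenVPN client only if the CN of its
# leaf certificate appears, one name per line, in an allowlist file.
# Added example; not the verify-cn script shipped with OpenVPN, not pfSense code.
# server.conf (constructed example):
#   script-security 2
#   tls-verify "/etc/openvpn/verify-cn-allowlist.sh /etc/openvpn/allowed-cns.txt"
# OpenVPN then runs: verify-cn-allowlist.sh <allowlist> <depth> <x509 subject>
# and accepts the certificate only if the script exits 0.

# Pull the CN out of either subject format OpenVPN has used:
#   "/C=DE/O=Example/CN=alice"  or  "C=DE, O=Example, CN=alice"
extract_cn() {
    printf '%s\n' "$1" | tr '/' '\n' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*CN=\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        | head -n 1
}

# check_cn <allowlist> <depth> <subject>: 0 = accept, 1 = reject
check_cn() {
    allowlist=$1
    depth=$2
    subject=$3
    # Only the client (leaf) certificate at depth 0 is subject to the allowlist;
    # the CA certificates above it are validated by OpenVPN's own chain check.
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        # No CN at all: reject rather than fall through to an empty match.
        return 1
    fi
    # Whole-line, fixed-string, byte-for-byte comparison: "alice" must not be
    # accepted because "alice-old" or "ali" is listed. Note that OpenVPN by
    # default replaces characters outside its X.509 name character class with
    # '_' before passing the subject, so non-ASCII CNs (umlauts) must be listed
    # in the remapped form the script actually receives (log $subject once).
    grep -qxF -e "$cn" "$allowlist"
}

# Entry point when invoked by OpenVPN (skipped when sourced for testing).
if [ "$#" -eq 3 ]; then
    check_cn "$1" "$2" "$3"
    exit $?
fi
```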
Updated by Jim Pingle over 6 years ago
- Status changed from New to Rejected
You can already do this with overrides.
VPN > OpenVPN, Client Specific Overrides tab. Add a new entry with the Common Name to block, set the server(s) it applies to in the Server List, and check Connection Blocking. Repeat for each CN.
Making a separate control in the OpenVPN server settings would be fiddly/awkward and prone to errors and misuse.
Updated by Stefan Bauer over 6 years ago
Your override idea is generally good, but blacklisting makes no sense in this case. Only whitelisting is secure. With blacklisting, we have to blacklist everything that is not allowed and always keep this list updated, which is prone to error or to clients slipping through. The other way around, we just grant permissions, which is best practice when talking about security.
Updated by Jim Pingle over 6 years ago
You can still do that by making an override named DEFAULT with blocking checked, and then define overrides for the clients you want.
Follow up on the forum if you still have questions.
Updated by Stefan Bauer over 6 years ago
Sir, you're awesome! This is exactly what I was looking for! ;) You deserve a cookie!
Thank you very much!
Updated by Stefan Bauer over 6 years ago
Too bad. pfSense has problems with common names containing umlauts (ö ä ü) this way. Is this a known problem, and are workarounds available?
Oct 4 17:42:39 php-fpm 1184 /vpn_openvpn_csc.php: XML error: Undeclared entity error at line 1178 in /conf/config.xml
Oct 4 17:42:39 php-fpm 1184 /vpn_openvpn_csc.php: pfSense is restoring the configuration /cf/conf/backup/config-1538667748.xml
Oct 4 17:42:39 php-fpm 1184 /vpn_openvpn_csc.php: New alert found: pfSense is restoring the configuration /cf/conf/backup/config-1538667748.xml
Updated by Jim Pingle over 6 years ago
Not a known issue I'm aware of, but probably not difficult to solve in a future release. Open a new issue with the specifics, including the full text of any error messages you encounter. Probably that field is not CDATA encoded, so it causes the XML change to be rejected.