Bug 10482

Summary: if the certificate is valid for too long, roadwarrior won't work
Product: IPFire
Reporter: Daniel Weismüller <daniel.weismueller>
Component: openvpn
Assignee: Erik Kapfer <ummeegge>
Status: CLOSED FIXED
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
CC: michael.tremer, peter.mueller, ummeegge
Version: 2
Keywords: GoodFirstBug
Hardware: unspecified
OS: Unspecified
Attachments: OpenVPN - valid til days maximum patch

Description Daniel Weismüller 2014-02-27 10:05:31 UTC
I've created a new openvpn roadwarrior and declared the certificate should be 9999 days valid.

No error or message was displayed, so I thought everything was fine.

But the roadwarrior wasn't able to connect. (TLS handshake error).

I think there must be a maximum valid time and we have to check whether the number that was typed in is larger than the allowed maximum.
Comment 1 Erik Kapfer 2017-06-15 20:54:45 UTC
Created attachment 524 [details]
OpenVPN - valid til days maximum patch

This patch checks that the "Valid till (days):" option won't be set above 6 digits.
Comment 2 Erik Kapfer 2017-06-15 21:08:30 UTC
Hi Daniel,
I have tested this a short time ago and found your bug in here, so I wanted to give you a brief answer and show you my results.

I think your "(TLS handshake error)" comes from another problem, because:
- if you enter a higher value for the "DAYS_VALID" option than OpenSSL can handle, you will get an "OpenSSL produced an error 256" in the WUI.
- If I go over the OpenSSL maximum, which is '999999' --> http://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/ovpn/openssl/ovpn.cnf;h=ab026c10951f98afa6e35d15b3ea7620501532ef;hb=refs/heads/next#l22 (in ovpn.cnf the default_days are also the OpenSSL maximum), Apache's error_log throws the following errors:

[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] unable to load certificates, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1188:, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:219:Type=ASN1_TIME, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=notAfter, Type=X509_VAL, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=validity, Type=X509_CINF, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=cert_info, Type=X509, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:249:, 

which is a bigger problem for OpenVPN's database (index.txt), which then looks similar to this:

V       47550507073544Z         01      unknown /C=AF/O=test/CN=192.168.1.100
V       47550510081207Z         02      unknown /C=AF/O=test/CN=ohnePWD
V       47550510081249Z         03      unknown /C=AF/O=test/CN=mitPWD
V       47550512171552Z         05      unknown /C=AF/O=test/CN=testExpiryDay
V                       06      unknown /C=AF/O=test/CN=testZweiExpiryDay

so the OpenVPN database crashes with this format and from now on you need to delete this faulty entry (06) manually, otherwise it is not possible to create new clients.

This was my experience, so I made a patch (found in the attachment) which checks the user input and restricts the user entry for "DAYS_VALID" in the WUI to 6 digits.

Some info from here.

Greetings,

Erik
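The two defensive checks Erik's comment points at, written out as an added example (this is not code from the bug attachment or from IPFire): a numeric range check for the "Valid till (days)" input against the 999999 maximum he cites, and a scanner over the OpenSSL `index.txt` that flags entries whose expiry field is missing or malformed, like entry 06 above, so the corrupted state can be detected before the next client creation fails. The `index.txt` sample is constructed from the excerpt in the comment; tab separators and the six-field layout (status, expiry, revocation date, serial, filename, subject) are assumed from the standard OpenSSL `ca` database format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Maximum the comment above cites for OpenSSL's days / default_days.
MAX_DAYS_VALID = 999999

def validate_days_valid(raw: str) -> Optional[str]:
    """Return None if `raw` is an acceptable 'Valid till (days)' value,
    otherwise a short reason. Compares the numeric value rather than the
    string length, so '0000001' is accepted and '1000000' is rejected."""
    value = raw.strip()
    if not re.fullmatch(r"[0-9]+", value):
        return "not a positive integer"
    days = int(value)
    if days < 1:
        return "must be at least 1 day"
    if days > MAX_DAYS_VALID:
        return f"exceeds OpenSSL maximum of {MAX_DAYS_VALID} days"
    return None

# index.txt expiry field: UTCTime YYMMDDHHMMSSZ or GeneralizedTime YYYYMMDDHHMMSSZ.
ASN1_TIME_RE = re.compile(r"^(\d{12}|\d{14})Z$")

@dataclass
class IndexEntry:
    status: str
    expiry: str
    revoked: str
    serial: str
    filename: str
    subject: str

def parse_index_line(line: str) -> IndexEntry:
    """Split one OpenSSL ca database line into its six tab-separated fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}")
    return IndexEntry(*fields)

def find_broken_entries(index_text: str) -> List[str]:
    """Return the serials of entries whose expiry field is empty or not a
    well-formed ASN.1 time; such entries break later `openssl ca` runs until
    they are removed by hand."""
    broken: List[str] = []
    for line in index_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = parse_index_line(line)
        except ValueError:
            broken.append(f"<unparseable: {line[:30]}>")
            continue
        if not ASN1_TIME_RE.match(entry.expiry):
            broken.append(entry.serial)
    return broken

# Constructed sample modelled on the index.txt excerpt in the comment above.
SAMPLE_INDEX = (
    "V\t47550507073544Z\t\t01\tunknown\t/C=AF/O=test/CN=192.168.1.100\n"
    "V\t47550510081207Z\t\t02\tunknown\t/C=AF/O=test/CN=ohnePWD\n"
    "V\t47550510081249Z\t\t03\tunknown\t/C=AF/O=test/CN=mitPWD\n"
    "V\t47550512171552Z\t\t05\tunknown\t/C=AF/O=test/CN=testExpiryDay\n"
    "V\t\t\t06\tunknown\t/C=AF/O=test/CN=testZweiExpiryDay\n"
)

if __name__ == "__main__":
    for raw in ("9999", "999999", "1000000", "0000001", "12a"):
        print(raw, "->", validate_days_valid(raw) or "ok")
    print("broken serials:", find_broken_entries(SAMPLE_INDEX))
```

Checking the numeric value rather than the digit count is what makes the input check line up with the limit: a 7-character string of leading zeros is a valid small number, and a 6-character string with whitespace or letters is not a number at all.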
Comment 3 Erik Kapfer 2017-06-19 12:01:42 UTC
Comment on attachment 524 [details]
OpenVPN - valid til days maximum patch

>--- /srv/web/ipfire/cgi-bin/ovpnmain.cgi_core111	2017-06-15 19:30:38.673939484 +0200
>+++ /srv/web/ipfire/cgi-bin/ovpnmain.cgi	2017-06-15 20:31:42.417424615 +0200
>@@ -4015,6 +4015,13 @@
> 	              rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>       		goto VPNCONF_ERROR;
> 	}
>+	# Check that OpenSSL maximum of valid days won´t be exceeded
>+	if ($cgiparams{'TYPE'} eq 'net') {
>+	    if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+		$errormessage = $Lang::tr{'invalid input for valid till days'};
>+		unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
>+		rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>+		goto VPNCONF_ERROR;
>+	    }
>+	}
> 
> 	if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
> 	    $errormessage = $Lang::tr{'invalid input'};
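Review bot: the new `length($cgiparams{'DAYS_VALID'}) > 6` test compares the string length, not the value, so an input such as `0000001` (leading zeros) is rejected although it is well below the 999999-day limit named in comment 2, while the limit itself is a numeric one; compare the number instead, e.g. `if ($cgiparams{'DAYS_VALID'} > 999999) {`. The block also repeats the `unlink`/`rmdir` cleanup of the error path just above it; adding the new condition to that existing check would avoid duplicating the cleanup code and its `die` messages.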
>@@ -4197,7 +4204,11 @@
> 		$errormessage = $Lang::tr{'invalid input for valid till days'};
> 		goto VPNCONF_ERROR;
> 	    }
>-
>+		# Check that OpenSSL maximum of valid days won´t be exceeded
>+		if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+			$errormessage = $Lang::tr{'invalid input for valid till days'};
>+			goto VPNCONF_ERROR;
>+		}
> 	    # Replace empty strings with a .
> 	    (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
> 	    (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
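Review bot: the added `if` sits directly after a block that already rejects bad `DAYS_VALID` values with the same `$Lang::tr{'invalid input for valid till days'}` message; folding a numeric test such as `|| $cgiparams{'DAYS_VALID'} > 999999` into that preceding condition would avoid the second check and the duplicated message, and would use the actual limit rather than `length(...) > 6`. The new lines are also indented with two tabs while the surrounding code uses a tab plus four spaces, and the hunk removes the blank line that separated this validation from the `# Replace empty strings with a .` section.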
Comment 4 Erik Kapfer 2017-06-19 12:04:15 UTC
Comment on attachment 524 [details]
OpenVPN - valid til days maximum patch

>--- /srv/web/ipfire/cgi-bin/ovpnmain.cgi_core111	2017-06-15 19:30:38.673939484 +0200
>+++ /srv/web/ipfire/cgi-bin/ovpnmain.cgi	2017-06-15 20:31:42.417424615 +0200
>@@ -4015,6 +4015,13 @@
> 	              rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>       		goto VPNCONF_ERROR;
> 	}
>+	# Check that OpenSSL maximum of valid days won´t be exceeded
+	if ($cgiparams{'TYPE'} eq 'net') {
>+	    if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+		$errormessage = $Lang::tr{'invalid input for valid till days'};
>+		unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
>+		rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>+		goto VPNCONF_ERROR;
>+	    }
>+	}
> 
> 	if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
> 	    $errormessage = $Lang::tr{'invalid input'};
>@@ -4197,7 +4204,11 @@
> 		$errormessage = $Lang::tr{'invalid input for valid till days'};
> 		goto VPNCONF_ERROR;
> 	    }
>-
>+		# Check that OpenSSL maximum of valid days won´t be exceeded
>+		if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+			$errormessage = $Lang::tr{'invalid input for valid till days'};
>+			goto VPNCONF_ERROR;
>+		}
> 	    # Replace empty strings with a .
> 	    (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
> 	    (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
Comment 5 Erik Kapfer 2017-06-19 12:08:41 UTC
Sorry Daniel,
I kind of crashed comment 4.
The patch needed a fix which differentiates whether a RW or an N2N connection reached the mentioned limit.
Comment 3 is the current state.

Greetings,

Erik
Comment 6 Erik Kapfer 2018-06-18 15:25:27 UTC
This bug should be solved with this patch --> https://patchwork.ipfire.org/patch/1804/ .

Greetings,

Erik
Comment 7 Peter Müller 2019-10-13 10:19:20 UTC
I assume this is fixed by now. If it is not, please reopen.