Bug 13404

Summary:	Creating an OpenVPN connection with a duplicate CN fails, but certificate is still created
Product:	IPFire	Reporter:	Dominik Wnek <dominalien>
Component:	---	Assignee:	Adolf Belka <adolf.belka>
Status:	CLOSED FIXED	QA Contact:
Severity:	Minor Usability
Priority:	- Unknown -	CC:	adolf.belka, michael.tremer
Version:	2
Hardware:	unspecified
OS:	Unspecified

Description Dominik Wnek 2023-10-21 20:05:24 UTC

When creating a new OpenVPN connection with a client certificate, putting in a CN that already exists will fail to create the connection, but will create a certificate file and update index.txt in /var/ipfire/ovpn/certs.

Steps to reproduce:
1. Create a connection named abc. In the certificate part, put in abc for CN and abc for O. The file abc.p12 will be put in /var/ipfire/ovpn/certs, index.txt will be updated with the line

V bignumber smallnumber unknown /C=xx/O=abc/CN=abc

2. Create a connection called def. Put in abc for CN and def in O (different connection name, same CN, different O). The creation of the connection fails with the error “A connection with this common name already exists.”

/var/ipfire/ovpn/certs now also contains the file def.p12. index.txt contains the lines

V bignumber smallnumber unknown /C=xx/O=abc/CN=abc
V bignumber smallnumber unknown /C=xx/O=def/CN=abc

It seems to me if the connection is not created, the certificate file should not be created either and index.txt should not be updated with the new line.

As an aside (a different cosmetic bug perhaps?), the error message “A connection with this common name already exists.” is not very useful. CN is labeled "User's full name or system hostname:" in IPFire, the words "common name" don't appear anywhere. I thought "common name" was the connection name at first.

Comment 1 Adolf Belka 2023-10-23 12:30:45 UTC

Component for IPFire-2.x should always be ---

Specific component names are selected only for IPFire-3.x

https://wiki.ipfire.org/devel/bugzilla/workflow#assigned

Comment 2 Michael Tremer 2023-10-30 10:24:32 UTC

Adolf is this one for you, as you are already doing a deep dive into OpenVPN at the moment?

Comment 3 Adolf Belka 2023-10-30 17:40:34 UTC

(In reply to Michael Tremer from comment #2)
> Adolf is this one for you, as you are already doing a deep dive into OpenVPN
> at the moment?

Yes, I was planning on picking this up later in November.

Comment 4 Adolf Belka 2024-02-26 12:16:56 UTC

Sorry it has taken a bit longer than I had hoped to be able to get around to this but I am now starting to work on it.

I have followed the steps to reproduce and can confirm the issue as raised in this bug.

I will now look at the code and find what changes are needed to prevent the issue.

Comment 5 Adolf Belka 2024-02-26 15:12:08 UTC

Patch set submitted to the dev mailing list and to patchwork.

https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/BQBGD345J7LT27AAHUVKSCIGG2XDMOWQ/

https://patchwork.ipfire.org/project/ipfire/list/?series=4170

Comment 6 Adolf Belka 2024-02-28 19:40:30 UTC

Patch has been merged into next (Will be CU185)

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=f433fdcd90cb406f1095e6c3d2fa6af7cd85efb3

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=c790899f7383dae7f734a44c1570da1c9246b778

Comment 7 Adolf Belka 2024-04-05 13:34:11 UTC

CU185 Testing has been released.

https://www.ipfire.org/blog/ipfire-2-29-core-update-185-is-available-for-testing

Comment 8 Adolf Belka 2024-04-05 13:53:51 UTC

Evaluated the creation of an openvpn connection with a duplicate CN. The creation fails with an error message and nothing is created in the directory.

This verifies the bug fix to be working.

Comment 9 Adolf Belka 2024-04-20 08:10:02 UTC

https://www.ipfire.org/blog/ipfire-2-29-core-update-185-released