Bug 13404

Summary: Creating an OpenVPN connection with a duplicate CN fails, but certificate is still created
Product: IPFire Reporter: Dominik Wnek <dominalien>
Component: ---Assignee: Adolf Belka <adolf.belka>
Status: CLOSED FIXED QA Contact:
Severity: Minor Usability    
Priority: - Unknown - CC: adolf.belka, michael.tremer
Version: 2   
Hardware: unspecified   
OS: Unspecified   

Description Dominik Wnek 2023-10-21 20:05:24 UTC
When creating a new OpenVPN connection with a client certificate, putting in a CN that already exists will fail to create the connection, but will create a certificate file and update index.txt in /var/ipfire/ovpn/certs.

Steps to reproduce:
1. Create a connection named abc. In the certificate part, put in abc for CN and abc for O. The file abc.p12 will be put in /var/ipfire/ovpn/certs, index.txt will be updated with the line

V bignumber smallnumber unknown /C=xx/O=abc/CN=abc

2. Create a connection called def. Put in abc for CN and def in O (different connection name, same CN, different O). The creation of the connection fails with the error “A connection with this common name already exists.”

/var/ipfire/ovpn/certs now also contains the file def.p12. index.txt contains the lines

V bignumber smallnumber unknown /C=xx/O=abc/CN=abc
V bignumber smallnumber unknown /C=xx/O=def/CN=abc

It seems to me if the connection is not created, the certificate file should not be created either and index.txt should not be updated with the new line.

As an aside (a different cosmetic bug perhaps?), the error message “A connection with this common name already exists.” is not very useful. CN is labeled "User's full name or system hostname:" in IPFire, the words "common name" don't appear anywhere. I thought "common name" was the connection name at first.
Comment 1 Adolf Belka 2023-10-23 12:30:45 UTC
Component for IPFire-2.x should always be ---

Specific component names are selected only for IPFire-3.x

https://wiki.ipfire.org/devel/bugzilla/workflow#assigned
Comment 2 Michael Tremer 2023-10-30 10:24:32 UTC
Adolf is this one for you, as you are already doing a deep dive into OpenVPN at the moment?
Comment 3 Adolf Belka 2023-10-30 17:40:34 UTC
(In reply to Michael Tremer from comment #2)
> Adolf is this one for you, as you are already doing a deep dive into OpenVPN
> at the moment?

Yes, I was planning on picking this up later in November.
Comment 4 Adolf Belka 2024-02-26 12:16:56 UTC
Sorry it has taken a bit longer than I had hoped to be able to get around to this but I am now starting to work on it.

I have followed the steps to reproduce and can confirm the issue as raised in this bug.

I will now look at the code and find what changes are needed to prevent the issue.
Comment 7 Adolf Belka 2024-04-05 13:34:11 UTC
CU185 Testing has been released.

https://www.ipfire.org/blog/ipfire-2-29-core-update-185-is-available-for-testing
Comment 8 Adolf Belka 2024-04-05 13:53:51 UTC
Evaluated the creation of an openvpn connection with a duplicate CN. The creation fails with an error message and nothing is created in the directory.

This verifies the bug fix to be working.