Bug 10482 - if the certificate is too long valid roadwarrior won't work
Summary: if the certificate is too long valid roadwarrior won't work
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: openvpn
Version: 2
Hardware: unspecified
Assignee: Erik Kapfer
QA Contact:
URL:
Keywords: GoodFirstBug
Depends on:
Blocks:
 
Reported: 2014-02-27 10:05 UTC by Daniel Weismüller
Modified: 2019-10-13 10:19 UTC

See Also:


Attachments
OpenVPN - valid til days maximum patch (1.32 KB, patch)
2017-06-15 20:54 UTC, Erik Kapfer
Description Daniel Weismüller 2014-02-27 10:05:31 UTC
I've created a new openvpn roadwarrior and declared the certificate should be 9999 days valid.

No error or message was displayed, so I thought everything was fine.

But the roadwarrior wasn't able to connect (TLS handshake error).

I think there must be a maximum valid time and we have to check whether the number which was typed in is larger than the allowed maximum.
Comment 1 Erik Kapfer 2017-06-15 20:54:45 UTC
Created attachment 524 [details]
OpenVPN - valid til days maximum patch

This patch checks that the "Valid till (days):" option won't be set above 6 digits.
Comment 2 Erik Kapfer 2017-06-15 21:08:30 UTC
Hi Daniel,
I have tested this a short time ago and found your bug in here, so I wanted to give you a brief answer and show you my results.

I think your "(TLS handshake error)" comes from another problem, because:
- if you enter a higher value for the "DAYS_VALID" option than OpenSSL can handle, you will get an "OpenSSL produced an error 256" in the WUI.
- If I go over the OpenSSL maximum, which is '999999' --> http://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/ovpn/openssl/ovpn.cnf;h=ab026c10951f98afa6e35d15b3ea7620501532ef;hb=refs/heads/next#l22 (in ovpn.cnf the default_days are also the OpenSSL maximum), Apache's error_log throws the following errors:

[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] unable to load certificates, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1188:, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:219:Type=ASN1_TIME, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=notAfter, Type=X509_VAL, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=validity, Type=X509_CINF, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=cert_info, Type=X509, referer: https://192.168.75.18:444/cgi-bin/ovpnmain.cgi
[Thu Jun 15 18:54:19 2017] [error] [client 192.168.1.1] 2673669768:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:249:, 

which is a bigger problem for OpenVPN's database (index.txt), which then looks similar to this:

V       47550507073544Z         01      unknown /C=AF/O=test/CN=192.168.1.100
V       47550510081207Z         02      unknown /C=AF/O=test/CN=ohnePWD
V       47550510081249Z         03      unknown /C=AF/O=test/CN=mitPWD
V       47550512171552Z         05      unknown /C=AF/O=test/CN=testExpiryDay
V                       06      unknown /C=AF/O=test/CN=testZweiExpiryDay

so the OpenVPN database crashes with this format and from then on you need to delete this faulty entry (06) manually, otherwise it is not possible to create new clients.

This was my experience, so I made a patch (found in the attachment) which checks the user input and restricts the user entry for "DAYS_VALID" in the WUI to 6 digits.

Some info from here.

Greetings,

Erik
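As an added example, not part of this bug report or of IPFire's own code: a small Python script that validates a "Valid till (days)" value numerically against the 999999 bound quoted above (rather than by string length), and scans a constructed index.txt, modelled on the listing in the comment above, for entries whose expiry field is empty or unparseable, as entry 06 is. The bound and the tab-separated field layout are taken from the comment; the function names are my own.

```python
import re
from datetime import datetime
from typing import List, Tuple

# 999999 is the default_days in IPFire's ovpn.cnf, cited in the bug as the
# OpenSSL maximum; taken from the report as-is.
OPENSSL_MAX_DAYS = 999999


def validate_days_valid(raw: str) -> Tuple[bool, str]:
    """Digits-only check, then a numeric bound (not a string-length check)."""
    if not re.fullmatch(r"[1-9][0-9]*", raw):
        return False, "not a positive integer"
    if int(raw) > OPENSSL_MAX_DAYS:
        return False, "exceeds %d days" % OPENSSL_MAX_DAYS
    return True, "ok"


def parse_asn1_time(value: str) -> datetime:
    """notAfter is UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt)


def broken_index_entries(index_text: str) -> List[str]:
    """Serials whose expiry field is empty or unparseable (the '06' case in the bug).

    index.txt is tab-separated: status, expiry, revocation, serial, filename, DN.
    """
    broken = []
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            if line.strip():
                broken.append(line)          # malformed line, no serial to name
            continue
        _status, expiry, _revoked, serial, _fname, _dn = fields
        try:
            parse_asn1_time(expiry)
        except ValueError:
            broken.append(serial)
    return broken


# Constructed sample modelled on the index.txt in comment 2 (tabs between fields).
SAMPLE_INDEX = (
    "V\t47550507073544Z\t\t01\tunknown\t/C=AF/O=test/CN=192.168.1.100\n"
    "V\t47550510081207Z\t\t02\tunknown\t/C=AF/O=test/CN=ohnePWD\n"
    "V\t\t\t06\tunknown\t/C=AF/O=test/CN=testZweiExpiryDay\n"
)
```

Running `broken_index_entries` over a real index.txt names the entries that have to be removed by hand before new clients can be created again.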
Comment 3 Erik Kapfer 2017-06-19 12:01:42 UTC
Comment on attachment 524 [details]
OpenVPN - valid til days maximum patch

>--- /srv/web/ipfire/cgi-bin/ovpnmain.cgi_core111	2017-06-15 19:30:38.673939484 +0200
>+++ /srv/web/ipfire/cgi-bin/ovpnmain.cgi	2017-06-15 20:31:42.417424615 +0200
>@@ -4015,6 +4015,13 @@
> 	              rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>       		goto VPNCONF_ERROR;
> 	}
>+	# Check that OpenSSL maximum of valid days won´t be exceeded
>+	if ($cgiparams{'TYPE'} eq 'net') {
>+	    if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+		$errormessage = $Lang::tr{'invalid input for valid till days'};
>+		unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
>+		rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>+		goto VPNCONF_ERROR;
>+	    }
>+	}
> 
> 	if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
> 	    $errormessage = $Lang::tr{'invalid input'};
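Review bot: `length($cgiparams{'DAYS_VALID'}) > 6` bounds the number of characters, not the value, so a six-character string that is not a number (`-12345`, `1e5`, a value with a leading space) passes this check, and nothing in this hunk shows a digits-only test for the net-to-net path before it. Validate the field as `/^\d+$/` first and then compare the number against the limit named in comment 2 (`$cgiparams{'DAYS_VALID'} > 999999`), so the code enforces what the comment "OpenSSL maximum of valid days" describes; a named constant for the limit would also replace the magic 6. The `unlink`/`rmdir`/`goto VPNCONF_ERROR` cleanup repeats the branch directly above, which a shared error label would avoid.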
>@@ -4197,7 +4204,11 @@
> 		$errormessage = $Lang::tr{'invalid input for valid till days'};
> 		goto VPNCONF_ERROR;
> 	    }
>-
>+		# Check that OpenSSL maximum of valid days won´t be exceeded
>+		if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+			$errormessage = $Lang::tr{'invalid input for valid till days'};
>+			goto VPNCONF_ERROR;
>+		}
> 	    # Replace empty strings with a .
> 	    (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
> 	    (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
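Review bot: the three context lines at the top of this hunk show an existing DAYS_VALID validation that already ends in `$errormessage = $Lang::tr{'invalid input for valid till days'}; goto VPNCONF_ERROR;`, so the new block adds a second check with the same error path; extending that existing condition (for example with `|| $cgiparams{'DAYS_VALID'} > 999999`) would keep one check and one message. The added lines are also indented with two tabs while the surrounding code at this level (`\t    }`, `\t    # Replace empty strings with a .`) uses a tab plus four spaces, and the `-` line removes the blank line that separated the validation from the DN handling without putting one back after the new block.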
Comment 4 Erik Kapfer 2017-06-19 12:04:15 UTC
Comment on attachment 524 [details]
OpenVPN - valid til days maximum patch

>--- /srv/web/ipfire/cgi-bin/ovpnmain.cgi_core111	2017-06-15 19:30:38.673939484 +0200
>+++ /srv/web/ipfire/cgi-bin/ovpnmain.cgi	2017-06-15 20:31:42.417424615 +0200
>@@ -4015,6 +4015,13 @@
> 	              rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>       		goto VPNCONF_ERROR;
> 	}
>+	# Check that OpenSSL maximum of valid days won´t be exceeded
+	if ($cgiparams{'TYPE'} eq 'net') {
>+	    if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+		$errormessage = $Lang::tr{'invalid input for valid till days'};
>+		unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
>+		rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
>+		goto VPNCONF_ERROR;
>+	    }
>+	}
> 
> 	if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
> 	    $errormessage = $Lang::tr{'invalid input'};
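Review bot: the line `+\tif ($cgiparams{'TYPE'} eq 'net') {` is missing the `>` quote prefix that every other line of this attachment carries, so this copy of the hunk will not apply as pasted; apart from that it is identical to the first hunk in comment 3, and the same concern holds: `length(...) > 6` only bounds the character count, so a digits-only check has to precede it before the value is treated as a day count.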
>@@ -4197,7 +4204,11 @@
> 		$errormessage = $Lang::tr{'invalid input for valid till days'};
> 		goto VPNCONF_ERROR;
> 	    }
>-
>+		# Check that OpenSSL maximum of valid days won´t be exceeded
>+		if (length($cgiparams{'DAYS_VALID'}) > 6) {
>+			$errormessage = $Lang::tr{'invalid input for valid till days'};
>+			goto VPNCONF_ERROR;
>+		}
> 	    # Replace empty strings with a .
> 	    (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
> 	    (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
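Review bot: this hunk repeats the second hunk of comment 3 unchanged, including a second DAYS_VALID block placed directly after an existing one that ends in the same `$errormessage`/`goto VPNCONF_ERROR` pair and the `-`/`+` exchange that drops the blank line before `# Replace empty strings with a .` without restoring it; since comment 5 marks comment 3 as the current state, this copy can be withdrawn rather than reviewed on its own.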
Comment 5 Erik Kapfer 2017-06-19 12:08:41 UTC
Sorry Daniel,
I kind of crashed comment 4.
The patch needed a fix which differentiates whether an RW or an N2N connection reached the mentioned limit.
Comment 3 is the current state.

Greetings,

Erik
Comment 6 Erik Kapfer 2018-06-18 15:25:27 UTC
This bug should be solved with this patch --> https://patchwork.ipfire.org/patch/1804/

Greetings,

Erik
Comment 7 Peter Müller 2019-10-13 10:19:20 UTC
I assume this is fixed by now. If it is not, please reopen.