Bug 13404 - Creating an OpenVPN connection with a duplicate CN fails, but certificate is still created
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: - Unknown - Minor Usability
Assignee: Adolf Belka
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-21 20:05 UTC by Dominik Wnek
Modified: 2024-04-20 08:10 UTC

See Also:


Attachments

Description Dominik Wnek 2023-10-21 20:05:24 UTC
When creating a new OpenVPN connection with a client certificate, putting in a CN that already exists will fail to create the connection, but will create a certificate file and update index.txt in /var/ipfire/ovpn/certs.

Steps to reproduce:
1. Create a connection named abc. In the certificate part, put in abc for CN and abc for O. The file abc.p12 will be put in /var/ipfire/ovpn/certs, index.txt will be updated with the line

V bignumber smallnumber unknown /C=xx/O=abc/CN=abc

2. Create a connection called def. Put in abc for CN and def in O (different connection name, same CN, different O). The creation of the connection fails with the error “A connection with this common name already exists.”

/var/ipfire/ovpn/certs now also contains the file def.p12. index.txt contains the lines

V bignumber smallnumber unknown /C=xx/O=abc/CN=abc
V bignumber smallnumber unknown /C=xx/O=def/CN=abc

It seems to me if the connection is not created, the certificate file should not be created either and index.txt should not be updated with the new line.

As an aside (a different cosmetic bug perhaps?), the error message “A connection with this common name already exists.” is not very useful. CN is labeled "User's full name or system hostname:" in IPFire, the words "common name" don't appear anywhere. I thought "common name" was the connection name at first.
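The ordering problem in the report (the certificate is written and index.txt is updated before the duplicate-CN check fires) is easiest to see with a preflight check that reads the CA database first and refuses before anything is signed. The following is an added example, not IPFire's own code (ovpnmain.cgi is Perl and is not reproduced here). The sample index.txt is constructed, using the tab-separated field layout of an OpenSSL ca(1) database (status, expiry, revocation date, serial, filename, subject DN); the whitespace in the reporter's pasted lines is collapsed, so "bignumber" and "smallnumber" stand in for the expiry and serial fields. The `issuer` callable is a hypothetical stand-in for the openssl invocation that actually signs and appends to index.txt.

```python
import re
from dataclasses import dataclass

# Constructed sample of an OpenSSL CA database (index.txt). Fields are
# tab-separated: status, expiry, revocation date (empty unless revoked),
# serial, filename, subject DN. The first row mirrors the reporter's
# /C=xx/O=abc/CN=abc entry; the second is a revoked entry for contrast.
SAMPLE_INDEX = (
    "V\t330101000000Z\t\t01\tunknown\t/C=xx/O=abc/CN=abc\n"
    "R\t330101000000Z\t240101000000Z,superseded\t02\tunknown\t/C=xx/O=old/CN=gone\n"
)


@dataclass
class IndexEntry:
    status: str       # "V" valid, "R" revoked, "E" expired
    expiry: str
    revocation: str
    serial: str
    filename: str
    subject: dict     # attribute -> value, e.g. {"C": "xx", "O": "abc", "CN": "abc"}


def parse_subject(dn: str) -> dict:
    """Parse an OpenSSL-style '/C=xx/O=abc/CN=abc' subject string.

    Components are separated by '/', and a literal slash inside a value is
    escaped as '\\/', so split only on unescaped slashes.
    """
    subject = {}
    for part in re.split(r"(?<!\\)/", dn):
        if not part:
            continue
        key, _, value = part.partition("=")
        subject[key] = value.replace("\\/", "/")
    return subject


def parse_index(text: str) -> list:
    """Parse index.txt into IndexEntry records; reject malformed rows outright."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revocation, serial, filename, dn = fields
        entries.append(IndexEntry(status, expiry, revocation, serial, filename,
                                  parse_subject(dn)))
    return entries


def find_cn(entries, cn, statuses=("V",)):
    """Return entries whose CN matches, restricted to the given statuses.

    OpenSSL's own unique_subject check compares the full subject of valid
    entries, so /O=abc/CN=abc and /O=def/CN=abc do not collide there;
    a CN-only check is what rejects the report's second connection.
    """
    return [e for e in entries if e.status in statuses and e.subject.get("CN") == cn]


def issue_client_cert(index_text, cn, org, issuer):
    """Preflight the CN against index.txt, then sign; never the other way round.

    `issuer(cn, org)` is a hypothetical callable that performs the actual
    signing and index update. It is only called once the check has passed,
    so a duplicate CN leaves no .p12 file and no new index.txt row behind.
    """
    entries = parse_index(index_text)
    clash = find_cn(entries, cn)
    if clash:
        hit = clash[0]
        return None, (f"A certificate with CN={cn!r} already exists "
                      f"(serial {hit.serial}, O={hit.subject.get('O')!r}); "
                      f"nothing was issued.")
    return issuer(cn, org), None


if __name__ == "__main__":
    # Reproduce the report: first connection abc/abc succeeds, def/abc is refused.
    log = []
    print(issue_client_cert(SAMPLE_INDEX, "def", "def", lambda c, o: log.append((c, o)) or "def.p12"))
    print(issue_client_cert(SAMPLE_INDEX, "abc", "def", lambda c, o: log.append((c, o)) or "def.p12"))
    print("issuer calls:", log)
```

The check deliberately inspects only status "V" rows by default; pass `statuses=("V", "R")` to `find_cn` if a CA policy also forbids reusing the CN of a revoked certificate.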
Comment 1 Adolf Belka 2023-10-23 12:30:45 UTC
Component for IPFire-2.x should always be ---

Specific component names are selected only for IPFire-3.x

https://wiki.ipfire.org/devel/bugzilla/workflow#assigned
Comment 2 Michael Tremer 2023-10-30 10:24:32 UTC
Adolf is this one for you, as you are already doing a deep dive into OpenVPN at the moment?
Comment 3 Adolf Belka 2023-10-30 17:40:34 UTC
(In reply to Michael Tremer from comment #2)
> Adolf is this one for you, as you are already doing a deep dive into OpenVPN
> at the moment?

Yes, I was planning on picking this up later in November.
Comment 4 Adolf Belka 2024-02-26 12:16:56 UTC
Sorry it has taken a bit longer than I had hoped to be able to get around to this but I am now starting to work on it.

I have followed the steps to reproduce and can confirm the issue as raised in this bug.

I will now look at the code and find what changes are needed to prevent the issue.
Comment 7 Adolf Belka 2024-04-05 13:34:11 UTC
CU185 Testing has been released.

https://www.ipfire.org/blog/ipfire-2-29-core-update-185-is-available-for-testing
Comment 8 Adolf Belka 2024-04-05 13:53:51 UTC
Evaluated the creation of an OpenVPN connection with a duplicate CN. The creation fails with an error message and nothing is created in the directory.

This verifies the bug fix to be working.