OpenVPN (SSL/TLS + User Auth.) strange login behavior
-
That is the current intended behavior, the cn of the certificate isn't checked for authentication.
That could be changed, though. It seems that the openvpn auth script should allow us to check if the cn of the certificate matches the username given.
-
Thanks for the information.
Do you plan to change that in the near future?
I made some other tests. I was able to log in with a certificate of a deleted user and the credentials of an existing user. I think this could be a security issue? Thank you!
-
We don't yet have a CRL GUI (I'm working on that right now) - once we do, it will revoke certificates of deleted users and prevent them from getting in.
I opened a ticket to add the more strict auth setting as an option: http://redmine.pfsense.org/issues/887
Not sure when it will go in, but it shouldn't take too long.
-
Great! You do fantastic work!! 8)
-
Very eager to see this feature implemented!! We would definitely make heavy use of it.
-
Just checking in on this feature, I'm chomping at the bit for it… ;)
Possible ETA of implementation?
-
No ETA, just that it will happen before 2.0.
If a commercial support subscriber were to request it be done with some of their support time, or if a suitable bounty was offered, it might speed things up, but as-is it will happen when time allows. Updates will happen on the ticket when any progress is made.
-
Fair enough! Thanks again.
-
I just checked in the last bits of code to do this in the GUI. The next snapshot should include this option.
When you are in SSL/TLS+User Auth mode, a checkbox will show up to enable the strict username/cn matching.
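As an added illustration of the behaviour discussed in this thread (the auth script checking that the certificate CN matches the supplied username, and the strict username/CN matching option described above), here is a minimal OpenVPN auth-user-pass-verify hook. This is example code written for this thread, not pfSense's own ovpn_auth_verify script. It relies on OpenVPN's documented `via-env` mode, in which the server exports `username` and `common_name` to the hook and treats exit status 0 as accept; the script path in the comment is assumed. The example only demonstrates the CN match; a real hook must still verify the password itself, and revoking a deleted user's certificate remains a CRL matter as noted earlier in the thread.

```shell
#!/bin/sh
# Added example (not pfSense's own ovpn_auth_verify script): an OpenVPN
# auth-user-pass-verify hook enforcing strict username/CN matching.
# OpenVPN calls the script in 'via-env' mode and exports 'username' and
# 'common_name'; the hook's exit status decides the login (0 = accept).
#
# Assumed server-side configuration lines (path is an example):
#   script-security 2
#   auth-user-pass-verify /usr/local/etc/openvpn/strict_cn_check.sh via-env

# Returns 0 when the certificate CN exactly matches the supplied username,
# 1 otherwise. Comparison is exact: no case folding, no trimming, so a
# certificate for "Alice" does not satisfy a login as "alice".
check_cn_matches_username() {
    user="$1"
    cn="$2"
    # A missing CN or username must never pass the check.
    [ -n "$user" ] && [ -n "$cn" ] || return 1
    [ "$user" = "$cn" ] || return 1
    return 0
}

# Wraps the check with a log line on stderr (which OpenVPN captures in its
# own log), so mismatches are visible to the administrator.
# Returns 0 on accept, 1 on reject.
strict_auth() {
    if check_cn_matches_username "$1" "$2"; then
        echo "openvpn strict-cn: accept user=$1 cn=$2" >&2
        return 0
    fi
    echo "openvpn strict-cn: REJECT user=$1 cn=$2 (username/CN mismatch)" >&2
    return 1
}

# Hook entry point: only runs when OpenVPN has exported the username.
# common_name may be empty if the client presented no usable certificate,
# and the check above rejects that case.
if [ -n "${username:-}" ]; then
    strict_auth "$username" "${common_name:-}"
    exit "$?"
fi
```

When this hook is in place, a valid password combined with someone else's certificate (the case the original poster observed) fails the CN check and the login is rejected, with the mismatch recorded in the OpenVPN log.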
-
Yep, I just updated and checked this, works like a charm. Thanks a million!
-
Great!!! ;D thank you so much…