OpenVPN (SSL/TLS + User Auth.) strange login behavior
-
Thanks for the information.
Do you plan to change that in the near future?
I made some other tests. I was able to log in with a certificate of a deleted user and the credentials of an existing user. I think this could be a security issue? Thank you!
-
We don't yet have a CRL GUI (I'm working on that right now) - once we do, it will revoke certificates of deleted users and prevent them from getting in.
I opened a ticket to add the more strict auth setting as an option: http://redmine.pfsense.org/issues/887
Not sure when it will go in, but it shouldn't take too long.
-
Great! You do fantastic work!! 8)
-
Very eager to see this feature implemented!! We would definitely make heavy use of it.
-
Just checking in on this feature, I'm chomping at the bit for it… ;)
Possible ETA of implementation?
-
No ETA, just that it will happen before 2.0.
If a commercial support subscriber were to request it be done with some of their support time, or if a suitable bounty was offered, it might speed things up, but as-is it will happen when time allows. Updates will happen on the ticket when any progress is made.
-
Fair enough! Thanks again.
-
I just checked in the last bits of code to do this in the GUI. The next snapshot should include this option.
When you are in SSL/TLS+User Auth mode, a checkbox will show up to enable the strict username/cn matching.
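
The two controls discussed in this thread, certificate revocation and strict username/CN matching, sketched as an added example (not part of the original thread and not pfSense's code). The dictionary keys are the environment variable names OpenVPN passes to its verification scripts; the revoked-serial set and the sample attempts are constructed, and password checking is assumed to happen separately.

```python
# Constructed sample: decimal serials of revoked client certificates,
# e.g. the certificate that belonged to a deleted user.
REVOKED_SERIALS = {"7"}


def check_login(env, revoked_serials=REVOKED_SERIALS):
    """Certificate-side decision for one SSL/TLS + User Auth attempt.

    Returns (allowed, reason). Password verification is NOT done here;
    it is assumed to be handled by the normal authentication backend.
    """
    username = (env.get("username") or "").strip()
    common_name = (env.get("common_name") or "").strip()
    serial = (env.get("tls_serial_0") or "").strip()

    # Fail closed if either identity is missing.
    if not username or not common_name:
        return False, "missing username or certificate CN"
    # Revocation: a revoked certificate is rejected whoever presents it.
    if serial in revoked_serials:
        return False, "certificate serial %s is revoked" % serial
    # Strict matching: the certificate must belong to the account logging in.
    # Exact, case-sensitive comparison is an assumption of this example.
    if username != common_name:
        return False, "username %r does not match certificate CN %r" % (
            username, common_name)
    return True, "username matches certificate CN"


# Constructed attempts, including the case reported in the thread:
# a deleted user's certificate combined with an existing user's credentials.
ATTEMPTS = [
    {"username": "bob", "common_name": "bob", "tls_serial_0": "12"},
    {"username": "bob", "common_name": "alice", "tls_serial_0": "9"},
    {"username": "alice", "common_name": "alice", "tls_serial_0": "7"},
    {"username": "bob", "common_name": "", "tls_serial_0": "12"},
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        allowed, reason = check_login(attempt)
        print("ALLOW" if allowed else "DENY ", attempt["username"], "-", reason)
```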
-
Yep, I just updated and checked this, works like a charm. Thanks a million!
-
Great!!! ;D thank you so much…