Netgate Discussion Forum

OpenVPN (2.4.x?) fails with pfSense 2.4.0 if CRL is specified

6 Posts 3 Posters 2.5k Views
    klou, last edited Oct 19, 2017, 6:38 AM

    I just did an upgrade from 2.3.4p1 to 2.4.0, and OpenVPN now refuses to connect.

    My OpenVPN logs show the following:

    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS handshake failed
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS object -> incoming plaintext read error
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS_ERROR: BIO read tls_read_plaintext error
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 VERIFY ERROR: depth=0, error=CRL signature failure: C=<cert info>
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS: Initial packet from [AF_INET]xxx.yyy.zzz.ip:64615, sid=291e8194 e929c34b

    A bit of googling on the OpenSSL error pointed me to OPNsense: https://github.com/opnsense/core/issues/1373

    The bottom line: Changing the Certificate Revocation List to NONE (where I had one specified on the OpenVPN Server) allowed me to connect.

    Anybody else see this?

      jimp (Rebel Alliance Developer, Netgate), last edited Oct 19, 2017, 2:27 PM

      Is that a CRL you made in the pfSense GUI or one you imported externally?

      OpenVPN 2.4 changed CRL parsing so that CRLs are verified directly by OpenSSL rather than by OpenVPN, so it's entirely possible that it's being more strict about some aspect of the CRL.

      It almost sounds like the CRL wasn't made from the same CA as the OpenVPN server though.

        klou, last edited Oct 19, 2017, 4:49 PM

        To be more specific, pfSense is the OpenVPN server, I'm using a mobile client (Tunnelblick).

        It's the local CRL, referencing the same (local) CA as the OpenVPN server. Both of these were from the pfSense GUI (after Heartbleed).

          klou, last edited Oct 20, 2017, 5:16 PM

          Could be related to this:

          NOTE: OpenVPN 2.4 handles CRL verification differently than previous versions, passing through validation to the library rather than handling it internally. This can cause some certificates to fail validation that may have passed previously. In particular, if a certificate is removed from a CRL, it may still fail validation until all copies of the CRL have been rewritten.

            kolpinkb, last edited Oct 25, 2017, 2:28 PM

            @klou:

            I just did an upgrade from 2.3.4p1 to 2.4.0, and OpenVPN now refuses to connect.

            My OpenVPN logs show the following:

            Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS handshake failed
            Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS object -> incoming plaintext read error
            Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS_ERROR: BIO read tls_read_plaintext error
            Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
            Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 VERIFY ERROR: depth=0, error=CRL signature failure: C=<cert info>
            Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS: Initial packet from [AF_INET]xxx.yyy.zzz.ip:64615, sid=291e8194 e929c34b

            A bit of googling on the OpenSSL error pointed me to OPNsense: https://github.com/opnsense/core/issues/1373

            The bottom line: Changing the Certificate Revocation List to NONE (where I had one specified on the OpenVPN Server) allowed me to connect.

            Anybody else see this?

            Seeing it here on 2.4.0 as well. Haven't tested 2.4.1 yet.

              jimp (Rebel Alliance Developer, Netgate), last edited Nov 10, 2017, 7:56 PM

              At least on 2.4.2, I can't find any problems.

              No CRL = Connects
              Empty CRL = Connects
              Cert in CRL = Doesn't connect (and it shouldn't)
              Using a different cert not in the CRL = Still connects.

              Maybe it got fixed along the way with something else, but it doesn't seem to be an issue on 2.4.2.

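As an added illustration (not commands from this thread or from pfSense), the script below builds throwaway CAs with OpenSSL and runs the four cases from jimp's test matrix above (no CRL, empty CRL, revoked cert, other cert not in the CRL), plus a fifth that reproduces the "CRL signature failure" from klou's log in the way jimp's first reply suggests: a CRL issued under the same CA name but signed with a different key, so its issuer name matches the trusted CA while its signature does not verify against that CA's key. All names (Example CA, alice, bob, the file names) are constructed for the example, and it assumes an openssl binary of 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example (not the thread's own commands): reproduce jimp's CRL test matrix with plain
# OpenSSL and show the "CRL signature failure" from klou's log, which OpenSSL raises when the
# CRL's issuer name matches the trusted CA but its signature was not made by that CA's key.
# Every CA, cert and CRL here is throwaway material constructed in a temp directory.
set -e
W=$(mktemp -d); cd "$W"
mkca() {  # $1 = absolute CA directory, $2 = CA subject DN
  mkdir -p "$1"; : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = d
[d]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
policy = p
[p]
commonName = supplied
[req]
distinguished_name = dn
[dn]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" -subj "$2" \
    -days 365 -config "$1/ca.cnf" -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
}
issue() {  # $1 = CA dir, $2 = CN: writes $2.crt signed by that CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" -config "$1/ca.cnf" 2>/dev/null
  openssl ca -batch -notext -days 365 -config "$1/ca.cnf" -in "$2.csr" -out "$2.crt" 2>/dev/null
}
chk() {  # $1 = cert, $2 = CRL (omit for none): prints OK or OpenSSL's verify reason
  if [ $# -gt 1 ]; then set -- -crl_check -CRLfile "$2" "$1"; fi
  if out=$(openssl verify -CAfile ca1/ca.crt "$@" 2>&1); then echo OK
  else printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -1; fi
}
mkca "$W/ca1" "/CN=Example CA"
mkca "$W/ca2" "/CN=Example CA"   # same DN as ca1 but a different key (e.g. a regenerated CA)
issue "$W/ca1" alice; issue "$W/ca1" bob
openssl ca -config ca1/ca.cnf -gencrl -crldays 30 -out empty.crl 2>/dev/null
openssl ca -config ca1/ca.cnf -revoke alice.crt 2>/dev/null
openssl ca -config ca1/ca.cnf -gencrl -crldays 30 -out revoked.crl 2>/dev/null
openssl ca -config ca2/ca.cnf -gencrl -crldays 30 -out wrongkey.crl 2>/dev/null  # ca2-signed CRL
echo "no CRL: $(chk alice.crt)"; echo "empty CRL: $(chk alice.crt empty.crl)"
echo "revoked cert: $(chk alice.crt revoked.crl)"; echo "other cert: $(chk bob.crt revoked.crl)"
echo "CRL from other key: $(chk bob.crt wrongkey.crl)"
```

The last line is the condition to look for when a pfSense-generated CRL is rejected after a CA was re-created or re-imported: the CA entry and the CRL must be signed by the same key, not merely carry the same name.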
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.