Externally Signed SSL Certificate Showing up as Server: No



  • Since 2.3.3 my OpenVPN server has not been functioning, i noticed that my externally signed SSL certificate shows up as Server: No. However when i install this in IIS on a windows box everthing is trusted.

    The certificate has the following attributes.

    Ensures the identity of a remote computer
    Proves your identity to a remote computer
    1.3.6.1.4.1.6449.1.2.2.7
    2.23.140.1.2.1

    Enhanced key usage:
    Server Authentication (1.3.6.1.5.5.7.3.1)
    Client Authentication (1.3.6.1.5.5.7.3.2)

    Key Usage:
    Digital Signature, Key Encipherment (a0)

    I do not remember having an issue with this in 2.3.2

    I even imported the externally signed Root, intermediate, and CRL.

    When selecting this for my openvpn i get "Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected"

    Getting the following on my openvpn client if i try to user it regardless. OpenVPN server certificate verification failed : PolarSSL:SSL read error:X509-Certificate verification Failed ,e.g CRL,CA or signature check failed

    https://www.sslshopper.com validates the SSL certificate..

    "The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed)."

    Thanks in advance.


  • Banned


  • Banned

    (And note that fixing that parsing issue will not fix your certificate verification. Chances are high there's no certificate bundle installed on the embedded PolarSSL/mbed TLS gear, in which case it won't ever verify.)



  • Ha, ok, i was just going to say that I added the line as show, but it did not resolve the issue.

    $crt_details = openssl_x509_parse($str_crt);
    $purpose = array();
    $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
    $purpose['server'] = ($crt_details['extensions']['nsCertType'] == "SSL Server") ? 'Yes': 'No';
    $purpose['server'] = (strpos($crt_details['extensions']['nsCertType'], 'SSL Server') !== FALSE) ? 'Yes': 'No';
    return $purpose;

    Total noob awaiting my gold membership info, what does this mean?  Thank you for you time.

    @doktornotor:

    (And note that fixing that parsing issue will not fix your certificate verification. Chances are high there's no certificate bundle installed on the embedded PolarSSL/mbed TLS gear, in which case it won't ever verify.)


  • Banned

    On the client, you need preinstalled root CA certificates so that things can be verified/trusted.



  • That's lame, that is why I bought an external cert. I don't think i can do this with Android Nougat.

    https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

    I'll try..

    Thanks again.


  • Banned

    Well look, there's nothing broken with pfSense. If you client sucks so bad that cannot verify certs, then simply stop verifying them. Debugging Android VPN clients is not exactly a topic for this forum.


  • Rebel Alliance Global Moderator

    " that is why I bought an external cert."

    You bought an externally signed cert for your vpn connection.. This doesn't make much sense from a security point of view at all.. The only time an externally signed cert needs to be used is when there are lots of users that need to trust this cert out of the box.

    When is this the case for vpn users into your network?  Or am I misunderstanding your use of this cert?



  • @doktornotor:

    Well look, there's nothing broken with pfSense. If you client sucks so bad that cannot verify certs, then simply stop verifying them. Debugging Android VPN clients is not exactly a topic for this forum.

    I didn't mean to offend, or get anyone upset. My apologies.

    VPN client aside, and not trying to sounds rude, i'm still trying to learn this, Why is pfsense not seeing my externally signed cert as a Server cert? It seems that other apps and services see this as a valid SSL Server cert.


  • Banned

    Dude, this is NOT pfSense message! This log is from your client, using PolarSSL. OpenVPN on pfSense is compiled against OpenSSL, not PolarSSL. Your client with PolarSSL is unable to verify certs. Go fix that unknown client.

    Plus, as noted above, the whole idea of using a public CA for VPNs is completely twisted.

    And I already linked you exactly to the "issue" with parsing the cert, even with a fix. It's IRRELEVANT for your issue. Cosmetic display thing.



  • @johnpoz:

    " that is why I bought an external cert."

    You bought an externally signed cert for your vpn connection.. This doesn't make much sense from a security point of view at all.. The only time an externally signed cert needs to be used is when there are lots of users that need to trust this cert out of the box.

    When is this the case for vpn users into your network?  Or am I misunderstanding your use of this cert?

    Thank you for commenting, I guess the thought, although maybe ignorant and foolish, was that i would not need to import a root or intermediate onto my clients.

    Maybe this is just my misunderstanding, but i was hoping for touch less config, but if i have to deploy a ovpn or cert than so be it.

    Thank you both for your help. Sorry if i ruffled any feathers..



  • @doktornotor:

    Dude, this is NOT pfSense message! This log is from your client, using PolarSSL. OpenVPN on pfSense is compiled against OpenSSL, not PolarSSL. Your client with PolarSSL is unable to verify certs. Go fix that unknown client.

    Plus, as noted above, the whole idea of using a public CA for VPNs is completely twisted.

    And I already linked you exactly to the "issue" with parsing the cert, even with a fix. It's IRRELEVANT for your issue. Cosmetic display thing.

    Ok man, sorry…

    I appreciate the link, it didn't work for me.

    Again, a misunderstanding of how it works i guess, i'm new to vpn completely, I know when I attempt to access a website if the SSL cert presented doesn't match the fqdn you'll get a mismatch unless you had a SAN or other, I guess i thought this worked the same way.

    I am new to this, I asked a question attempted your "fix" and it didn't work.

    Thanks for the help. I guess i'll just forget it and give up on the effort.

    Go fix that unknown client.

    Sorry i left that out, it is the OpenVPN Connect client for Android.


  • Banned

    That fix works just fine. You are doing it wrong. It will NOT fix your certificate verification issue. It has nothing to do with that. I posted it because the thread topic you have chosen is "Externally Signed SSL Certificate Showing up as Server: No". That fix fixed that issue. Nothing else.

    Using certificates issued by public CAs for VPN clients is extremely dangerous.



  • @doktornotor:

    That fix works just fine. You are doing it wrong. It will NOT fix your certificate verification issue. It has nothing to do with that. I posted it because the thread topic you have chosen is "Externally Signed SSL Certificate Showing up as Server: No". That fix fixed that issue. Nothing else.

    Using certificates issued by public CAs for VPN clients is extremely dangerous.

    Assuming you mean from here https://github.com/pfsense/pfsense/pull/3233/commits/2f7c76cf03a2f040836d83f39e675f8dfac37a76

    I added

    $purpose['server'] = (strpos($crt_details['extensions']['nsCertType'], 'SSL Server') !== FALSE) ? 'Yes': 'No';

    to my certs.inc as shown below..

    $crt_details = openssl_x509_parse($str_crt);
      $purpose = array();
      $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
      $purpose['server'] = ($crt_details['extensions']['nsCertType'] == "SSL Server") ? 'Yes': 'No';
      $purpose['server'] = (strpos($crt_details['extensions']['nsCertType'], 'SSL Server') !== FALSE) ? 'Yes': 'No';
      return $purpose;

    Maybe I added this to the wrong certs.inc??

    Is using a publicly signed SSL cert dangerous since they could get compromised, easier to MITM?


  • Banned

    No, because when you don't configure things properly, you end up with everyone with a certificate issued by that CA being able to connect to your VPN.

    (As for the certificate purpose fix, kindly use 2.4 if you want it fixed.)



  • @doktornotor:

    No, because when you don't configure things properly, you end up with everyone with a certificate issued by that CA being able to connect to your VPN.

    (As for the certificate purpose fix, kindly use 2.4 if you want it fixed.)

    Ah i see, I think we may have been talking about different certificates, I am talking about the SSL Server cert for the OpenVPN server, the Server certificate.

    I was still issuing a client certificate from my internal private CA using Remote Access (SSL/TLS + User Auth)

    As I stated, I thought that my Server certificate had to match my public fqdn.

    Are you saying I should use pfsense Latest Base System 2.4 to fix this? I think knowing that the names don't need to match, and i don't need the public ssl server cert, i'll wait.

    The info here i

    Again, thanks for the help, i didn't think it would be this painful for everyone..

    I'm looking forward to my Gold Membership.


  • Banned

    No, I am saying that if you want that COSMETIC issue with certificate PURPOSE fixed, you should use 2.4 because you clearly are UNABLE to apply the patch properly. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION.

    Next time, choose a thread subject to match your REAL issue, to avoid GIANT waste of time. And with that, I'm outta here.



  • @doktornotor:

    No, I am saying that if you want that COSMETIC issue with certificate PURPOSE fixed, you should use 2.4 because you clearly are UNABLE to apply the patch properly. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION.

    Next time, choose a thread subject to match your REAL issue, to avoid GIANT waste of time. And with that, I'm outta here.

    Dude, you are rude, and unhelpful, The subject is what it is, the cert is a server cert, but pfsense doesn't see it as such regardless to why, it used to.

    That said you linked to a bugpost for a version i'm not running and expected me to know to upgrade to a experimental version.

    Then you contradict yourself by saying it is cosmetic, but needs o be fixed.

    I am unable to apply a patch, do you think you are a developer or created an awesome patch because you added a line of code to an existing config file?

    Thanks for all your help dude, you make this a great community, and a friendly environment.

    Be gone then..


  • Rebel Alliance Global Moderator

    dok - you gained another smite I see ;)  Your going for the board record maybe?…

    dok is a very helpful and knowledgeable part of this community.. And like a big friendly cuddly teddy bear when you get to know him - his bark can be loud, but he doesn't bite..  I would take dok advice over almost everyone here other than my own ;) And to be honest I can not recall a time where he was not right on the money with his assessment and advice.

    As to your client connect issue with android.. The openvpn client for android works just fine in every case I have tried out of the box..  I can not think of an instance when you would want a public signed cert for a vpn connection.  When would such a cert need to be trusted by the masses - the only one that need to trust this cert are your vpn users.  Which would normally be set to trust your cert when they are set to connect to your vpn.  Normally these devices would always be in control by the owner of the vpn, or atleast the users of such the vpn would be controlled by the owner of the vpn that gave them the info needed to access it and auth, etc.

    The only thing a publc signed cert would get you for a vpn connection would be added cost, added complexity and quite possible less security since its possible that any client cert also signed by that public ca could access the vpn.  Just doesn't make sense to use a public signed cert in the vpn use case.



  • Yeah his character flaws are not that interesting to me really to be honest with you. I came for some simple advice regarding my externally signed SSL certificate regardless to the use case and regardless of the scenario pfSense is stating that it is not a server certificate.

    I guess maybe I'm a different kind of individual where I would say listen this isn't the best practice to use a publicly signed SSL certificate for VPN server.

    That being said this is a known bug and to resolve it you would need to go to 2.4 and apply the following line in your config file.

    Do you agree that that would have been the easiest way to approach my question? Or is sending me a link and having me go back and forth with him while he ridicules me and behaves in a condescending manner the typical theme for support in this type of community?


  • Galactic Empire Netgate

    @Digital_ADHD:

    Yeah his character flaws are not that interesting to me really to be honest with you. I came for some simple advice regarding my externally signed SSL certificate regardless to the use case and regardless of the scenario pfSense is stating that it is not a server certificate.

    I guess maybe I'm a different kind of individual where I would say listen this isn't the best practice to use a publicly signed SSL certificate for VPN server.

    That being said this is a known bug and to resolve it you would need to go to 2.4 and apply the following line in your config file.

    Do you agree that that would have been the easiest way to approach my question? Or is sending me a link and having me go back and forth with him while he ridicules me and behaves in a condescending manner the typical theme for support in this type of community?

    All help on this forum is on voluntary basis and we kindly ask you to acknowledge that.



  • @ivor:

    @Digital_ADHD:

    Yeah his character flaws are not that interesting to me really to be honest with you. I came for some simple advice regarding my externally signed SSL certificate regardless to the use case and regardless of the scenario pfSense is stating that it is not a server certificate.

    I guess maybe I'm a different kind of individual where I would say listen this isn't the best practice to use a publicly signed SSL certificate for VPN server.

    That being said this is a known bug and to resolve it you would need to go to 2.4 and apply the following line in your config file.

    Do you agree that that would have been the easiest way to approach my question? Or is sending me a link and having me go back and forth with him while he ridicules me and behaves in a condescending manner the typical theme for support in this type of community?

    All help on this forum is on voluntary basis and we kindly ask you to acknowledge that.

    That doesn't give anyone a pass to be rude or condescending. That's like that age-old no offense but you're an a****** type mentality. I appreciate your help that you have volunteered.


  • Galactic Empire Netgate

    Take a break and cool off, see you in 7 days.



  • Hey all, sorry if i was giving you all a hard time a week back. I guess maybe i was misunderstanding, and being overly sensitive. Sorry..


  • Rebel Alliance Global Moderator

    "a pass to be rude or condescending."

    And what gives you a pass to read into tone what your feeling?  Just because your having a bad day does not mean that some comment was not given in the best possible intentions.  That you read it as rude is quite often on the reader..

    I just read through this thread again.. And dok was nothing but helpful and nice until much later in the thread after you just didn't seem to be getting it ;) And then even then - he just stated this was a waste of time and he was out..



  • Hense my apology.