OpenVPN (2.4.x?) fails with pfSense 2.4.0 if CRL is specified



  • I just did an upgrade from 2.3.4p1 to 2.4.0, and OpenVPN now refuses to connect.

    My OpenVPN logs show the following:

    
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS handshake failed
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS object -> incoming plaintext read error
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS_ERROR: BIO read tls_read_plaintext error
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 VERIFY ERROR: depth=0, error=CRL signature failure: C=<cert info>
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS: Initial packet from [AF_INET]xxx.yyy.zzz.ip:64615, sid=291e8194 e929c34b
    

    A bit of googling on the OpenSSL error pointed me to OPNsense : https://github.com/opnsense/core/issues/1373

    The bottom line:  Changing the Certificate Revocation List to NONE (where I had one specified on the OpenVPN Server) allowed me to connect.

    Anybody else see this?


  • Rebel Alliance Developer Netgate

    Is that a CRL you made in the pfSense GUI or one you imported externally?

    OpenVPN 2.4 changed CRL parsing so that CRLs are verified directly by OpenSSL rather than by OpenVPN, so it's entirely possible that it's being more strict about some aspect of the CRL.

    It almost sounds like the CRL wasn't made from the same CA as the OpenVPN server though.



  • To be more specific, pfSense is the OpenVPN server, I'm using a mobile client (Tunnelblick).

    It's the local CRL, referencing the same (local) CA as the OpenVPN server.  Both of these were from the pfSense GUI (after Heartbleed).



  • Could be related to this:

    NOTE: OpenVPN 2.4 handles CRL verification differently than previous versions, passing through validation to the library rather than handling it internally. This can cause some certificates to fail validation that may have passed previously. In particular, if a certificate is removed from a CRL, it may still fail validation until all copies of the CRL have been rewritten.
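
    The CA mismatch suggested earlier in the thread and the "stale CRL copy" caveat in the release note look the same from OpenSSL's side: the CRL's issuer name matches the server CA, but its signature does not verify with that CA's current key, so the library rejects it where OpenVPN 2.3 did not. The script below is an added example, not code from this thread, pfSense or OpenVPN. It reproduces the failure with throwaway material: two CA keys sharing one subject DN (a re-keyed CA), a client certificate issued by the new key, one CRL signed with each key, and then the same OpenSSL checks that OpenVPN 2.4 now delegates to the library. `crl_signed_by` is the check to run against a CA and CRL exported from the pfSense Cert Manager before blaming OpenVPN; `verify_client` shows the three handshake outcomes (current CRL, stale CRL, revoked cert), which also covers the empty-CRL and cert-in-CRL cases. All file names and the `Example VPN CA` subject are made up for the demo; it needs only the `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or OpenVPN. Reproduces the
# "CRL signature failure" that OpenVPN 2.4 surfaces once CRL checking is done by
# OpenSSL, using throwaway keys and certs created here (all names are made up).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config shared by 'openssl req' (CA cert extensions) and 'openssl ca'
# (CRL generation and revocation need only a database file).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
default_md         = sha256
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
database   = index.txt
default_md = sha256
EOF
touch index.txt

# Does the CRL's signature verify against a CA in the bundle? Prints "ok" or "bad".
# "bad" covers both a wrong signing key and an issuer that is not in the bundle.
crl_signed_by() {  # $1 = CRL file, $2 = CA bundle
  if openssl crl -noout -in "$1" -CAfile "$2" 2>&1 | grep -q 'verify OK'; then
    echo ok
  else
    echo bad
  fi
}

# Client-cert check with CRL enforcement, i.e. what the server does in the TLS
# handshake. Prints "OK" or the OpenSSL verify error text.
verify_client() {  # $1 = client cert, $2 = CA file, $3 = CRL file
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
  case $out in
    *'CRL signature failure'*) echo 'CRL signature failure' ;;
    *'certificate revoked'*)   echo 'certificate revoked' ;;
    *': OK'*)                  echo OK ;;
    *)                         echo "other: $out" ;;
  esac
}

gen_crl() {  # $1 = CA name (old|new), $2 = output CRL file
  openssl ca -config ca.cnf -gencrl -keyfile "ca_$1.key" -cert "ca_$1.crt" \
    -md sha256 -crldays 30 -out "$2" 2>/dev/null
}

# Two CA keys under one subject DN: what a re-keyed CA looks like to OpenSSL.
for n in old new; do
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 365 \
    -subj '/CN=Example VPN CA' -keyout "ca_$n.key" -out "ca_$n.crt" 2>/dev/null
done

# Client cert issued by the current (new) CA key.
openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj '/CN=alice' \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca_new.crt -CAkey ca_new.key -CAcreateserial \
  -days 30 -sha256 -out client.crt 2>/dev/null

gen_crl old stale.crl    # kept from before the re-key: right issuer name, wrong key
gen_crl new fresh.crl    # empty CRL signed by the current key
openssl ca -config ca.cnf -keyfile ca_new.key -cert ca_new.crt -revoke client.crt 2>/dev/null
gen_crl new revoked.crl  # current key, now lists the client cert

echo "stale CRL signed by current CA key: $(crl_signed_by stale.crl ca_new.crt)"   # bad
echo "fresh CRL signed by current CA key: $(crl_signed_by fresh.crl ca_new.crt)"   # ok
echo "handshake, stale CRL:   $(verify_client client.crt ca_new.crt stale.crl)"    # CRL signature failure
echo "handshake, fresh CRL:   $(verify_client client.crt ca_new.crt fresh.crl)"    # OK
echo "handshake, revoked:     $(verify_client client.crt ca_new.crt revoked.crl)"  # certificate revoked
```

    If `crl_signed_by` reports `bad` for a CA/CRL pair exported from the firewall, the fix is to regenerate the CRL from the current CA and point the OpenVPN server at it, not to set the CRL to NONE: with no CRL configured, a compromised or departed user's certificate keeps connecting until it expires.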



  • @klou:

    I just did an upgrade from 2.3.4p1 to 2.4.0, and OpenVPN now refuses to connect.

    My OpenVPN logs show the following:

    
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS handshake failed
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS Error: TLS object -> incoming plaintext read error
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS_ERROR: BIO read tls_read_plaintext error
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 VERIFY ERROR: depth=0, error=CRL signature failure: C=<cert info>
    Oct 18 23:07:23    openvpn    14312    xxx.yyy.zzz.ip:64615 TLS: Initial packet from [AF_INET]xxx.yyy.zzz.ip:64615, sid=291e8194 e929c34b
    

    A bit of googling on the OpenSSL error pointed me to OPNsense : https://github.com/opnsense/core/issues/1373

    The bottom line:  Changing the Certificate Revocation List to NONE (where I had one specified on the OpenVPN Server) allowed me to connect.

    Anybody else see this?

    Seeing it here on 2.4.0 as well.  Haven't tested 2.4.1 yet.


  • Rebel Alliance Developer Netgate

    At least on 2.4.2, I can't find any problems.

    No CRL = Connects
    Empty CRL = Connects
    Cert in CRL = Doesn't connect (and it shouldn't)
    Using a different cert not in the CRL = Still connects.

    Maybe it got fixed along the way with something else, but it doesn't seem to be an issue on 2.4.2.

