Tls-verify fails when checking Certificate Depth



  • I set up a new server. I am using a root CA and an intermediate. The latter created the server and the client certificates (on pfsense).
    When I set the OpenVPN server option "Certificate Depth" to anything but "Do not check", any connection to the server is denied with a "VERIFY SCRIPT ERROR" at depth 0, i.e. when the server checks the client certificate. Is this a known problem with the option tls-verify in pfsense? Or did I misunderstand how this option is supposed to work?

    When setting the option to "Do not check" everything works fine. Here are some logs to help diagnose.

    Problem with "Certificate Depth"="Two (Client+Intermediate+Server)":

    Nov 21 21:11:01	openvpn	21938	192.168.5.26:1194 TLS: Initial packet from [AF_INET]192.168.5.26:1194, sid=b89d4974 69582adc
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY WARNING: depth=1, unable to get certificate CRL: C=DE, O=[...], CN=My Firewall CA
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY WARNING: depth=2, unable to get certificate CRL: C=DE, O=[...], CN=My Root CA
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY SCRIPT OK: depth=2, C=DE, O=[...], CN=My Root CA
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY OK: depth=2, C=DE, O=[...], CN=My Root CA
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY SCRIPT OK: depth=1, C=DE, O=[...], CN=My Firewall CA
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY OK: depth=1, C=DE, O=[...], CN=My Firewall CA
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 VERIFY SCRIPT ERROR: depth=0, C=DE, ST=[...], CN=OVPN client Someclient, OU=[...], subjectAltName=
    Nov 21 21:11:02	openvpn	21938	192.168.5.26:1194 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    

    Working with "Certificate Depth"="Do not check":

    Nov 21 21:06:36	openvpn	7370	192.168.5.26:1194 TLS: Initial packet from [AF_INET]192.168.5.26:1194, sid=d90eb6ad 7ee910c4
    Nov 21 21:06:37	openvpn	7370	192.168.5.26:1194 VERIFY WARNING: depth=1, unable to get certificate CRL: C=DE, O=[...], CN=My Firewall CA
    Nov 21 21:06:37	openvpn	7370	192.168.5.26:1194 VERIFY WARNING: depth=2, unable to get certificate CRL: C=DE, O=[...], CN=My Root CA
    Nov 21 21:06:37	openvpn	7370	192.168.5.26:1194 VERIFY OK: depth=2, C=DE, O=[...], CN=My Root CA
    Nov 21 21:06:37	openvpn	7370	192.168.5.26:1194 VERIFY OK: depth=1, C=DE, O=[...], CN=My Firewall CA
    Nov 21 21:06:37	openvpn	7370	192.168.5.26:1194 VERIFY OK: depth=0, C=DE, ST=[...], CN=OVPN client Someclient, OU=[...], subjectAltName=
    Nov 21 21:06:37	openvpn	7370	192.168.5.26:1194 peer info: IV_VER=2.5_master
    


  • OpenVPN complains about not finding a CRL. Haven't you added one to the CA?
    I guess it will be necessary for tls-verify.

    I've enabled Cert Depth One (I've no intermediate cert) and there is no issue in 2.4.1.



  • The CA certificates indeed do not have a CRL included. However, 1) that should not be a requirement for a CA certificate and 2) OpenVPN logs the same warning and does not fail without Certificate Depth checking. I think these warnings occur in the process before the tls-verify is executed.

    I admit, I do not know what the tls-verify script that ships with the pfsense OpenVPN package actually checks for. The directive tls-verify is only included in the generated configuration if "Certificate Depth" is set. That led me to believe that the script it calls should only check for the depth and nothing else? The depth check shouldn't require any CRL. Could the description of the Certificate Depth option in the web interface be improved?
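To make concrete what a depth-only `--tls-verify` hook looks like, and why it needs no CRL, here is an added example written for this thread; it is not the script pfSense ships, and the `MAX_DEPTH` variable is an assumption of this example. OpenVPN runs the hook once per certificate in the peer's chain, root first, passing the depth as `$1` (0 = the peer's own certificate) and the X509 subject as `$2`, and treats a non-zero exit as "VERIFY SCRIPT ERROR" at that depth, exactly the sequence visible in the logs above (depth=2, then 1, then 0). The chain-walk function at the end simulates that calling order with constructed subjects.

```shell
#!/bin/sh
# Added example (not pfSense's ovpn verify script): a minimal OpenVPN
# --tls-verify hook that only enforces a maximum chain depth.
#
# OpenVPN calls the hook as:  script <depth> <x509-subject>
#   $1 = depth (0 = peer certificate, 1 = its issuer, ... up to the root)
#   $2 = X509 subject string of the certificate at that depth
# Exit 0 accepts the certificate at this depth; non-zero rejects the session.
#
# MAX_DEPTH is an assumed environment variable for this example. With a
# root -> intermediate -> client chain the root sits at depth 2, so MAX_DEPTH=2
# accepts that chain and MAX_DEPTH=1 rejects it (at depth=2, the root).
MAX_DEPTH="${MAX_DEPTH:-2}"

check_depth() {
    depth="$1"
    subject="$2"

    # Reject anything that is not a non-negative integer: OpenVPN always
    # passes a number here, so anything else means the hook was misinvoked.
    case "$depth" in
        ''|*[!0-9]*)
            echo "tls-verify: invalid depth '$depth' for subject '$subject'" >&2
            return 1
            ;;
    esac

    if [ "$depth" -gt "$MAX_DEPTH" ]; then
        echo "tls-verify: rejecting depth=$depth (max $MAX_DEPTH): $subject" >&2
        return 1
    fi

    # Note: no CRL is consulted here. Revocation is OpenVPN's own
    # --crl-verify step, independent of this depth check.
    return 0
}

# Simulate OpenVPN walking a chain of N certificates, root first, leaf last
# (the depth=2, depth=1, depth=0 order seen in the server log). The subjects
# are constructed placeholders. Returns non-zero at the first rejected depth.
verify_chain_of_length() {
    n="$1"
    d=$((n - 1))
    while [ "$d" -ge 0 ]; do
        check_depth "$d" "C=XX, CN=constructed cert at depth $d" || return 1
        d=$((d - 1))
    done
    return 0
}

# When invoked by OpenVPN (exactly two positional arguments), act as the hook.
if [ "$#" -eq 2 ]; then
    check_depth "$1" "$2"
    exit $?
fi
```

Because the hook never touches a CRL, the "unable to get certificate CRL" warnings in the logs cannot be what makes such a script exit 1; those warnings come from OpenSSL's chain verification, which runs regardless of whether `--tls-verify` is configured.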



  • I'm facing a similar issue with 2.4.2, not exactly the same but I'm not sure it merits a new thread.

    I have my own PKI setup with root CA + intermediate CA, servers and clients are signed by the intermediate, and a CRL is also set up. I have configured the OpenVPN server certificate depth to 2 accordingly.

    I'm running Netgate's pfSense in AWS, and after upgrading from 2.3.5 to 2.4.2, my previously fully functional OpenVPN clients cannot connect anymore, the clients are left hanging while trying to connect and I get the following errors in the server logs:

    
    OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    VERIFY SCRIPT ERROR: depth=2, C=<hidden>, ST=<hidden>, L=<hidden>, O=<hidden>, OU=<hidden>, CN=<hidden (root ca)>
    WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
    VERIFY WARNING: depth=2, unable to get certificate CRL: C=<hidden>, ST=<hidden>, L=<hidden>, O=<hidden>, OU=<hidden>, CN=<hidden (root ca)>
    VERIFY WARNING: depth=1, unable to get certificate CRL: C=<hidden>, ST=<hidden>, L=<hidden>, O=<hidden>, OU=<hidden>, CN=
    

    The CRL warnings trouble me already, since that didn't happen in 2.3.x and I had tested the CRL revocation functionality. But the main issue seems to be the tls-verify script error; somehow it is not able to verify the root CA.

    I have tried all permutations I could think of (adding the full chain root ca / intermediate ca in the crt files, singling them out, etc), but nothing works. The only thing I can do at this moment is to deactivate the depth check, then my clients connect again. I have also seen in other threads that it might be related to spaces in the X509 data, but I found nothing conclusive.

    Any help will be appreciated.

