Netgate Discussion Forum

    OpenVPN - malformed log - certificate subject

      Milan Bednar (last edited by Milan Bednar)

      Hi,

      I use the OpenVPN service in pfSense for client remote-access SSL VPN with TLS authentication.

      Server-side authentication is done via the /usr/local/sbin/ovpn_auth_verify script. User certificates are stored on smart cards and issued by a Czech accredited CA.

      I'm facing a problem with /var/log/openvpn.log character malformation - some Latin characters taken from the user certificate subject are not logged correctly - e.g. the last character of my last name (Unicode code point U+159 - LATIN SMALL LETTER R WITH CARON).

      I added the command env > /tmp/env to the /usr/local/sbin/ovpn_auth_verify script to check whether the malformation is already present in the environment variables passed to this script, but there everything seems correct.

      This behavior is present in pfSense v2.4.5, 2.5.1 and 2.6.0. No locale modification was made at OS level.

      Can anyone help me?
      Thank you
      Milan

      [2.6.0-DEVELOPMENT][admin@pfSense.home.arpa]/root: cat  /tmp/env | grep -A1 -B1 Milan
      tun_mtu=1500
      X509_0_CN=Milan Bednář
      proto_1=udp4
      tls_id_0=CN=Milan Bednář, GN=Milan, SN=Bednář, C=CZ, O=IBM, OU=Projekt CDBP - test, serialNumber=ICA - 80954
      tls_id_1=C=CZ, CN=I.CA Test Public CA/RSA 11/2015, O=První certifikační autorita, a.s., serialNumber=NTRCZ-26439395
      --
      X509_1_CN=I.CA Test Public CA/RSA 11/2015
      X509_0_GN=Milan
      script_context=init
      [2.6.0-DEVELOPMENT][admin@pfSense.home.arpa]/root: 
      
      [2.6.0-DEVELOPMENT][admin@pfSense.home.arpa]/root: hexdump -C /tmp/env | grep -A1 -B1 Milan
      000000a0  6d 74 75 3d 31 35 30 30  0a 58 35 30 39 5f 30 5f  |mtu=1500.X509_0_|
      000000b0  43 4e 3d 4d 69 6c 61 6e  20 42 65 64 6e c3 a1 c5  |CN=Milan Bedn...|
      000000c0  99 0a 70 72 6f 74 6f 5f  31 3d 75 64 70 34 0a 74  |..proto_1=udp4.t|
      000000d0  6c 73 5f 69 64 5f 30 3d  43 4e 3d 4d 69 6c 61 6e  |ls_id_0=CN=Milan|
      000000e0  20 42 65 64 6e c3 a1 c5  99 2c 20 47 4e 3d 4d 69  | Bedn...., GN=Mi|
      [2.6.0-DEVELOPMENT][admin@pfSense.home.arpa]/root: 
      
      [2.6.0-DEVELOPMENT][admin@pfSense.home.arpa]/root: cat /var/log/openvpn.log  | grep -A1 -B1 Milan
      Apr 28 15:00:46 pfSense openvpn[2297]: 192.168.122.174:58699 [Milan Bedná�M-^Y] Peer Connection Initiated with [AF_INET]192.168.122.174:58699
      Apr 28 15:00:46 pfSense openvpn[2297]: Milan Bedná�M-^Y/192.168.122.174:58699 MULTI_sva: pool returned IPv4=10.0.10.2, IPv6=(Not enabled)
      
      
      [2.6.0-DEVELOPMENT][admin@pfSense.home.arpa]/root: hexdump -C  /var/log/openvpn.log | grep Milan
      00000ca0  66 53 65 6e 73 65 20 6f  70 65 6e 76 70 6e 5b 32  |fSense openvpn[2|
      00000cb0  32 39 37 5d 3a 20 4d 69  6c 61 6e 20 42 65 64 6e  |297]: Milan Bedn|
      00000cc0  c3 a1 c5 4d 2d 5e 59 2f  31 39 32 2e 31 36 38 2e  |...M-^Y/192.168.|
      

      When I open /var/log/openvpn.log with less I can see this:

      Apr 28 15:02:01 pfSense openvpn[93790]: 192.168.122.174:53691 [Milan Bedn<C3><A1><C5>M-^Y] Peer Connection Initiated with [AF_INET]192.168.122.174:53691
      Apr 28 15:02:01 pfSense openvpn[93790]: Milan Bedn<C3><A1><C5>M-^Y/192.168.122.174:53691 MULTI_sva: pool returned IPv4=10.0.10.2, IPv6=(Not enabled)
      

      Also, in the pfSense GUI OpenVPN log, the message column is empty for the malformed messages.

      openvpn-log.png
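      The two hexdumps in the post pin down what happens to the name: the environment holds the correct UTF-8 bytes c5 99 for "ř" (U+0159), while the log file holds c5 4d 2d 5e 59, i.e. the continuation byte 0x99 has been replaced by the literal text "M-^Y". That is the meta/caret notation used by cat -v and vis(3) for bytes in the C1 control range 0x80-0x9F (0x99 = 0x80 | 0x19, and 0x19 is Ctrl-Y), whereas the lead bytes 0xC3/0xC5 and the continuation byte 0xA1 pass through untouched. The script below is an added example written for this thread, not code from the post, pfSense or OpenVPN: it models that substitution on the post's own sample, reverses it so the real certificate subject can be recovered from an already mangled log for audit purposes, and lists which characters of a subject will be hit. The escaping model is inferred from the hexdumps; the page does not identify which component applies it, so that is an assumption.

```python
import re

# Constructed sample: the first log line from the post, carrying the bytes
# the post's hexdump shows (c3 a1 c5 4d 2d 5e 59 = "\xc3\xa1\xc5" + "M-^Y").
SAMPLE_LOG_LINE = (
    b"Apr 28 15:00:46 pfSense openvpn[2297]: 192.168.122.174:58699 "
    b"[Milan Bedn\xc3\xa1\xc5M-^Y] Peer Connection Initiated with "
    b"[AF_INET]192.168.122.174:58699"
)


def escape_c1_controls(raw: bytes) -> bytes:
    """Model of the sanitisation the post's hexdumps show (an assumption,
    not the actual syslogd/OpenVPN source): C0 controls except TAB become
    ^X, C1 controls 0x80-0x9F become M-^X (meta/caret notation as printed
    by cat -v), and every other byte, including UTF-8 lead bytes and the
    continuation bytes 0xA0-0xBF, is copied verbatim."""
    out = bytearray()
    for b in raw:
        if b == 0x09:                      # TAB passes through
            out.append(b)
        elif b < 0x20 or b == 0x7F:        # C0 control or DEL -> ^X
            out += b"^" + bytes([b ^ 0x40])
        elif 0x80 <= b <= 0x9F:            # C1 control -> M-^X
            out += b"M-^" + bytes([(b & 0x7F) ^ 0x40])
        else:
            out.append(b)
    return bytes(out)


# "M-^X" (meta + control) or "^X" (control); X is '@'..'_', or '?' for DEL.
_CARET = re.compile(rb"M-\^([@-_])|\^([@-_?])")


def unescape_c1_controls(mangled: bytes) -> bytes:
    """Reverse the caret notation so the original UTF-8 can be decoded.
    Ambiguity caveat: a literal "M-^Y" or "^A" present in the source text
    would be reversed as well, so treat the result as a reconstruction."""
    def repl(m: re.Match) -> bytes:
        if m.group(1) is not None:
            return bytes([(m.group(1)[0] ^ 0x40) | 0x80])
        return bytes([m.group(2)[0] ^ 0x40])
    return _CARET.sub(repl, mangled)


def recover_log_line(mangled: bytes) -> str:
    """Decode a mangled log line back to text; bytes that still do not form
    valid UTF-8 are shown as U+FFFD instead of raising."""
    return unescape_c1_controls(mangled).decode("utf-8", errors="replace")


def affected_chars(text: str) -> list[str]:
    """Characters whose UTF-8 encoding contains a byte in 0x80-0x9F; these
    are the ones a C1-control filter mangles. Order kept, duplicates dropped."""
    hit = [ch for ch in text
           if any(0x80 <= b <= 0x9F for b in ch.encode("utf-8"))]
    return list(dict.fromkeys(hit))


if __name__ == "__main__":
    subject = "Milan Bednář"
    print(escape_c1_controls(subject.encode("utf-8")))  # b'Milan Bedn\xc3\xa1\xc5M-^Y'
    print(recover_log_line(SAMPLE_LOG_LINE))
    print(affected_chars("Příliš žluťoučký kůň"))       # ['ř', 'č', 'ň']
```

      Two points worth taking from running it: the substituted line is no longer valid UTF-8 at all (0xC5 followed by "M"), so any consumer that requires valid UTF-8 will fail on exactly those lines, and which characters get hit depends only on their UTF-8 continuation bytes, so "á", "š" or "ž" survive while "ř", "č", "ě" or "ň" do not.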

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.