Netgate Discussion Forum
    LDAP+OpenVPN strict security. Permissive SSL verification

    2 Posts 1 Posters 741 Views
    lex.under.3182 (last edited by lex.under.3182)

      Hello everyone,

      Is there any way I can allow a connection via ldaps with an expired SSL certificate on it?

      I have renewed my expired certificate on the LDAP server and so far I can see that the connection works from the dashboard, and the Diagnostics -> Authentication test works as well.
      But OpenVPN still does not allow connecting. With just the ldap:// protocol everything works fine.

      pfSense openvpn[]: openvpn.auth-user.php: ERROR! Could not bind to LDAP server LDAP. Please check the bind credentials.

      The credentials are correct for sure. So probably the issue is with SSL... although it is renewed, maybe the CA is expired or something.

      And ldapsearch from the CLI gives the error below. It would be cool to add somewhere in the system "tls_reqcert allow" for the LDAP clients.
      Probably /etc/inc/auth.inc is the right place, but actually I am not sure if I can safely touch it. Plus most likely after an update of pfSense this file will be overwritten.

      [2.6.0-RELEASE][root@pfSense.test.server]/root: ldapsearch -H ldaps://ldap.server.test -x -b 'dc=cli,dc=ai' -d 1
      ldap_url_parse_ext(ldaps://ldap.server.test)
      ldap_create
      ldap_url_parse_ext(ldaps://ldap.server.test:636/??base)
      ldap_sasl_bind
      ldap_send_initial_request
      ldap_new_connection 1 1 0
      ldap_int_open_connection
      ldap_connect_to_host: TCP ldap.server.test:636
      ldap_new_socket: 3
      ldap_prepare_socket: 3
      ldap_connect_to_host: Trying 192.168.0.111:636
      ldap_pvt_connect: fd: 3 tm: -1 async: 0
      attempting to connect:
      connect success
      TLS trace: SSL_connect:before SSL initialization
      TLS trace: SSL_connect:SSLv3/TLS write client hello
      TLS trace: SSL_connect:SSLv3/TLS write client hello
      TLS trace: SSL_connect:SSLv3/TLS read server hello
      TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
      TLS certificate verification: depth: 3, err: 10, subject: /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
      TLS certificate verification: Error, certificate has expired
      TLS trace: SSL3 alert write:fatal:certificate expired
      TLS trace: SSL_connect:error in error
      TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired).
      ldap_err2string
      ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

      My point is that I see no reason for strict security when the ldap:// protocol without any encryption is allowed anyway. I mean in any case it would be safer to even allow connecting to ldaps:// with expired SSL certificates rather than using ldap:// without any encryption at all.

      Any help would be appreciated. If possible I want to allow pfSense to connect to expired SSL certificates via the ldaps protocol. Can you help me achieve this?

      Regards,
      Oleksandr

      1 Reply Last reply Reply Quote 0
      lex.under.3182 (last edited by lex.under.3182)

        Although the SSL certificate was valid, I still was unable to connect using the ldapsearch client or OpenVPN. Maybe the CA certificate is expired on Let's Encrypt's end, or it is because of the free cert. Not sure. But again, in pfSense under User Management -> LDAP configuration there were no issues after the certificate was renewed on the LDAP server.

        Anyway, I was able to solve the issue by adding

        TLS_REQCERT allow

        to

        /usr/local/etc/openldap/ldap.conf

        Now OpenVPN connects fine, as well as the ldap command-line client.

        1 Reply Last reply Reply Quote 0
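An added example (not from this thread, pfSense or OpenLDAP) that reads the "TLS certificate verification" lines from the ldapsearch -d 1 output quoted in the first post and says which element of the chain failed and why: depth 3 with err 10 whose subject equals its issuer is a self-signed root, so the trust anchor itself has expired and renewing the server certificate cannot help; the remedy belongs in the client's CA store, whereas TLS_REQCERT allow (the setting from the second post) switches verification off for every connection. The err values are OpenSSL's X509_V_ERR constants, and the sample lines are constructed from the output above.

```python
import re

# Constructed sample: the verification lines from the ldapsearch -d 1 output in the first post.
SAMPLE_DEBUG = """\
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 3, err: 10, subject: /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
TLS certificate verification: Error, certificate has expired
TLS trace: SSL3 alert write:fatal:certificate expired
"""

# OpenSSL X509_V_ERR_* values that libldap prints in the "err:" field.
X509_ERR = {
    0: "OK", 9: "CERT_NOT_YET_VALID", 10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT", 19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY", 21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    62: "HOSTNAME_MISMATCH",
}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


def parse_verification(debug_output):
    """Return one dict per chain element libldap reported (depth 0 = server cert)."""
    found = []
    for line in debug_output.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            found.append({"depth": int(m["depth"]), "err": int(m["err"]),
                          "subject": m["subject"], "issuer": m["issuer"]})
    return found


def diagnose(debug_output):
    """Classify the first failing element so the fix targets the real problem."""
    failures = [r for r in parse_verification(debug_output) if r["err"] != 0]
    if not failures:
        return {"ok": True}                 # no failing element was reported
    f = failures[0]
    root = f["subject"] == f["issuer"]      # self-signed: this is the trust anchor
    if root and f["err"] == 10:
        fix = ("update the client's CA store: the chain is validated up to an expired "
               "root, so renewing the server cert cannot help and TLS_REQCERT allow "
               "would disable verification altogether")
    else:
        fix = "renew or replace the certificate at depth %d" % f["depth"]
    return {"ok": False, "depth": f["depth"], "self_signed": root,
            "reason": X509_ERR.get(f["err"], "UNKNOWN_%d" % f["err"]), "fix": fix}
```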
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.