Netgate Discussion Forum

LDAP+OpenVPN strict security. Permissive SSL verification

  • lex.under.3182
    last edited by lex.under.3182 Apr 26, 2023, 8:16 AM (posted Apr 26, 2023, 7:52 AM)

    Hello everyone,

    Is there any way I can allow connections via ldaps with an expired SSL certificate on it?

    I have renewed my expired certificate on the LDAP server, and so far I can see that the connection works from the dashboard, and the Diagnostics -> Authentication test works as well.
    But OpenVPN still does not allow me to connect. With just the ldap:// protocol everything works fine.

    pfSense openvpn[]: openvpn.auth-user.php: ERROR! Could not bind to LDAP server LDAP. Please check the bind credentials.
    

    The credentials are correct for sure. So probably the issue is with SSL... although it is renewed, maybe the CA is expired or something.

    And ldapsearch from the CLI gives the error below. It would be cool to add "tls_reqcert allow" somewhere in the system for the LDAP clients.
    Probably /etc/inc/auth.inc is the right place, but actually I'm not sure if I can safely touch it. Plus, most likely after a pfSense upgrade this file will be overwritten.

    [2.6.0-RELEASE][root@pfSense.test.server]/root: ldapsearch -H ldaps://ldap.server.test -x -b 'dc=cli,dc=ai' -d 1
    ldap_url_parse_ext(ldaps://ldap.server.test)
    ldap_create
    ldap_url_parse_ext(ldaps://ldap.server.test:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP ldap.server.test:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.0.111:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS trace: SSL_connect:before SSL initialization
    TLS trace: SSL_connect:SSLv3/TLS write client hello
    TLS trace: SSL_connect:SSLv3/TLS write client hello
    TLS trace: SSL_connect:SSLv3/TLS read server hello
    TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
    TLS certificate verification: depth: 3, err: 10, subject: /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
    TLS certificate verification: Error, certificate has expired
    TLS trace: SSL3 alert write:fatal:certificate expired
    TLS trace: SSL_connect:error in error
    TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired).
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    

    My point is that I see no reason for strict security when the ldap:// protocol without any encryption is allowed anyway. I mean, in any case it would be safer to allow connecting to ldaps:// with expired SSL certificates rather than using ldap:// without any encryption at all.

    Any help would be appreciated. If possible I want to allow pfSense to connect to expired SSL certificates via the ldaps protocol. Can you help me achieve this?

    Regards,
    Oleksandr

    • lex.under.3182
      last edited Apr 27, 2023, 2:07 PM

      Although the SSL certificate was valid, I still was unable to connect using the ldapsearch client or OpenVPN. Maybe the CA certificate is expired on Let's Encrypt's end, or it is because of the free cert. Not sure. But again, in pfSense under User Management -> LDAP configuration there were no issues after the certificate was renewed on the LDAP server.

      Anyway

      Was able to solve the issue by adding
      TLS_REQCERT allow

      to

      /usr/local/etc/openldap/ldap.conf

      Now OpenVPN connects fine, as well as the LDAP command-line client.

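An added diagnostic for the failure in this thread (example code; not from the thread, pfSense or OpenLDAP): a small parser for the `TLS certificate verification:` lines that libldap prints with `ldapsearch -d 1`, fed with the trace lines from the first post as constructed input. The failing entry there is at depth 3 with err 10 (OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED), and its subject equals its issuer, so the expired certificate is the trust anchor itself (DST Root CA X3), not the renewed server certificate. `TLS_REQCERT allow` makes libldap accept the chain regardless, which also removes the check that would reject a substituted server; `recommend()` maps the failing depth to the fix that keeps `TLS_REQCERT demand` (a current CA bundle in `TLS_CACERT`). `live_verify()` repeats the same check with Python's `ssl` module against a real host and is assumed to have network access; it is not exercised offline.

```python
"""Locate which certificate in an LDAPS chain failed verification and say what
fix keeps verification switched on.  Added example, not code from the thread."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Line formats emitted by libldap with "-d 1" (as in the thread's trace).
VERIFY_LINE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)

# OpenSSL X509 verify codes that show up in the "err:" field.
X509_ERRORS = {
    0: "ok",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
}

# Constructed sample: the relevant lines copied from the ldapsearch output above.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 3, err: 10, subject: /O=Digital Signature Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
TLS certificate verification: Error, certificate has expired
TLS trace: SSL3 alert write:fatal:certificate expired
"""


@dataclass
class VerifyFailure:
    depth: int      # 0 = server (leaf) certificate, higher = towards the root
    err: int        # OpenSSL X509 verify error code
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A cert whose issuer is itself is a trust anchor (root), not a server cert.
        return self.subject == self.issuer

    @property
    def reason(self) -> str:
        return X509_ERRORS.get(self.err, f"x509 verify error {self.err}")


def parse_verify_failure(trace: str) -> Optional[VerifyFailure]:
    """Return the first non-zero verification result in a -d 1 trace, else None."""
    for line in trace.splitlines():
        m = VERIFY_LINE.search(line)
        if m and int(m.group("err")) != 0:
            return VerifyFailure(int(m.group("depth")), int(m.group("err")),
                                 m.group("subject").strip(), m.group("issuer").strip())
    return None


def recommend(failure: Optional[VerifyFailure]) -> str:
    """Map the failing depth/error to the fix that leaves TLS_REQCERT at demand."""
    if failure is None:
        return "chain verified; look elsewhere (bind DN, password, base DN)"
    if failure.err == 10 and failure.depth == 0:
        return "leaf certificate expired: renew the LDAP server certificate"
    if failure.err == 10 and failure.self_signed:
        return (f"trust anchor expired at depth {failure.depth} ({failure.subject}): "
                f"point TLS_CACERT at a current CA bundle so the chain ends at a valid root")
    if failure.err == 10:
        return f"intermediate expired at depth {failure.depth}: server must send a current intermediate"
    if failure.err == 20:
        return "issuer not in the local trust store: add the issuing CA to TLS_CACERT"
    return f"verify error {failure.err} at depth {failure.depth} ({failure.reason})"


def live_verify(host: str, port: int = 636, cafile: Optional[str] = None) -> Optional[str]:
    """Run the same chain verification libldap does, using the ssl module.
    Returns None if the chain verifies, otherwise "<code>: <message>".  Needs network."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return f"{exc.verify_code}: {exc.verify_message}"


if __name__ == "__main__":
    found = parse_verify_failure(SAMPLE_TRACE)
    print(found)
    print(recommend(found))
```

Running it against the trace from the first post reports the failure at depth 3 on DST Root CA X3 and recommends refreshing the CA bundle the client verifies against, which is the change that fixes the bind while keeping `TLS_REQCERT demand`; `TLS_REQCERT allow` fixes the symptom by accepting any chain.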
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.