OpenVPN (SSL/TLS + User Auth.) strange login behavior
-
Hello @ll
I'm using 2.0-BETA4 (amd64) built on Thu Sep 9 04:14:56 UTC 2010. I have some problems with OpenVPN.
I made a new server in SSL/TLS + User Auth mode. I can connect with a generated user that has a user certificate without any problems. If I now create an additional user in the user manager, even without any user certificate, I'm able to log in with this user too.
Why can I successfully log in without a corresponding user certificate? Shouldn't it check all credentials (SSL + user + pass)? Is it possible to extend the login script to check everything? Thanks ::)
-
That is the current intended behavior; the CN of the certificate isn't checked for authentication.
That could be changed, though. It seems the OpenVPN auth script should allow us to check whether the CN of the certificate matches the given username.
-
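The check described in the reply above, as an added example (this is not pfSense's auth script and not part of the original thread): an OpenVPN `auth-user-pass-verify` hook in `via-file` mode that refuses the login unless the username sent by the client equals the Common Name of the client certificate that already passed TLS verification. OpenVPN documents that this hook receives the credentials file as `$1` (line 1 username, line 2 password) and that `common_name` is exported as the verified certificate CN; the script paths and the `AUTH_BACKEND` password-check script are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not pfSense's code): an OpenVPN auth-user-pass-verify hook that
# refuses a login unless the username the client sent equals the Common Name (CN)
# of the client certificate that already passed TLS verification.
#
# Assumed server-side directives (standard OpenVPN syntax; paths are hypothetical):
#   script-security 2
#   auth-user-pass-verify /usr/local/etc/openvpn/cn-check.sh via-file
# In via-file mode OpenVPN passes a temporary file as $1 (line 1 = username,
# line 2 = password) and exports the verified certificate CN as $common_name.
# AUTH_BACKEND is an assumed path to whatever script already checks the password
# (RADIUS, LDAP, local DB); this hook only runs it after the CN check passes.
AUTH_BACKEND="${AUTH_BACKEND:-/usr/local/etc/openvpn/password-check.sh}"

# Exact, case-sensitive comparison; an empty CN (no client cert) is always rejected.
cn_matches_user() {
    _cn=$1
    _user=$2
    [ -n "$_cn" ] && [ "$_cn" = "$_user" ]
}

# First line of the via-file credentials file, with any Windows CR stripped.
username_from_file() {
    head -n 1 "$1" | tr -d '\r'
}

# Decision for one login attempt: 0 = CN and username agree, 1 = reject.
verify_cn_against_file() {
    _cn=$1
    _file=$2
    [ -r "$_file" ] || return 1
    cn_matches_user "$_cn" "$(username_from_file "$_file")"
}

# Entry point used by OpenVPN. Non-zero exit = authentication failure.
openvpn_auth_hook() {
    _file=$1
    if ! verify_cn_against_file "${common_name:-}" "$_file"; then
        # This is exactly the case from the thread: a valid certificate
        # (possibly a deleted user's) combined with somebody else's username.
        echo "cn-check: refusing '$(username_from_file "$_file")': certificate CN is '${common_name:-<none>}'" >&2
        return 1
    fi
    # CN and username agree; let the existing backend check the password.
    exec "$AUTH_BACKEND" "$_file"
}

# Only act when invoked by OpenVPN (it always exports common_name for this hook).
if [ -n "${common_name:-}" ]; then
    openvpn_auth_hook "$@"
fi
```

The comparison has to live in the user/password stage rather than in a `tls-verify` hook, because TLS verification runs before the client sends its username and therefore cannot know which account the certificate is being paired with. Note that this only ties a certificate to a username; a certificate that should no longer be trusted at all (a deleted user) still needs to be revoked via a CRL on the server.
-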
Thanks for the information.
Do you think you will change that in the near future?
I did some other tests. I was able to log in with the certificate of a deleted user and the credentials of an existing user. I think this could be a security issue? Thank you!
-
We don't yet have a CRL GUI (I'm working on that right now) - once we do, it will revoke certificates of deleted users and prevent them from getting in.
I opened a ticket to add the stricter auth setting as an option: http://redmine.pfsense.org/issues/887
Not sure when it will go in, but it shouldn't take too long.
-
Great! You do fantastic work!! 8)
-
Very eager to see this feature implemented!! We would definitely make heavy use of it.
-
Just checking in on this feature, I'm chomping at the bit for it… ;)
Possible ETA of implementation?
-
No ETA, just that it will happen before 2.0.
If a commercial support subscriber were to request it be done with some of their support time, or if a suitable bounty was offered, it might speed things up, but as-is it will happen when time allows. Updates will happen on the ticket when any progress is made.
-
Fair enough! Thanks again.
-
I just checked in the last bits of code to do this in the GUI. The next snapshot should include this option.
When you are in SSL/TLS + User Auth mode, a checkbox will show up to enable the strict username/CN matching.
-
Yep, I just updated and checked this, works like a charm. Thanks a million!
-
Great!!! ;D Thank you so much…