    OpenVPN (SSL/TLS + User Auth.) strange login behavior

    Forum: 2.0-RC Snapshot Feedback and Problems - RETIRED
    • REDHELL

      Hello @ll

      I'm using 2.0-BETA4 (amd64) built on Thu Sep 9 04:14:56 UTC 2010. I have some problems with OpenVPN.
      I made a new server with mode SSL/TLS + User Auth. I can connect with a generated user with user certificate without any problems. If I now create an additional user, even without any user certificate in the user manager, I'm able to log in with this user too.
      Why can I successfully log in without a corresponding user certificate? Shouldn't it check all credentials (ssl + user + pass)? Is it possible to extend the login script to check everything?

      thanks  ::)

    • jimp (Rebel Alliance Developer, Netgate)

        That is the current intended behavior, the cn of the certificate isn't checked for authentication.

        That could be changed, though. It seems that the openvpn auth script should allow us to check if the cn of the certificate matches the username given.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    • REDHELL

          Thanks for the information.

          Do you think to change that in the near future?
          I made some other tests. I was able to log in with a certificate of a deleted user and the credentials of an existing user. I think this could be a security issue?

          Thank you!

    • jimp (Rebel Alliance Developer, Netgate)

            We don't yet have a CRL GUI (I'm working on that right now) - once we do, it will revoke certificates of deleted users and prevent them from getting in.

            I opened a ticket to add the more strict auth setting as an option: http://redmine.pfsense.org/issues/887

            Not sure when it will go in, but it shouldn't take too long.

    • REDHELL

      Great! You do fantastic work!!  8)

    • bubble1975

                Very eager to see this feature implemented!!  We would definitely make heavy use of it.

    • bubble1975

                  Just checking in on this feature, I'm chomping at the bit for it…  ;)

                  Possible ETA of implementation?

    • jimp (Rebel Alliance Developer, Netgate)

                    No ETA, just that it will happen before 2.0.

                    If a commercial support subscriber were to request it be done with some of their support time, or if a suitable bounty was offered, it might speed things up, but as-is it will happen when time allows. Updates will happen on the ticket when any progress is made.

    • bubble1975

                      Fair enough!  Thanks again.

    • jimp (Rebel Alliance Developer, Netgate)

                        I just checked in the last bits of code to do this in the GUI. The next snapshot should include this option.

                        When you are in SSL/TLS+User Auth mode, a checkbox will show up to enable the strict username/cn matching.

    • bubble1975
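The strict username/CN check that jimp describes above (the behaviour behind ticket #887 and the checkbox in SSL/TLS+User Auth mode), as an added example that is not pfSense's own auth script: a POSIX sh hook for OpenVPN's auth-user-pass-verify in via-env mode, which exports the submitted username as $username and the CN of the already-validated client certificate as $common_name. It assumes the password itself was already verified by the existing backend; the active-user list file and its path are assumptions standing in for the CRL that was not yet available.

```shell
#!/bin/sh
# OpenVPN auth-user-pass-verify hook (via-env mode): exit 0 accepts, 1 rejects.
# Password verification is assumed to have happened already (e.g. in the
# existing pfSense auth backend); this hook only adds the strict matching.

# Strict check: the submitted username must be non-empty and identical
# (byte-for-byte, case-sensitive, a choice made for this example) to the
# certificate CN. This rejects the case from the thread where user A's valid
# certificate is presented together with user B's username and password.
cn_matches_username() {
    _user="$1"
    _cn="$2"
    [ -n "$_user" ] && [ -n "$_cn" ] && [ "$_user" = "$_cn" ]
}

# Second problem from the thread: a certificate of a deleted user still
# validates until a CRL revokes it. Until then, an allow-list of currently
# existing usernames (assumed file, one username per line) can stand in.
cn_is_active_user() {
    _cn="$1"
    _userfile="$2"
    [ -f "$_userfile" ] && grep -qxF -- "$_cn" "$_userfile"
}

# Combined decision: args are username, common_name, path to the user list.
# Returns 0 to accept, 1 to reject; the reason is logged to stderr only.
openvpn_verify() {
    cn_matches_username "$1" "$2" || {
        echo "REJECT: certificate CN '$2' does not match username '$1'" >&2
        return 1
    }
    cn_is_active_user "$2" "$3" || {
        echo "REJECT: certificate CN '$2' is not an active user" >&2
        return 1
    }
    return 0
}

# When invoked by OpenVPN the environment variables are present; run the
# check and exit with its result. When sourced for testing, do nothing.
if [ -n "${username:-}" ] && [ -n "${common_name:-}" ]; then
    openvpn_verify "$username" "$common_name" \
        "${OVPN_ACTIVE_USERS:-/etc/openvpn/active-users}"   # assumed path
    exit $?
fi
```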

                          Yep, I just updated and checked this, works like a charm.  Thanks a million!

    • REDHELL

                            Great!!!  ;D thank you so much…

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.