OpenVPN + wrong CRL shown - revoking Certs doesn't work in all cases



  • Hi,

    I created a CA, some certs and I set up an OpenVPN server. Everything works fine.
    In the OpenVPN server config I added a "Certificate Revocation List" which I created before.
    I could add a certificate there which I wish to revoke, and this works. The client couldn't reconnect anymore and the OpenVPN syslog tells me

    openvpn[54799]: 12.13.14.15:55958 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    

    Fine.

    Now I cancelled the revocation of this certificate, but the client couldn't reconnect. The system log output is the same as above. I tried restarting the OpenVPN server but no success.

    Further, if the CRL is empty, then there isn't an "edit" button to add other certificates. This happens after creating a CRL for the first time, adding a cert to revoke and cancelling the revocation: then there is no edit button.

    My third problem is that the OpenVPN server config shows me old CRLs which do not exist anymore.

    I attached three pictures, please let me know if you need more information or if I am wrong in some understanding of OpenVPN CRLs.






  • Rebel Alliance Developer Netgate

    Are those old CRLs from CAs you have deleted?

    I suppose having a CRL there that had no certificates is what made it think it was imported. I'll have to re-check the code and see if there is another way that can happen. It doesn't let you edit in that case because you can't edit an imported CRL.

    The problem is that you are working around an almost empty CRL… if you were adding or deleting a second certificate (or a third, fourth, etc) you probably wouldn't be seeing that same behavior.



  • @jimp:

    Are those old CRLs from CAs you have deleted?

    Could be possible. I did some testing with the Cert Manager in the past, creating, deleting and so on. Several new installations, sometimes with default settings, sometimes with a backed-up config.xml.
    I'm not sure at all, but I don't think I have deleted a CA in this config.xml file…

    I suppose having a CRL there that had no certificates is what made it think it was imported. I'll have to re-check the code and see if there is another way that can happen. It doesn't let you edit in that case because you can't edit an imported CRL.

    The problem is that you are working around an almost empty CRL… if you were adding or deleting a second certificate (or a third, fourth, etc) you probably wouldn't be seeing that same behavior.

    Ok, this makes sense. Perhaps I will create a "fake" certificate and add it as revoked to the CRL so that I can edit it for future purposes.
    Perhaps you could write a script which creates a fake cert when building a CRL but which is not visible in the GUI!?

    But why couldn't I reconnect to the OpenVPN server after I cancelled the certificate revocation?

    Thanks a lot!


  • Rebel Alliance Developer Netgate

    Not sure why you couldn't connect offhand. I had disabled selecting CRLs with no certificates revoked before, OpenVPN may not like a blank CRL.

    I just made a bunch of various cert/CRL fixes this afternoon, try a snapshot from tomorrow morning and see if you have any better luck.



  • Thank you very much.
    I hope I can do some tests, too, with an additional certificate left in the CRL.


  • Rebel Alliance Developer Netgate

    You'll have to clean out the old/invalid CRLs from your config by hand though, the new code wouldn't allow them to still exist but I don't want to delete them automatically.



  • Ok, will try this tomorrow.

    Did a quick test now before I go to bed:

    Created a new certificate, a new CRL and revoked a cert, restarted my openvpn server two times but could still connect.

    I attached you 4 screenshots.










  • I am having the same problem.

    running:
    2.0-RC1 (i386)
    built on Fri May 6 10:38:23 EDT 2011


  • Rebel Alliance Developer Netgate

    So now you're saying that when you make a CRL and you revoke a cert, nobody can connect? Is the service even running (check Status > Services)? Does the crl-verify file in /var/etc/openvpn/ for that instance have anything in it?



  • Hi,

    1.) I didn't find time to test all scenarios, but with the snapshot from May 7th there is an "edit" button for the CRL with no certs in it. Great!

    2.) After editing the config.xml and deleting the "empty" CRL, the blank entry in the OpenVPN server CRL pull-down menu disappeared. Great!

    Now I'm having another problem:
    My CA is "HPA-CA". I created a new CRL called "MYCRL" and added this CRL to the OpenVPN server config.
    After doing this, the OpenVPN server restarts and there are no unusual entries in the syslog or the OpenVPN syslog.

    But after doing this, I cannot connect to this OpenVPN server. No error log on pfSense, and this is the only thing on the Windows OpenVPN client:

    Sun May 08 23:00:41 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
    Sun May 08 23:00:41 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sun May 08 23:00:41 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Sun May 08 23:00:41 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sun May 08 23:00:41 2011 Control Channel Authentication: using 'pfsense1-UDP-1194-tls-RBS.key' as a OpenVPN static key file
    Sun May 08 23:00:41 2011 LZO compression initialized
    Sun May 08 23:00:41 2011 UDPv4 link local (bound): [undef]:1194
    Sun May 08 23:00:41 2011 UDPv4 link remote: 11.12.13.14:1194
    

    This is repeating every time the keepalive time is over.
    If I delete the CRL "MYCRL" in the OpenVPN server config I can reconnect.

    Further:
    Why does the OpenVPN server config display two CRLs: "HPA-CA", which isn't a list, just the name of my CA, and then the correct CRL called "MYCRL"?

    Thanks in advance!





  • Rebel Alliance Developer Netgate

    Not sure why it wouldn't connect - it would help to know if you have any certificates revoked in that CRL, and either way it would help to know if /var/etc/openvpn/server<x>.crl-verify contained anything (where <x> is whatever this instance is).

    As for that extra CRL entry, it may still be a side effect from hand editing your config, or something else that needs cleaning up.



  • Hi,

    like I said in my previous post:
    I created a new CRL and a new certificate. Then I revoked this certificate and then cancelled the revocation - just to see if the CRL is empty but with an edit button.
    Now the CRL is empty - no revoked certificates in it.

    The server2.crl-verify file is empty.

    --edit--

    These are the only two blocks with <crl> in my config.xml:

    ```xml
    <crl>
        <refid>4d401a4cb674f</refid>
        <caref>4d4018ea7d5dd</caref>
        <serial>10000</serial>
        <lifetime>9999</lifetime>
        <text>xxXXxxXXxx</text>
    </crl>
    <crl>
        <refid>4dc7030fca8f5</refid>
        <caref>4d445bf7f2a0c</caref>
        <serial>9999</serial>
        <lifetime>9999</lifetime>
    </crl>
    ```

  • Rebel Alliance Developer Netgate

    That top one is probably from a CA you deleted before (note the caref doesn't match)

    OpenVPN may not like a zero-byte CRL. I'll have to poke at it some more.
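The "caref doesn't match" diagnosis above is something you can check mechanically before hand-editing config.xml. The script below is an added example, not pfSense code: it walks every `<crl>` in a config.xml, resolves its `<caref>` against the `<ca><refid>` entries, counts the `<cert>` children (the revoked entries, as pfSense nests them; that layout is assumed here since the posted blocks show none) and notes whether a `<text>` blob is present. The sample config.xml is constructed from the two `<crl>` blocks posted in this thread plus an assumed `<ca>` block for "HPA-CA" and an assumed third CRL named "MYCRL" with one revoked cert "test"; the refids of those two assumed blocks are made up.

```shell
#!/bin/sh
# Added example, not pfSense's code: report stale / orphaned <crl> entries in
# a pfSense config.xml. Sample input is constructed (see lead-in).
set -eu

audit_crls() {  # $1 = config.xml; prints: refid <TAB> descr <TAB> text=yes|no <TAB> status
    awk 'BEGIN { RS = "<" }          # one record per tag: "name>text-after-it"
    {
        i = index($0, ">"); if (i == 0) next
        tag = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t\r\n]+/, "", val); gsub(/[ \t\r\n]+$/, "", val)
        if      (tag == "ca")   in_ca = 1
        else if (tag == "/ca")  in_ca = 0
        else if (tag == "crl")  { in_crl = 1; n++; certs[n] = 0; text[n] = "no"; descr[n] = "-" }
        else if (tag == "/crl") in_crl = 0
        else if (tag == "cert" && in_crl)  { in_cert = 1; certs[n]++ }   # a revoked entry
        else if (tag == "/cert" && in_crl) in_cert = 0
        else if (in_ca && tag == "refid")  ca[val] = 1                   # known CA ids
        else if (in_crl && !in_cert) {       # fields of the <crl> itself, not of a nested <cert>
            if      (tag == "refid") id[n] = val
            else if (tag == "caref") caref[n] = val
            else if (tag == "descr") descr[n] = val
            else if (tag == "text")  text[n] = "yes"
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            if (!(caref[k] in ca))  st = "ORPHAN (caref " caref[k] " matches no <ca>)"
            else if (certs[k] == 0) st = "ok, nothing revoked"
            else                    st = "ok, " certs[k] " revoked"
            printf "%s\t%s\ttext=%s\t%s\n", id[k], descr[k], text[k], st
        }
    }' "$1"
}
orphan_crls() { audit_crls "$1" | awk -F"\t" '$4 ~ /^ORPHAN/ { print $1 }'; }
crl_status()  { audit_crls "$1" | awk -F"\t" -v r="$2" '$1 == r { print $4 }'; }

# Constructed sample: the two <crl> blocks from the thread, an assumed <ca>
# (HPA-CA, refid taken from the second block's caref) and an assumed third
# CRL "MYCRL" holding one revoked cert "test" (refids 4e1a... are invented).
CFG="$(mktemp)"; trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <ca>
    <refid>4d445bf7f2a0c</refid>
    <descr>HPA-CA</descr>
    <crt>(omitted)</crt>
  </ca>
  <crl><refid>4d401a4cb674f</refid>
    <caref>4d4018ea7d5dd</caref>
    <serial>10000</serial>
    <lifetime>9999</lifetime>
    <text>xxXXxxXXxx</text></crl>
  <crl><refid>4dc7030fca8f5</refid>
    <caref>4d445bf7f2a0c</caref>
    <serial>9999</serial>
    <lifetime>9999</lifetime></crl>
  <crl><refid>4e1a0000aaaaa</refid>
    <caref>4d445bf7f2a0c</caref>
    <descr>MYCRL</descr>
    <cert><refid>4e1a0000bbbbb</refid><caref>4d445bf7f2a0c</caref>
      <descr>test</descr><reason>0</reason></cert>
    <text>xxXXxxXXxx</text></crl>
</pfsense>
EOF

audit_crls "$CFG"
```

Run it against a backup of /conf/config.xml (never the live file) and remove the `<crl>` blocks reported as ORPHAN; those are exactly the dropdown entries for CAs that no longer exist. The tag-per-record awk trick is enough for pfSense's flat, machine-written XML but is not a general XML parser.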



  • I will try to do a complete fresh install of my pfsense to be sure to have no old code fragments in my config.


  • Rebel Alliance Developer Netgate

    I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.



  • Thanks jimp,

    I hope I will find some time on weekend to test this.



  • @jimp:

    I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.

    Good news jimp !
    Does that mean we can update our pfsense ?


  • Rebel Alliance Developer Netgate

    It should be in snapshots by now.



    Great, I'll try it tomorrow or next week and I'll tell you!



  • Hi,

    I did a test today with the CRL, but with no success. With the snapshot from today there isn't an empty server2.crl-verify anymore, but there is still the problem that I cannot connect to an OpenVPN server when I add a CRL there.

    I didn't find any time to do a complete reinstallation of my pfSense, so this could perhaps be the problem.



  • Hi jimp,

    bad news :(

    I did a complete fresh installation of pfsense and I am on 2.0-RC3 (amd64) built on Sun Jul 3 04:02:48 EDT 2011

    I created a new CA, created 2 certs (server + client) and configured a new OpenVPN server. I can only connect if I do not select any CRL in the OpenVPN server configuration.

    I opened another thread on Friday because I didn't remember this thread. Perhaps this will help you a little bit to resolve this error.
    http://forum.pfsense.org/index.php/topic,38466.0.html

    Thanks for your help!


  • Rebel Alliance Developer Netgate

    So if you revoke a certificate on the CRL, does it work? Does it still just not like an empty CRL? (Well, it's a valid CRL, just doesn't have any certificates revoked in it)



    I know what you mean - and - you are right.
    I created a new certificate and revoked it - so the CRL isn't empty anymore.
    And now I can connect with another certificate which isn't revoked.


  • Rebel Alliance Developer Netgate

    What if you then remove that certificate from the CRL so it's "empty" again?



  • @jimp:

    What if you then remove that certificate from the CRL so it's "empty" again?

    Sorry for my late reply.

    I created a new OpenVPN server, a server cert and two user certs. One for use and one for putting into the CRL.
    First try with the default empty CRL: FAILED
    second try with a revoked cert in the CRL: WORKED
    third try with cancelling the revocation and an empty CRL again: WORKED



  • I have also tested with an empty CRL today, and the OpenVPN entity stopped. I have not tested with entries in CRL.

    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.102.1 192.168.102.2 init
    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Exiting
    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 LZO compression initialized
    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Re-using SSL/TLS context

    2.0-RC3 (i386)
    built on Tue Jul 12 21:45:04 EDT 2011


  • Rebel Alliance Developer Netgate

    Is the CRL file it mentions empty (zero bytes) when it fails, or does it have something in it?



  • Yes, it seems to be 0 byte:

    -rw-------  1 root  wheel    0 Jul 13 16:27 server1.crl-verify
    -rw-------  1 root  wheel    0 Jul 13 09:04 server2.crl-verify

    BR,
    //Eskild


  • Rebel Alliance Developer Netgate

    That would be the problem then.

    I thought I had committed a fix for that before, I'll have to look into it again. Might be a couple days though.
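The diagnosis the thread converges on is a file-level one: a CRL that revokes nothing is still a signed, non-empty object, while the zero-byte server1.crl-verify listed above is not a CRL at all and trips "CRL: cannot read CRL from file". The script below is an added example, not pfSense's or OpenVPN's code; it reproduces both states with plain openssl, then walks the revoke / un-revoke cycle reported in the thread and checks the client certs the way `crl-verify` does (issuer chain plus CRL lookup). The CA name, the CNs "alice"/"bob", the scratch directory and the file name server1.crl-verify are assumed.

```shell
#!/bin/sh
# Added example, not pfSense's or OpenVPN's code. Reproduces with plain
# openssl the two states this thread keeps running into: a ZERO-BYTE file
# (what pfSense wrote out for a CRL with nothing revoked, and what OpenVPN
# refuses with "cannot read CRL from file") versus a VALID CRL WITH NO
# ENTRIES (a signed, non-empty object that loads fine). It then walks the
# revoke / un-revoke cycle and checks a client cert the way crl-verify does.
# CA name, CNs and file names are assumed.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"; CNF="$WORK/openssl.cnf"
CRL="$WORK/server1.crl-verify"   # assumed; mirrors the pfSense file name

setup_ca() {   # minimal "openssl ca" database plus a self-signed CA cert
    mkdir -p "$CA/newcerts"; : > "$CA/index.txt"
    echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
unique_subject = no
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CNF" -days 365 \
        -subj "/CN=Demo CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
}
issue_cert() {   # $1 = CN -> $WORK/$1.crt signed by the demo CA
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl ca -batch -config "$CNF" -notext -in "$WORK/$1.csr" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}
gen_crl() { openssl ca -config "$CNF" -gencrl -out "$CRL" >/dev/null 2>&1; }
revoke_cert() {  # mark $1 revoked in the CA database and re-issue the CRL
    openssl ca -config "$CNF" -revoke "$WORK/$1.crt" >/dev/null 2>&1; gen_crl
}
unrevoke_cert() {  # openssl has no "unrevoke": flip the index entry back to V
    s="$(openssl x509 -noout -serial -in "$WORK/$1.crt" | cut -d= -f2)"
    awk -F'\t' -v OFS='\t' -v s="$s" \
        '$1 == "R" && $4 == s { $1 = "V"; $3 = "" } { print }' \
        "$CA/index.txt" > "$CA/index.txt.new"
    mv "$CA/index.txt.new" "$CA/index.txt"; gen_crl
}
crl_loads() { openssl crl -noout -in "$1" >/dev/null 2>&1; }  # 0 = parses as a CRL
revoked_count() {  # entries in the CRL; "No Revoked Certificates." -> 0
    openssl crl -noout -text -in "$1" | grep -c 'Serial Number:' || true
}
cert_allowed() {  # the check crl-verify performs: chain + CRL; 0 = accepted
    openssl verify -CAfile "$CA/ca.crt" -CRLfile "$CRL" -crl_check \
        "$WORK/$1.crt" >/dev/null 2>&1
}
show() { if cert_allowed "$1"; then echo "$1: accepted"; else echo "$1: refused"; fi; }

setup_ca; issue_cert alice; issue_cert bob
: > "$CRL"                                    # 1. the broken state: 0 bytes
if crl_loads "$CRL"; then echo "zero-byte file loaded?!"; else echo "zero-byte file: not a CRL"; fi
gen_crl                                       # 2. valid CRL, nothing revoked
echo "no entries: $(wc -c < "$CRL") bytes, $(revoked_count "$CRL") revoked"; show bob
revoke_cert bob                               # 3. bob refused, alice unaffected
echo "after revoke: $(revoked_count "$CRL") revoked"; show bob; show alice
unrevoke_cert bob                             # 4. revocation cancelled
echo "after un-revoke: $(revoked_count "$CRL") revoked"; show bob
```

The quick check on a live box is the same one `crl_loads` performs: `openssl crl -noout -text -in /var/etc/openvpn/serverN.crl-verify`. If that errors, OpenVPN will too; if it prints "No Revoked Certificates." the file is fine and connections are supposed to succeed, which is the behaviour the fix restores.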


  • Rebel Alliance Developer Netgate

    Try it with these changes:

    https://github.com/bsdperimeter/pfsense/commit/2ce206b048e8496e84f732556219e18290c5481c

    (Or wait for a snapshot that includes those changes)



  • Thanks jimp,
    the CRL is no longer empty, and works as expected.



  • @eskild:

    Thanks jimp,
    the CRL is no longer empty, and works as expected.

    Did you try this with a newly created CRL which has no certificates revoked in it? (You remember, creating a CRL, revoking a cert, cancelling the revocation and then testing?)

    I am at home for some days now and it wouldn't be nice if I crash my OpenVPN and cannot access the machine anymore until I am back at work ;-)


  • Rebel Alliance Developer Netgate

    @Nachtfalke:

    Did you try this with a newly created CRL which has no certificates revoked in it? (You remember, creating a CRL, revoking a cert, cancelling the revocation and then testing?)

    I am at home for some days now and it wouldn't be nice if I crash my OpenVPN and cannot access the machine anymore until I am back at work ;-)

    I did, and the CRL is no longer empty even when it has no certificates in it.



  • Hi,

    I am using amd64 snapshot from 15 july.

    I know there were some fixes before this snapshot. I created a cert some days before this snapshot called "test". I revoked it with the corresponding CRL and it worked. Now I wanted to cancel the revocation and delete the cert "test" from the corresponding CRL. It couldn't be deleted. It still exists there if I delete it from "Certificates".

    If I create a new cert with the same CA and the same CN called "test", it appears again, as revoked. Then I am still not able to delete this cert from the CRL.





  • Rebel Alliance Developer Netgate

    So you click the "x" on the CRL view, and what happens? Nothing? An error? Something else?



  • There comes a question if I would like to delete the cert from the CRL. I click OK. Then the cert disappears from the list. If I click again on the "Certificate revocation" tab, then the cert is again in the crl.

    No visible error message.



  • Rebel Alliance Developer Netgate

    Should be OK now, I just pushed a fix.



  • Hi,

    I did some tests with 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011.

    Deleting revoked certs of a CRL is working now as expected.
    Allow and deny access is working as it should. I tested it several times with revoking a cert and then deleting the revocation.

    Thanks jimp!

