Logs Filling with openvpn: Found certificate…
-
In our OpenVPN section of the system logs, the message:
openvpn: Found certificate /C=US/ST=***/L=***/O=***/emailAddress=IT@virticus.com***/CN=openvpn-ca with depth 1
or one similar for our other certificates is appearing every 5-10 minutes. I don't recall this happening before the update we did last week to 2.0.1. Anyone know what would cause this?
-
Does it have something to do with this?
Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
Notes for certificate generation vulnerability
Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates. These certificates can be used as a certificate authority, meaning a user can use their own certificate to create chained certificates. We have defaulted OpenVPN on 2.0.1 and newer versions to not accept chained certificates, which mitigates this. However, if untrusted users have certificates generated from 2.0 release, we suggest re-generating all your certificates and issuing new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected.
See release notes if this seems related.
-
Ah, I think that was it. I found a setting in the OpenVPN server settings called Certificate Depth. With that set to Do Not Check, those log entries have stopped appearing.
-
Actually that message is a bit of debug info that was left in there by accident. If you edit /etc/inc/openvpn.tls-verify.php and remove or comment out the line that prints that message, it will go away. It's harmless, but if you have a very busy server I could see it being annoying.
https://github.com/bsdperimeter/pfsense/commit/aa291f197a71383b41ed2b54cc5177d143e70ab2
-
Oh, thanks. Will turning off the certificate check cause any issues down the road? I haven't noticed any problems and since the message is gone, I won't worry about it if it doesn't affect anything I care about.
-
That commit didn't disable any checks, it just stops that line from logging.
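As an added example (not pfSense's openvpn.tls-verify.php and not the code in the linked commit), here is a minimal OpenVPN --tls-verify hook that does the two things the thread separates: it enforces the certificate-depth limit that mitigates the chained-certificate issue quoted from the CVE-2011-4197 release notes, and it keeps the "Found certificate ... with depth N" line as optional debug output so that silencing the message and disabling the check are visibly independent. OpenVPN runs a --tls-verify command once per certificate in the peer's chain with two arguments, the depth and the X.509 subject, and a non-zero exit rejects the connection; the MAX_CERT_DEPTH and TLS_VERIFY_DEBUG variable names and the sample subjects are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not pfSense's openvpn.tls-verify.php and not the linked commit.
# A minimal OpenVPN --tls-verify hook that enforces a maximum certificate
# chain depth, the mitigation the thread ties to CVE-2011-4197 (chained
# certificates minted from a non-CA certificate).
#
# OpenVPN calls the hook once per certificate in the peer's chain:
#   $1 = depth (0 = the peer's own certificate, 1 = its issuer, ...)
#   $2 = X.509 subject string
# A non-zero exit status makes OpenVPN reject the connection.

# Deepest certificate accepted. 1 means "client cert plus the CA that signed
# it" (the "depth 1" seen in the thread's log line); anything deeper means an
# intermediate sits in the chain. Variable name is an assumption for this example.
MAX_CERT_DEPTH="${MAX_CERT_DEPTH:-1}"

# Set to 1 to emit the "Found certificate ..." line the thread complains about.
# It is informational only and never influences the verdict (assumed name).
TLS_VERIFY_DEBUG="${TLS_VERIFY_DEBUG:-0}"

# log_found_certificate DEPTH SUBJECT -> prints the debug line only when enabled
log_found_certificate() {
    [ "$TLS_VERIFY_DEBUG" = "1" ] || return 0
    printf 'openvpn: Found certificate %s with depth %s\n' "$2" "$1" >&2
}

# check_depth DEPTH MAX -> exit 0 (accept) when DEPTH is a non-negative integer
# not exceeding MAX, exit 1 (reject) otherwise. Anything that is not a plain
# integer is rejected so a malformed argument can never pass as depth 0.
check_depth() {
    depth="$1"
    max="$2"
    case "$depth" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$depth" -le "$max" ]
}

# verify_cert DEPTH SUBJECT -> the hook's verdict for one certificate
verify_cert() {
    log_found_certificate "$1" "$2"
    if check_depth "$1" "$MAX_CERT_DEPTH"; then
        return 0
    fi
    printf 'openvpn: rejecting %s: depth %s exceeds maximum %s\n' \
        "$2" "$1" "$MAX_CERT_DEPTH" >&2
    return 1
}

# When invoked by OpenVPN (exactly two arguments), act as the hook.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2"
    exit $?
fi
```

Wired in with `tls-verify /path/to/this-script.sh` (plus `script-security 2`) in the server config, a client presenting a certificate signed by a user-minted intermediate would show up at depth 2 and be rejected, while the directly-signed client and its CA at depths 0 and 1 pass; setting TLS_VERIFY_DEBUG=0 removes the log line without touching that decision.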