4. Expected behavior with OVPN users and certificates?

Expected behavior with OVPN users and certificates?

  • A

    We're currently in the process of creating new OpenVPN CAs and user certificates in response to the Heartbleed vulnerability and ran into some interesting behavior, which has left us wondering if it's normal or not.

    1. Users who have had their previous certificates unassigned or deleted (and left with no certificate) were still able to log in to OpenVPN
    2. Users who have had their previous certificates unassigned and placed into a CRL (but the CRL not applied to any OpenVPN server) were still able to log in.

    We were expecting the users with no assigned certificate to be unable to log in. This was eventually achieved by applying the CRL to the OpenVPN server. So is this expected behavior?

    0
  • Rebel Alliance Developer Netgate

    Those are both expected behaviors.

    #1 - It doesn't matter if pfSense has the user cert in its database. All that matters is that it's a valid certificate made against the right CA. Deleting the certificate does nothing from a security standpoint. At most it would break the export but that doesn't stop the existing client from working.

    #2 - Placing a certificate in a CRL does nothing special until that CRL is used by something (e.g. a specific OpenVPN server). You could revoke a cert from one server while letting it work in another one, provided both OpenVPN servers used different CRLs.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy