Expected behavior with OVPN users and certificates?



  • We're currently in the process of creating new OpenVPN CAs and user certificates in response to the Heartbleed vulnerability and ran into some interesting behavior, which has left us wondering if it's normal or not.

    1. Users who have had their previous certificates unassigned or deleted (and left with no certificate) were still able to log in to OpenVPN
    2. Users who have had their previous certificates unassigned and placed into a CRL (but the CRL not applied to any OpenVPN server) were still able to log in.

    We were expecting the users with no assigned certificate to be unable to log in. This was eventually achieved by applying the CRL to the OpenVPN server. So is this expected behavior?


  • Rebel Alliance Developer Netgate

    Those are both expected behaviors.

    #1 - It doesn't matter if pfSense has the user cert in its database. All that matters is that it's a valid certificate made against the right CA. Deleting the certificate does nothing from a security standpoint. At most it would break the export but that doesn't stop the existing client from working.

    #2 - Placing a certificate in a CRL does nothing special until that CRL is used by something (e.g. a specific OpenVPN server). You could revoke a cert from one server while letting it work in another one, provided both OpenVPN servers used different CRLs.