Revoking user SSL certificate blocks all other users



  • Hi all

    Running 2.2.5-RELEASE on amd64.

    We have OpenVPN running in Remote Access (SSL/TLS) mode, and this morning I made the unwanted discovery that I cannot revoke a user certificate without locking out all other users.
    Certificates are issued off a stand-alone CA server for the sake of expedience (50+ users), with the CA cert and key installed on the firewall. A user left so I tried importing his certificate into pfSense in order to revoke it. The revocation appeared to be fine, but other users can no longer connect. If I back out the revocation all works again.

    In the logs I see:

    Jan 26 14:30:48 my.firewall openvpn[20657]: TCP connection established with [AF_INET]1.2.3.4:40731
    Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 Fatal TLS error (check_tls_errors_co), restarting
    Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 TLS Error: TLS handshake failed
    Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 TLS Error: TLS object -> incoming plaintext read error
    Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jan 26 14:30:40 my.firewall openvpn[20657]: TCP connection established with [AF_INET]1.2.3.4:45902

    I have seen https://forum.pfsense.org/index.php?topic=36414.0, which looks similar but involved a zero-length CRL file and that is not happening here.
    I've tried importing other user certificates (because there are so many we don't store them on the firewall) to see if that fixes it, but still no. I've also tried creating the CRL on the CA host and importing it as a new CRL for the VPN but that still fails to change the outcome; and, again, backing out the revocation immediately restores service.

    We don't have TLS packet authentication enabled, but that's the only thing I can see in the server config that might have any kind of bearing on what I'm seeing.

    Have I missed something really obvious?


  • Rebel Alliance Developer Netgate

    How exactly did you create your certificates?

    If you generated them all with the same serial number, that would explain why revoking one blocks them all. CRLs work by certificate serial, and if your certificate generation script or system did not give each certificate a unique serial number, then they all will be revoked if you revoke one of them.

    Look at the full cert details from a few of your certs and compare the serials.
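The point above is that a CRL matches on serial number and nothing else, so two certificates with different subjects but the same serial are indistinguishable to the revocation check. The script below is an added example, not code from the thread or from pfSense/OpenVPN: it builds a throwaway CA, issues three user certificates of which two share a serial (a constructed fault mirroring the suspected cause), builds a CRL revoking just one of them, and shows that the CRL also hits the other. It assumes the `cryptography` package is installed; the names and serial values are made up.

```python
"""Added example: why a CRL entry for one serial revokes every certificate
that shares that serial. Assumes `pip install cryptography`."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now, now + datetime.timedelta(days=365)


def make_ca():
    """Self-signed test CA (constructed; stands in for the stand-alone CA host)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start, end = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Example Test CA"))
        .issuer_name(_name("Example Test CA"))
        .public_key(key.public_key())
        .serial_number(1)
        .not_valid_before(start)
        .not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(ca_key, ca_cert, cn, serial):
    """Issue a user cert; the caller controls the serial so we can reproduce the
    'every cert got the same serial' mistake deliberately."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start, end = _validity()
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(start)
        .not_valid_after(end)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL listing the given serials; this is all a CRL carries per entry."""
    start, end = _validity()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(start)
        .next_update(end)
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(start)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def find_duplicate_serials(certs):
    """Map serial -> list of CNs for every serial used by more than one cert.
    Equivalent to comparing the 'serial=' lines from openssl x509 by hand."""
    by_serial = {}
    for cert in certs:
        by_serial.setdefault(cert.serial_number, []).append(_cn(cert))
    return {s: names for s, names in by_serial.items() if len(names) > 1}


def revoked_by(crl, certs):
    """CNs the CRL would reject. Like OpenVPN's CRL check, this looks only at
    the serial, never at the subject name."""
    revoked = {entry.serial_number for entry in crl}
    return sorted(_cn(c) for c in certs if c.serial_number in revoked)


def demo():
    ca_key, ca_cert = make_ca()
    users = [
        issue_user_cert(ca_key, ca_cert, "alice", 1000),
        issue_user_cert(ca_key, ca_cert, "bob", 1000),    # constructed fault: same serial as alice
        issue_user_cert(ca_key, ca_cert, "carol", 1001),
    ]
    # Revoke "bob" only, by his serial, as a CA would when a user leaves.
    crl = build_crl(ca_key, ca_cert, [users[1].serial_number])
    return find_duplicate_serials(users), revoked_by(crl, users)


if __name__ == "__main__":
    dups, hit = demo()
    print("duplicate serials:", dups)   # {1000: ['alice', 'bob']}
    print("rejected by CRL:", hit)       # ['alice', 'bob']
```

On a real CA or firewall the same comparison is a one-liner per file: `openssl x509 -noout -serial -in user.crt` prints the serial, and running it over the whole issued set and piping through `sort | uniq -d` surfaces any serial that appears more than once. If every user certificate shows the same serial, the fix is on the CA side (reissue with unique serials), not in pfSense's CRL handling.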