[I am not subscribed to this list; please kindly copy me on any answer]

Hi,

I believe I have found a bug in pfsense. I am reporting it here per
https://doc.pfsense.org/index.php/Bug_reporting
Please let me know if this is the wrong channel.

There seems to be an issue in pfsense's custom certificate depth
verification for OpenVPN connections. When long certificate subjects are
used, the validation fails. Here is how to repro:

Create three certificates with subjects:

 A) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=[email protected], CN=myvpn.mylongsubdomainname.mylongdomainname.com
 B) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=[email protected], CN=myclient.mylongsubdomainname.mylongdomainname.com
 C) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=[email protected], CN=myclient2.mylongsubdomainname.mylongdomainname.com

Create a vpn server using certificate A, turn on depth validation, and try
to authenticate with clients using certificates B and C. Certificate B will
be recognized by the server, but certificate C won't.
If depth validation is turned off, both certificates will be recognized
correctly.

I have tracked this down to a failure to
execute /usr/local/sbin/ovpn_auth_verify. My intuition (not verified) is
that /usr/local/sbin/fcgicli doesn't like it when the url parameters are
too long. But here, "long" is less than 250 chars, which is a pretty low
limit.

Thanks

David Durrleman
Co-founder & CTO
SHIFT TECHNOLOGY

www.shift-technology.com
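The report's hypothesis is that the certificate subject is handed to fcgicli as a URL parameter and that the call fails once that parameter is "too long", with the observed threshold somewhere below 250 characters. A check worth doing before filing or triaging such a report is to measure the subject both raw and after percent-encoding, since the encoded form is what a CGI-style interface actually carries and it is noticeably longer than the DN printed by OpenSSL. The script below is an added example, not code from the report or from pfSense; the three subjects are constructed to match the report (with a placeholder e-mail address), the `quote_plus` encoding is an assumption about how the parameter is sent, and the 250-character limit is the reporter's rough observation, not a documented fcgicli limit.

```python
"""Measure how long an X.509 subject DN becomes once it is sent as a
URL-encoded parameter.  Added example; assumptions are marked as such."""
from urllib.parse import quote_plus

# Constructed sample subjects modelled on the bug report.
# The e-mail address is a placeholder, not one from the report.
SUBJECTS = {
    "A": "C=US, ST=New York, L=New York City, O=Acme Inc, "
         "emailAddress=admin@example.com, "
         "CN=myvpn.mylongsubdomainname.mylongdomainname.com",
    "B": "C=US, ST=New York, L=New York City, O=Acme Inc, "
         "emailAddress=admin@example.com, "
         "CN=myclient.mylongsubdomainname.mylongdomainname.com",
    "C": "C=US, ST=New York, L=New York City, O=Acme Inc, "
         "emailAddress=admin@example.com, "
         "CN=myclient2.mylongsubdomainname.mylongdomainname.com",
}

# Assumed threshold taken from the report ("less than 250 chars");
# it is not a documented limit of fcgicli.
ASSUMED_LIMIT = 250


def parse_dn(dn):
    """Split a comma-separated, OpenSSL-style subject into (attr, value) pairs.

    Simplified: it does not handle backslash-escaped commas inside values.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr, value))
    return rdns


def encoded_length(dn):
    """Length of the DN after application/x-www-form-urlencoded encoding
    (assumption: this is how the parameter reaches the CGI side).
    Spaces become '+', while ',', '=' and '@' expand to three characters."""
    return len(quote_plus(dn))


def dn_report(dn, limit=ASSUMED_LIMIT):
    """Summarise raw vs. encoded size and whether the encoded form exceeds
    the assumed limit.  Also returns the CN so callers can see which
    certificate a row belongs to."""
    rdns = parse_dn(dn)
    cn = dict(rdns).get("CN", "")
    enc = encoded_length(dn)
    return {
        "cn": cn,
        "rdn_count": len(rdns),
        "raw_len": len(dn),
        "encoded_len": enc,
        "growth": enc - len(dn),
        "over_limit": enc > limit,
    }


if __name__ == "__main__":
    for label, dn in SUBJECTS.items():
        r = dn_report(dn)
        print("%s: CN=%s raw=%d encoded=%d (+%d) over_limit=%s"
              % (label, r["cn"], r["raw_len"], r["encoded_len"],
                 r["growth"], r["over_limit"]))
```

Run stand-alone it prints one row per certificate. The useful observation is that the encoded subject grows by two characters for every comma, equals sign and `@` in the DN, so the difference between the working client B and the failing client C is a single character in the CN, which is exactly what a hard buffer or parameter-length cut-off would look like from the outside. Measuring against the real subject strings of a deployment (with `openssl x509 -noout -subject`) is the quickest way to see whether a given certificate sits near whatever limit applies.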
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
