On Sat, Mar 7, 2015 at 2:32 PM, David Durrleman < [email protected]> wrote:
> [I am not subscribed to this list; please kindly copy me on any answer]
>
> Hi,
>
> I believe I have found a bug in pfSense. I am reporting it here per
> https://doc.pfsense.org/index.php/Bug_reporting
> Please let me know if this is the wrong channel.
>
> There seems to be an issue in pfSense's custom certificate depth
> verification for OpenVPN connections. When long certificate subjects are
> used, the validation fails. Here is how to repro:
>
> Create three certificates with subjects:
>
> A) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=[email protected], CN=*myvpn*.mylongsubdomainname.mylongdomainname.com
> B) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=[email protected], CN=*myclient*.mylongsubdomainname.mylongdomainname.com
> C) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=[email protected], CN=*myclient2*.mylongsubdomainname.mylongdomainname.com
>
> Create a VPN server using certificate A, turn on depth validation, and try
> to authenticate with clients using certificates B and C. Certificate B will
> be recognized by the server, but certificate C won't.
> If depth validation is turned off, both certificates will be recognized
> correctly.
>
> I have tracked this down to a failure to
> execute /usr/local/sbin/ovpn_auth_verify. My intuition (not verified) is
> that /usr/local/sbin/fcgicli doesn't like it when the URL parameters are
> too long. But here, "long" is less than 250 chars, which is a pretty low
> limit.
>
> Thanks
>
> *David Durrleman*
> Co-founder & CTO
> SHIFT TECHNOLOGY
>
> www.shift-technology.com
>

I suppose the only thing I would do after this, if you do not get responses, is post the bug here: https://redmine.pfsense.org/projects/pfsense
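For reference, the interface the report is exercising is OpenVPN's `--tls-verify` hook: OpenVPN runs the script once per certificate in the presented chain with two arguments, the depth (0 for the leaf, 1 for its issuer, and so on) and the X509 subject, and accepts the chain only if every call exits 0. The script below is an added example of such a hook that enforces a depth bound and a client CN allow-list entirely within the shell; it is not pfSense's ovpn_auth_verify and makes no claim about how that script or fcgicli behaves. The MAX_DEPTH and ALLOWED_CNS policy, the sample subjects, and the email address are constructed for the example; the subject layout assumes the comma-separated form OpenVPN 2.3 and later pass by default.

```sh
#!/bin/sh
# Added example, not pfSense's /usr/local/sbin/ovpn_auth_verify.
# Minimal OpenVPN --tls-verify hook. OpenVPN invokes it once per certificate
# in the chain as:   script <depth> <X509 subject>
# and accepts the chain only if every invocation exits 0. The subject arrives
# as a single argv element, so its length is not a concern for this script.

# Assumed policy (not from the report): deepest acceptable certificate, and
# the client CNs allowed to connect (space separated).
MAX_DEPTH="${MAX_DEPTH:-1}"
ALLOWED_CNS="${ALLOWED_CNS:-myclient.mylongsubdomainname.mylongdomainname.com myclient2.mylongsubdomainname.mylongdomainname.com}"

# tls_verify DEPTH SUBJECT  ->  exit status 0 = accept, 1 = reject
tls_verify() {
    depth="$1"
    subject="$2"

    # Depth must be a non-negative integer no greater than MAX_DEPTH.
    # Anything deeper (extra intermediates) is rejected.
    case "$depth" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$depth" -le "$MAX_DEPTH" ] || return 1

    # Identity is only checked on the leaf; issuers pass once depth is OK.
    [ "$depth" -eq 0 ] || return 0

    # Pull the CN out of the "C=US, ST=New York, ..., CN=host" form that
    # OpenVPN 2.3+ passes. A subject without a CN is rejected.
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] || return 1

    for allowed in $ALLOWED_CNS; do
        [ "$cn" = "$allowed" ] && return 0
    done
    return 1
}

# When OpenVPN invokes the script it passes exactly two arguments.
if [ "$#" -eq 2 ]; then
    tls_verify "$1" "$2"
    exit $?
fi
```

To wire it into a server config, point `tls-verify` at the script and allow external scripts with `script-security 2`; both are standard OpenVPN options. Because the check runs in the hook process itself, the subjects from the report (B and C) are treated identically regardless of their length.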
_______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
