Core: OpenVPN client can't connect if server's cert revocation list is enabled

Created on 3 Feb 2017 · 5 Comments · Source: opnsense/core

Can't connect to the OpenVPN server as soon as I enable the OpenVPN server's "Peer Certificate Revocation List".
Without revocation list enabled, client can connect (P2P ssl/tls server).

Opnsense server side complains:

CRL: cannot read CRL from file /var/etc/openvpn/server8.crl-verify
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

This server8.crl-verify file is on the server, but it's 0 bytes, along with the other serverX.crl-verify files.

ls -al /var/etc/openvpn/ | grep verify
-rw-r--r-- 1 root wheel 0 Feb 3 16:49 server1.crl-verify
-rw-r--r-- 1 root wheel 0 Feb 3 16:49 server2.crl-verify
-rw-r--r-- 1 root wheel 0 Feb 3 16:49 server3.crl-verify
-rw------- 1 root wheel 0 Feb 3 17:00 server4.crl-verify
-rw-r--r-- 1 root wheel 0 Feb 3 16:49 server5.crl-verify
-rw-r--r-- 1 root wheel 0 Feb 3 16:49 server6.crl-verify
-rw------- 1 root wheel 0 Feb 3 16:59 server7.crl-verify
-rw-r--r-- 1 root wheel 0 Feb 3 17:03 server8.crl-verify

server4.crl-verify and server7.crl-verify, the files with different permissions, are the P2P ssl/tls servers' files.

Checked on my old _pfsense_ box; those verify files contain a cert:
-----BEGIN X509 CRL-----
cert data
-----END X509 CRL-----

Shouldn't those certs be present on OPNsense too?

Running Opnsense 17.1

bug

All 5 comments

Seeing this behavior here too after the upgrade to 17.1. Was running fine on 16.7.14.

OpenVPN Server Log from the OPNsense instance:

CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

And a file listing of the CRL:

~ # ll /var/etc/openvpn/ | grep verify
-rw-------  1 root  wheel     0 Feb  8 22:19 server1.crl-verify

Clients can connect, when I disable the "Peer Certificate Revocation List" in the OpenVPN Server settings.

There was this issue in the unmaintained, 10-year-old CRL additions of the PHP OpenSSL module, which stopped working (as they should have a long time ago) in PHP 7.0:

https://github.com/opnsense/ports/commit/0eb5e27467

17.1.1 should be good. Released later today.

Cheers,
Franco

I had the same issue today on:

OPNsense 18.1.6-amd64
FreeBSD 11.1-RELEASE-p9
OpenSSL 1.0.2o 27 Mar 2018

@dzikus ... how did you solve it?

@byazit by disabling cert revocation.

It was my fault, because the "Next Update" in the CRL had expired.
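Both failure modes in this thread (a 0-byte serverX.crl-verify file, and a CRL whose Next Update has passed) are visible before any client tries to connect. The following is an added example, not OPNsense or OpenVPN code: a small self-contained checker that classifies a crl-verify file as empty, unparseable, expired or ok. It parses the PEM X.509 CRL with a minimal DER reader from the standard library only, so it runs on a firewall without extra packages; it does not verify the CRL signature. The sample CRL it builds is constructed for the demonstration (dummy signature, issuer "Example CA"), and the filename check_crl.py in the usage note is an assumption.

```python
"""Classify OpenVPN CRL files (e.g. /var/etc/openvpn/serverX.crl-verify).

Added example, not OPNsense code. Checks that a file is non-empty, parses as a
PEM X.509 CRL, and that its Next Update has not passed. No signature check.
"""
import base64
import binascii
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_children(value):
    """Split the content of a SEQUENCE/SET into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s   # RFC 5280 two-digit year rule
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_crl(pem_text):
    """Return thisUpdate, nextUpdate (or None) and revoked-entry count of a PEM CRL."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM X509 CRL block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList is not a SEQUENCE")
    tbs_tag, tbs, _ = read_tlv(body, 0)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertList is not a SEQUENCE")
    fields = read_children(tbs)
    if fields[0][0] == 0x02:                # optional version INTEGER
        fields = fields[1:]
    # fields: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], [revoked], ...
    this_update = parse_time(*fields[2])
    next_update, revoked, rest = None, 0, fields[3:]
    if rest and rest[0][0] in (0x17, 0x18):
        next_update = parse_time(*rest[0])
        rest = rest[1:]
    if rest and rest[0][0] == 0x30:
        revoked = len(read_children(rest[0][1]))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}


def check_crl_text(text, now=None):
    """Classify a CRL file's contents: empty / unparseable / expired / ok."""
    now = now or datetime.now(timezone.utc)
    if not text.strip():
        return "empty"                      # the 0-byte serverX.crl-verify case
    try:
        info = parse_crl(text)
    except (ValueError, IndexError, UnicodeDecodeError, binascii.Error):
        return "unparseable"
    if info["next_update"] is not None and info["next_update"] < now:
        return "expired"                    # the expired "Next Update" case
    return "ok"


def check_crl_file(path, now=None):
    try:
        with open(path) as f:
            return check_crl_text(f.read(), now)
    except FileNotFoundError:
        return "missing"


def der(tag, content):
    """Encode one DER element (short and two-byte long-form lengths suffice here)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def build_sample_crl_pem():
    """Constructed sample CRL: issuer CN=Example CA, valid 2024-01-01 to 2024-02-01,
    one revoked serial (16), dummy signature. Parse-only test data, not a real CRL."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"Example CA"))))
    revoked = der(0x30, der(0x30, der(0x02, b"\x10") + der(0x17, b"240115000000Z")))
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer
              + der(0x17, b"240101000000Z") + der(0x17, b"240201000000Z") + revoked)
    crl = der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
    b64 = base64.encodebytes(crl).decode("ascii")
    return "-----BEGIN X509 CRL-----\n" + b64 + "-----END X509 CRL-----\n"


if __name__ == "__main__":
    import glob, sys
    paths = sys.argv[1:] or sorted(glob.glob("/var/etc/openvpn/*.crl-verify"))
    for p in paths:
        print(p, check_crl_file(p))
```

Run it on the firewall (python3 assumed present) as `python3 check_crl.py /var/etc/openvpn/server8.crl-verify`, or with no arguments to walk every crl-verify file under /var/etc/openvpn/. Any result other than "ok" is the reason the "CRL: cannot read CRL from file" line shows up in the OpenVPN log; an "expired" result is worth alerting on, because OpenVPN rejects every client once Next Update passes, which looks identical to a revoked certificate from the client side.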
