OpenVPN: Fix handling of CNs in Client Certificates #33
Open
ferstl wants to merge 7 commits into ipfire:master from ferstl:issue-10552
Conversation
This addresses Bugzilla issue #10552
OpenVPN client certificates were saved by regexing the 'CN=' string in the output
of '/usr/bin/openssl x509 -text -in <certificate>'. However, the output of this
command may not print the correct CN. For example, if the certificate's subject
contains an emailAddress attribute, it will be appended to the CN separated with
a slash ('/') character. There might also be some other edge cases with unusual
certificate names that cause the regex not to work correctly.
This change makes OpenSSL output the subject with each attribute on one line which
makes parsing the CN much easier and safer. The CN is now guaranteed to be on
exactly one line.
…tly saved CNs This addresses Bugzilla issue #10552 The regex that was used to extract the CN from the certificate subject extracted everything after the 'CN=' part which included possible other attributes in the subject, e.g. an emailAddress. This commit does mainly fix the regex. But since the same issue occurred when client certificates were saved, some compatibility code had to be added to still support previously and incorrectly saved certificates.
This addresses Bugzilla issue #10552 In case of incorrectly saved CNs (i.e. CNs containing additional attributes from the certificate subject), the connection status of the clients was always 'DISCONNECTED'. This commit fixes this issue by matching the client's CN with the entry in ovpnconfig.
This addresses Bugzilla issue #10552 The OpenSSL documentation [1] is pretty clear about how the subject is formatted in a multiline output. Thus, the regex to grep the CN can be made much stricter. [1] https://www.openssl.org/docs/apps/x509.html#NAME_OPTIONS
This addresses Bugzilla issue #10552 This commit contains some improvement in matching CNs while remaining compatible with possible incorrectly saved CNs in ovpnconfig.
This addresses Bugzilla issue #10552 The OpenSSL specification says 4 spaces at the beginning. So this should be part of the regular expression.
This addresses Bugzilla issue #10552 The previous solution to verify a client's CN was to construct a regular expression to match it against the entries in ovpnconfig. This must be avoided in order the client's CN is not guaranteed to be spoiled.
mtremer pushed a commit that referenced this pull request on Oct 22, 2021
- Update from 2.35 (2006) to 2.73 (2020)
- Update of rootfile
- Updated version of perl-GD required ExtUtils-PkgConfig for build. Separate patch to build that is part of this series
- Changelog
2.73 * allow --options override the libgd options. Not recommended.
See GH #33 and RT #130045
2.72 * fix CVE 2019-6977 colorMatch for older unpatched libgd versions.
This is a severe security problem, an exploitable heap-overflow.
See https://nvd.nist.gov/vuln/detail/CVE-2019-6977
2.71 * skip Test::Fork on freebsd (GH #25)
2.70 * fixes for hardened CCFLAGS with -Werror (RT #128167)
2.69 * little spelling error, GH #29 Xavier Guimard
2.68 * fix GD::Polygon->clear, RT #124463 Michael Cain
2.67 * fix thread-safety for GD::Simple %COLORS (#26 melak)
* fix arc start-angle docs, RT #123277 Andrew G Gray
* improve setBrush docs, RT #123194 Andrew G Gray
* improve StringFT docs, RT #123193
* replace MacOSX by darwin, and not by Mac OS X/macOS as suggested
in PR #24
* add GD::Image->_file method as suggested in RT #60488 by Kevin Ryde,
also the helper GD::supportsFileType
2.66 * throw proper error on newFrom* with not-existing file
* add t/transp.t from RT #40525
* Improve RT #54366 multiple gd.h warning
* better doc for GD::Simple->arc
* fix ANIMGIF with libgd 2.3.0-dev
2.65 * fix --gdlib_config_path to accept an argument (fperrad)
2.64 * Update doc for LIBGD_VERSION()
* Fix 5.6.2, which does not have float in its typemap
2.63 * renamed VERSION() to LIBGD_VERSION(), RT #121307.
It was treated magically by "use GD 2.18"
2.62 * fixed wrong <5.14 code generated with ExtUtils::Constants
RT #121297. Don't generate const-xs.inc, only when missing.
* add -liconv on hpux also (our pkgconfig parser cannot handle it)
2.61 * add CONFIGURE_REQUIRES META
* add --gdlib_config_path
* add Image Filters: scatter, pixelate, negate, grayscale, brightness,
contrast, color, selectiveBlur, edgeDetectQuick, gaussianBlur, emboss,
meanRemoval, smooth, copyGaussianBlurred
* add palette methods: createPaletteFromTrueColor,
neuQuant (but discouraged), colorMatch.
* add interpolation methods: copyScale, copyRotateInterpolated,
interpolationMethod.
* add double GD::VERSION
* add all gd.h constants
2.60 * add missing methods newFromWBMP, newFromXbm,
(RT #68784) and some missing docs
* Add --lib_fontconfig_path, --fcgi options
* rewrote most of the XS code
* cleanup Makefile.PL #20
2.59 * error on failing libgd calls
* fix colorClosestAlpha, colorAllocateAlpha
* add missing documentation
2.58 * fix VERSION_STRING for 2.0.x
* honor --lib_gd_path specific gdlib-config
* Loosen the comparison tests with GDIMAGETYPE ne gd2
* Improve gdlib-config parsing (PR #17), esp. with 2.0.34
2.57 * fix Jpeg magic number detection RT #26146
* fix RGB - HSV roundtrips: RT #120572 by J2N-FORGET
* fix -print-search-dirs errors RT #106265
* co-maint to rurban
* add hv_fetchs, CI smokers
* add GD::VERSION_STRING api
2.56_03 * add alpha method
* improve option handling
* fix meta data
2.56_02 * fix feature extraction >= 2.2 [RT #119459]
2.56_01 * rm Build.PL, fix permissions, fix for missing gdlib-config
2.56 * Fix Makefile.PL so that it works again.
2.55 * Great simplification of regression framework ought to fix make test problems.
* Replace ExtUtils::MakeMaker script with Module::Build system
(just in time for Module::Build to be deprecated).
* Remove archaic qd.pl (for creating QuickDraw picts) from distribution.
2.54 Patch from yurly@unet.net to fix image corruption in rotate180 when image height is odd.
2.53 Points to Gabor Szabo's GD::Simple tutorial, and fix link to repository.
2.52 Fix regression tests to run on Ubuntu 12.04 64bit.
2.51 Fix misleading warning message about location of gd.h file.
2.50 Fix gdUseFontConfig so that it can be called as a class method.
2.49 Add GitHub information to README.
2.48 Fix compile crash on windows and strawberry (https://rt.cpan.org/Public/Bug/Display.html?id=67990).
2.47 Fix compilation on older perl's without the Newxz macros.
2.46 Added a basic "use" test for GD::Simple
2.45 Clarified the GD license. There is now a formal LICENSE file in the package.
2.44 GD::Group now installed properly.
Quenched compiler warning caused by Newxs() calls.
2.43 Added "transparent" color to GD::Simple.
Fixed Makefile so that GD/Image.pm depends both on GD/Image.pm.PLS and .config.cache
2.42 Fixed magic number detection to autodetect certain missed jpeg files (thanks to Mike Walker)
2.41 Added backend support for grouping features in GD::SVG module.
2.40 ** Do not use - contains a bug **
2.39 Makefile.PL will refuse to run if the proper version of libgd is unavailable.
2.38 Fixed bizarre warning about /usr/include/gd.h != /usr/include/gd.h.
2.37 GD/Image.pm did not bring in croak() properly, meaning that incorrect error messages are printed out when any of the newFromXXX() calls are made.
2.36 Instructions on using gdAntiAliased with palette images.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
mtremer pushed a commit that referenced this pull request on Oct 28, 2025
- Update from version 1.88.0 to 1.89.0
- Update of rootfiles for all three architectures.
- Changelog
1.89.0
New Libraries
Bloom:
filters, from Joaquín M López Muñoz.
Updated Libraries
Any:
Initial support for C++20 Modules. See the docs for more info.
Asio:
Added allocator constructors to execution_context, io_context and
thread_pool, with the supplied allocator being used for allocating
objects associated with the execution context.
Added a new configuration parameter "timer" / "heap_reserve" that may
be used to reserve space in the vector used for a timer queue's heap.
Added a new configuration parameter "resolver" / "threads" that
specifies the number of internal threads used by async_resolve to
emulate asynchronous address resolution.
Removed deadline_timer, basic_deadline_timer and time_traits from the
convenience header boost/asio.hpp.
Ensured that the Windows named pipes created by connect_pipe use
unique names that do not conflict if Asio is used in multiple,
independent plug-in DLLs.
Changed BOOST_ASIO_CONCURRENCY_HINT_SAFE to be consistent with the
io_context default constructor.
Fixed the documentation for BOOST_ASIO_CONCURRENCY_HINT_UNSAFE_IO to
reflect that registration locking is still enabled.
Added separate b2 and cmake build targets for optional dependencies.
Added the [[noreturn]] attribute to
boost::asio::detail::throw_exception.
Fixed co_spawn to adhere to the asynchronous operation requirement
for non-reentrant invocation of the completion handler.
Added a documentation note on basic_signal_set async signal safety.
Fixed various minor compilation errors on different platforms.
Consult the Revision History for further details.
Atomic:
Added TSAN instrumentation in asm-based x86, AArch32, AArch64 and PPC
backends. This silences TSAN false errors for code using Boost.Atomic
for thread synchronization.
Following the announcement in Boost 1.84, removed support for Windows
versions older than Windows 10.
A note to MinGW-w64 users. Since Windows SDK headers on MinGW-w64
define _WIN32_WINNT to an older Windows version by default,
you may need to define _WIN32_WINNT=0x0A00 or
BOOST_USE_WINAPI_VERSION=0x0A00 when compiling Boost.Atomic
and the code that uses Boost.Atomic.
Support for Windows CE is deprecated and will be removed in a future
release.
Added support for timed waiting operations.
Exposed thread_pause operation, which can be used as a backoff
measure in spin loops. Added support for PowerPC and improved support for AArch64 in thread_pause.
Removed BOOST_ATOMIC_NO_ATOMIC_FLAG_INIT macro definition. Since the
library now requires C++11, BOOST_ATOMIC_FLAG_INIT is always supported.
Enabled bitwise operations for atomic enumerations. This can be
useful when enumerations are used to implement bit masks.
Beast:
Fixes
Conditionally defined immediate_executor_type in async_base.
Added missing cstdint header to detail/cpu_info.hpp.
Fixed std::is_trivial deprecation warnings.
handshake_timeout now applies to closing handshakes during reads.
Improvements
Replaced detail/work_guard.hpp with net::executor_work_guard.
Fixed portability issues for building tests in MinGW.
Documentation
Removed moved sections from documentation.
Removed superfluous log messages from tests.
Acknowledgements
yliu1021
Charconv:
Fixed a performance degradation with from_chars for integer types
Fixed rounding and trailing decimal place bugs with to_chars for
specified precisions with floating point types
Cobalt:
Move assign fixed for generator & promise.
Fixed internal exceptions
Added IO library. Cobalt.io provides a large subset of asio as a
compiled library.
Compat:
Added move_only_function.hpp.
ContainerHash:
Added the hash_is_avalanching trait class.
Conversion:
Added an ability to use polymorphic_downcast and polymorphic_cast in
constexpr (requires C++20).
Core:
Fixed bit_ceil to return 1 for input 0 as per specification. (PR#199)
Added support for std::format to boost::core::string_view. (#190)
Detail:
Operators generated by BOOST_BITMASK now use underlying type of the
enum to implement bitwise operators. The operators are marked
noexcept and constexpr, when possible.
The function bitmask_set generated by BOOST_BITMASK is marked
deprecated. In a future release, BOOST_BITMASK will stop producing
this function. Users are recommended to use double negation (!!mask)
to test if the value is zero. This affects e.g. enums defined in
Boost.Filesystem.
DLL:
Fixed compiling and exporting on Cygwin. Many thanks to Luohao Wang
for the PR!
Fixed building on FreeBSD. Thanks to ash for the bug report!
Added BOOST_DLL_USE_STD_FS CMake option to match the preprocessor
option. Thanks to Yury Bura for the PR!
Filesystem:
Corrected ASAN warnings about comparing pointers to potentially
unrelated objects in path::append. (#335)
Geometry:
Major improvements
PR#1369 Rewrite of traversal
PR#1402 Add geometry polyhedral surface
Improvements
PR#1404 Performance improvements in buffer
PR#1405 Avoid static variables and functions in header files
Breaking changes
PR#1401 Remove deprecated headers
Solved issues
(#1221) Difference with rectilinear multipolygon with integer
coordinates produces invalid polygon with disconnected interior
(#1295) Wrong result in intersection (result polygon is equal to
the biggest of the input polygons)
(#1349) Difference of polygons giving wrong result
(#1382) Buffer operation creates self-intersection
Various fixes of errors and warnings
Hash2:
Added Blake2 algorithm (blake2s_256, blake2b_512).
Added XXH3 algorithm (xxh3_128).
Iterator:
Fixed filter_iterator copy/converting constructor, which could
previously produce an invalid iterator. (#92)
Removed usage of is_trivial in iterator_facade as it is deprecated in
C++26. (#93)
iterator_facade::operator[] now always returns a proxy rather than
conditionally returning a value or a proxy. This allows users to
bind a reference to the result of the operator, regardless of
whether the value type is trivially-copyable. (#61)
The proxy returned by iterator_facade::operator[] now supports
forwarding dereferencing operators to the referenced value. This
allows it[n]->foo() and (*it[n]).foo() expressions to compile.
The proxy returned by iterator_facade::operator[] now implements
perfect forwarding in its assignment operator.
JSON:
Revamped documentation.
Optionals that are ranges are categorised as optionals.
Described class support is enabled for types with bases.
Log:
Added support for BOOST_LOG_WITHOUT_ASIO configuration macro, which
can be used to remove the dependency on Boost.Asio and disable the
related functionality.
Use locale-independent formatting of the file counter in
text_file_backend when composing log file names. This fixes failures
in the subsequent parsing of the file names in
file_collector::scan_for_files. (PR#246)
Added a new wrap_filter utility that simplifies injecting
user-defined function objects in filtering expressions. (#195)
Math:
Add explicit C++14 <type_traits> and constexpr requirement to builds
Collected fixes for GPU support on a variety of platforms
Fix lower incomplete gamma function with x = 0
Fix the external archive error in the jSO algorithm
Fix numeric underflow in ibeta
Fix inverse ibeta for large values of a and b
Fix variadic functions to make them safe with C++26
MQTT5:
Fixed incorrect parsing of URI paths in the list of brokers (#31).
Default Maximum Packet Size now explicitly set in the CONNECT packet.
(#33).
Fixed high CPU usage with large Maximum Packet Size values (#33).
Multiprecision:
Major update.
Adds a new backend type: cpp_double_fp_backend
Fixes a namespace collision with Boost.Serialization
MySQL:
The caching_sha2_password authentication plugin can now be used
without TLS. This is the default in MySQL 8 and above. Plaintext
connections that attempt to use this plugin no longer fail with
client_errc::auth_plugin_requires_ssl (#313).
Fixed a problem causing client_errc::incomplete_message to be
returned during connection establishment when the target database
does not exist and the caching_sha2_password is used. The
appropriate server-generated diagnostic is now returned. See
issues #468 and #488.
The handshake algorithm is now more resilient to protocol violations
(#469).
Fixed a build failure with gcc-15 due to a missing include (PR#475).
Thanks hhoffstaette for the PR.
Added benchmarks against the official drivers.
Optimized metadata representation to be faster to construct and take
less memory (#461).
PFR:
Rewrite C++20 module following the new recommended Boost practice.
See the docs for more info.
Fixed C++26 compilation on modern clang compilers. Thanks to Valery
Mironov for the report!
Support types that use 'Arrays of Length Zero' compiler extension.
Fixed typos. Thanks to Egor for highlighting the issues!
Return std::array<std::string_view, 0> type for
boost::pfr::names_as_array(empty_struct{}) to allow compilation of for
(std::string_view name : boost::pfr::names_as_array(empty_struct{})).
Many thanks to sabudilovskiy for the bug report!
process:
Added v1.hpp to emulate v1 process.hpp include.
Fix to windows path escaping
Fixed exit-code issue where terminate & async_wait lead to a loss of
the exit-code value.
Random:
Fix NAN being generated by beta_distribution
Improve the performance of beta_distribution::operator()
TypeIndex:
Initial support for C++20 Modules. See the docs for more info.
Unordered:
Deprecated boost::unordered::hash_is_avalanching is now a
using-declaration of boost::hash_is_avalanching in
<boost/container_hash/hash_is_avalanching.hpp>. Use that header
directly instead. <boost/unordered/hash_traits.hpp> will be removed
in the future.
Added pull(const_iterator) to open-addressing containers. This
operation allows for efficient removal and retrieval of an element
via move construction.
Histogram:
Update CMake minimum version and Python detection in CMake
Improve documentation
Add example on how to make an axis which accepts multiple value
types that are not implicitly convertible
Show how to use histogram::fill with a multidimensional histogram
efficiently when data per dimension is already available as
contiguous data
Don't use deprecated form of user-defined literal operator
Add support for modular build structure with b2
Fixed warnings in MSVC about narrowed types
Added collector accumulator, which stores all values in a bin
Internal changes to tests and classes in detail namespace
Updated Tools
Build:
Includes release of B2 version 5.3.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Note: This PR solves Bugzilla issue #10552

This PR fixes a few issues in the handling of OpenVPN client CNs. The main problem is that the CN is currently expected to be the last attribute in a certificate's subject string. In case the subject contains further attributes after the CN such as an emailAddress, the CN is incorrectly parsed, which leads to misbehaviour at a few places:

Upload of client certificates

When a client certificate with further attributes after the CN is uploaded, the resulting entry in '/var/ipfire/ovpn/ovpnconfig' contains the CN and all other attributes separated by a slash (/) character. The reason is that '/srv/web/ipfire/cgi-bin/ovpnmain.cgi' executes '/usr/bin/openssl x509 -text ...' and tries to grep the CN from the output of the command. However, the '-text' option causes attributes after the CN to be appended to the CN with a slash character as separator.

Example

The certificate with the subject 'C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient, emailAddress=ovpnClient@example.com' will generate this name in ovpnconfig when uploaded: 'ovpnClient/emailAddress=ovpnClient@example.com'

tls-verify is not working

The script '/usr/lib/openvpn/verify' which is executed by OpenVPN during the TLS handshake parses the CN incorrectly as well. It will contain all attributes of the subject after the CN separated by a comma. Using the example from the last chapter, the parsed CN will be 'ovpnClient, emailAddress=ovpnClient@example.com'. This CN is then compared with the entries in '/var/ipfire/ovpn/ovpnconfig' which will never match. As a consequence, the TLS handshake will fail with this error:

Connection status in the Web UI

To display the connection status of the OpenVPN clients the script '/srv/web/ipfire/cgi-bin/ovpnmain.cgi' reads the correct CNs of the connected clients from '/var/log/ovpnserver.log' and tries to compare them with the (possibly wrong) CNs in '/var/ipfire/ovpn/ovpnconfig'. As a consequence, the clients will always be displayed as DISCONNECTED even if they are connected.

This PR fixes all the issues described above and stays compatible with previously created wrong entries in '/var/ipfire/ovpn/ovpnconfig':

- The '/usr/lib/openvpn/verify' script will parse the CN correctly from the subject. If it cannot be matched exactly with an entry in '/var/ipfire/ovpn/ovpnconfig', it uses a regex to match it with an eventually incorrectly saved CN.
- '/srv/web/ipfire/cgi-bin/ovpnmain.cgi' has been fixed to use the correct CN when uploading or creating a client certificate.
- '/srv/web/ipfire/cgi-bin/ovpnmain.cgi' will use a regex to match the CNs of the connected clients to the possibly wrong CNs in '/var/ipfire/ovpn/ovpnconfig'.
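A worked illustration of the parsing and matching problem described in the commit messages and the PR description above, added here as an example and not code from the PR or from IPFire (whose scripts are Perl and shell). It rebuilds the legacy 'CN=' regex over a constructed 'openssl x509 -text' subject line, the one-attribute-per-line parse the PR switches to, and the lookup against stored ovpnconfig names with an exact match first and a fallback for entries the old code wrote. The OpenSSL output samples are constructed (the multiline form assumes '-nameopt sep_multiline' with the four-space indent the commit messages refer to), the ovpnconfig entries are reduced to a plain list of names, and the use of re.escape() in the fallback is this example's own way of honouring the last commit's point that a regex must not be built from a raw CN.

```python
"""Added example (not IPFire's own Perl code): parsing the CN from OpenSSL's
subject output and matching it against stored names, as the PR describes."""
import re

# Constructed sample: the Subject line as printed by the legacy
# 'openssl x509 -text' output for the PR's example certificate. The
# emailAddress attribute ends up glued to the CN with a '/' (as the PR states).
LEGACY_TEXT_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient/emailAddress=ovpnClient@example.com
"""

# Constructed sample: the same subject with one attribute per line, as
# 'openssl x509 -noout -subject -nameopt sep_multiline' prints it (assumed
# format; the OpenSSL name options document a four-space indent per field).
MULTILINE_SUBJECT_OUTPUT = """\
subject=
    C=XX
    L=Xxxxxx
    O=xxx
    OU=XX
    CN=ovpnClient
    emailAddress=ovpnClient@example.com
"""


def cn_from_text_output_legacy(output):
    """The old approach: take everything after 'CN=' on the Subject line.
    This is what produced the wrong ovpnconfig entries."""
    for line in output.splitlines():
        if line.lstrip().startswith("Subject:"):
            m = re.search(r"CN=(.*)", line)
            return m.group(1) if m else None
    return None


def cn_from_multiline_subject(output):
    """The fixed approach: the CN sits alone on one line that starts with
    exactly four spaces and 'CN=', so no other attribute can be glued on."""
    m = re.search(r"^    CN=(.*)$", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed stand-in for the names stored in ovpnconfig (the real file has
# more fields per entry; only the name column matters here).
STORED_NAMES = [
    "otherClient",
    "ovpnClient/emailAddress=ovpnClient@example.com",  # written by the old code
    "ovpn.Client",
]


def find_stored_name(cn, stored_names):
    """Lookup shared by the verify step and the status display: exact match
    first, then accept an entry written by the old code, i.e. the CN followed
    by '/' and the attributes that were wrongly appended. re.escape() keeps
    any regex metacharacter in the CN literal."""
    if cn in stored_names:
        return cn
    legacy = re.compile(r"^" + re.escape(cn) + r"/")
    for name in stored_names:
        if legacy.match(name):
            return name
    return None


def find_stored_name_unescaped(cn, stored_names):
    """The variant the PR's last commit removed: the CN is used as a pattern
    as-is, so a '.' in a CN matches any character of a stored name."""
    legacy = re.compile(r"^" + cn + r"(/|$)")
    for name in stored_names:
        if legacy.match(name):
            return name
    return None


if __name__ == "__main__":
    print("legacy -text parse:", cn_from_text_output_legacy(LEGACY_TEXT_OUTPUT))
    cn = cn_from_multiline_subject(MULTILINE_SUBJECT_OUTPUT)
    print("multiline parse:   ", cn)
    print("stored entry:      ", find_stored_name(cn, STORED_NAMES))
    print("escaped lookup:    ", find_stored_name("ovpn.Client", ["ovpnXClient"]))
    print("unescaped lookup:  ", find_stored_name_unescaped("ovpn.Client", ["ovpnXClient"]))
```

Run as a script to see the two parses side by side and the lookup results. The unescaped variant is kept only to show the over-match that the escaped fallback prevents: with it, a stored name that merely resembles the CN is accepted, which is exactly the class of mismatch the verify script must not make.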