In OpenVPN 1.4 or 1.5, I tried to revoke the client cert using the pki commands, i.e.:

vyos@test1# set pki certificate helloclient revoke
[edit]
vyos@test1# set pki ca root-ca crl 'MIIByTCBsgIBATANBgkqhkiG9w0BAQsFADBXMQswCQYD VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5MQ0wCwYDVQQKDARW eU9TMRAwDgYDVQQDDAdyb290LWNhFw0yNDAyMTYwNjM1NDlaFw0yNDAyMTcwNjM1NDlaMCcwJQIUR764 YILugcbDbDVOPfP8N2beG9EXDTI0MDIxNjA2MzU0OVowDQYJKoZIhvcNAQELBQADggEBAJr7hGWaa56m aOvwRIHNU8YFCnwluGKwV4xK8iXhQ9RaNqepjtpYXm2yPRuLeEOfCPrIb/+Tk+zqVCXpqsUWWzgcgEsb QrHY9jVMvNW3cxE95tXFqY44MQq8UOm16PMBdjEQfD/jA8PbjqbQrtXUHUJCe+jEIbeAuhcbvu8TJYNm GnHcC1hXhoQ6ddn7BTUsyLQ/aSngLl8yVdT36Jgj++BnBhSITaE9ifd8b2CfV68417hICgWP1yoHKmS7 asnnBr1OkV2Q9pqBEq49Hv9btfbveOhowZTvmnWS+z4mTPvAZUY2ASrWZWA9c+6a31zLECPfKI+8z0lOk9efcJNwnVE='
[edit]
vyos@test1# commit
Then the OpenVPN server output still shows the connection status for a long time, until I reset the connection:

vyos@test1# run sh openvpn server
OpenVPN status on vtun10

Client CN    Remote Host         Tunnel IP  Local Host          TX bytes  RX bytes  Connected Since
-----------  ------------------  ---------  ------------------  --------  --------  -------------------
helloclient  10.217.80.94:50704  10.0.0.2   10.217.80.116:1194  3.3 KB    3.4 KB    2024-02-16 08:10:34
But I won't be able to ping the assigned tunnel IP. The "reset openvpn client" command does not help; only "reset openvpn interface <>" on the server side clears the output. Also, the logs do not show the reason that the cert is revoked, no useful information:

vyos@vyos# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8213ms

Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI: new connection by client 'helloclient' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI: Learn: 10.0.0.2 -> helloclient/10.217.80.94:50704
Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI: primary virtual IP for helloclient/10.217.80.94:50704: 10.0.0.2
Feb 16 08:10:34 openvpn-vtun10[8149]: SENT CONTROL [helloclient]: 'PUSH_REPLY,route-gateway 10.0.0.1,topology subnet,ping 600,ping-restart 36000,ifconfig 10.0.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
Feb 16 08:10:35 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'
Feb 16 08:10:35 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 Timers: ping 600, ping-restart 72000
Feb 16 08:10:35 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Feb 16 08:13:28 openvpn-vtun10[8149]: MANAGEMENT: Client connected from /run/openvpn/openvpn-mgmt-intf
Feb 16 08:13:28 openvpn-vtun10[8149]: MANAGEMENT: CMD 'kill helloclient'
Feb 16 08:13:28 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 SIGTERM[soft,] received, client-instance exiting
Feb 16 08:13:28 openvpn-vtun10[8149]: MANAGEMENT: Client disconnected
I have also tested with VyOS version 1.3.5: the client connection disconnects immediately. After upgrading to 1.4-rc3, it then works as expected. There is no output in the server status command.

In the logs I can see the reason, that the cert is revoked, and the vtunx interface status on the client shows as A/D:

Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 VERIFY ERROR: depth=0, error=certificate revoked: C=US, ST=California, L=San Francisco, O=Copyleft Certificate Co, OU=My Organizational Unit, CN=branch1, [email protected], serial=160546159640694607179974856552972766332
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 TLS_ERROR: BIO read tls_read_plaintext error
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 TLS Error: TLS object -> incoming plaintext read error
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 TLS Error: TLS handshake failed
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 SIGUSR1[soft,tls-error] received, client-instance restarting
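An added example, not from the post above and not VyOS code: a stdlib-only script that lists the serials in a base64 DER CRL (the form `set pki ca <name> crl` takes) and prints the management-interface `kill <CN>` commands (the same command the log above shows) for sessions whose certificate serial is on the CRL. OpenVPN only consults the CRL during the TLS handshake, so a session that was already up when the CRL changed keeps running until it is killed or renegotiates; the CN-to-serial mapping and the sample CRL are constructed here, and the sample's serial is the one from the VERIFY ERROR line.

```python
import base64

# Constructed sample input (not from the post): serial taken from the
# "VERIFY ERROR ... serial=" log line, CRL built by hand below.
REVOKED_SERIAL = 160546159640694607179974856552972766332

def der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(value):
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_b64):
    """Serial numbers in a base64 DER CertificateList (no signature check here)."""
    _, cert_list, _ = der_tlv(base64.b64decode(crl_b64))
    fields = der_children(der_children(cert_list)[0][1])  # tbsCertList
    if fields[0][0] == 0x02:                       # optional version
        fields = fields[1:]
    fields = fields[3:]                            # signature, issuer, thisUpdate
    if fields and fields[0][0] in (0x17, 0x18):    # optional nextUpdate
        fields = fields[1:]
    if not fields or fields[0][0] != 0x30:         # no revokedCertificates; [0] extensions next
        return set()
    return {int.from_bytes(der_tlv(entry)[1], "big", signed=True)
            for _, entry in der_children(fields[0][1])}

def kill_commands(sessions, revoked):
    """sessions: {client CN: cert serial}. Returns management 'kill <CN>' lines for revoked certs."""
    return [f"kill {cn}" for cn, serial in sessions.items() if serial in revoked]

SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
TBS = der(0x30, der_int(1) + SIG_ALG + der(0x30, b"") + der(0x17, b"240216063549Z")
          + der(0x17, b"240217063549Z")
          + der(0x30, der(0x30, der_int(REVOKED_SERIAL) + der(0x17, b"240216063549Z"))))
SAMPLE_CRL_B64 = base64.b64encode(der(0x30, TBS + SIG_ALG + der(0x03, b"\x00" * 9))).decode()  # placeholder signature

if __name__ == "__main__":
    print(kill_commands({"helloclient": REVOKED_SERIAL, "branch2": 42}, revoked_serials(SAMPLE_CRL_B64)))  # ['kill helloclient']
```

The `kill` lines can be fed to the server's management socket (`/run/openvpn/openvpn-mgmt-intf` in the log above); VyOS and OpenVPN verify the CRL signature themselves, this script only reads the serials.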