
OpenVPN revoke certificate does not work properly
Open, Normal | Public | BUG

Description

In OpenVPN 1.4 or 1.5, I tried to revoke the client cert using the PKI commands, i.e.:

vyos@test1# set pki certificate helloclient revoke
[edit]
vyos@test1# set pki ca root-ca crl 'MIIByTCBsgIBATANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5MQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAdyb290LWNhFw0yNDAyMTYwNjM1NDlaFw0yNDAyMTcwNjM1NDlaMCcwJQIUR764YILugcbDbDVOPfP8N2beG9EXDTI0MDIxNjA2MzU0OVowDQYJKoZIhvcNAQELBQADggEBAJr7hGWaa56maOvwRIHNU8YFCnwluGKwV4xK8iXhQ9RaNqepjtpYXm2yPRuLeEOfCPrIb/+Tk+zqVCXpqsUWWzgcgEsbQrHY9jVMvNW3cxE95tXFqY44MQq8UOm16PMBdjEQfD/jA8PbjqbQrtXUHUJCe+jEIbeAuhcbvu8TJYNmGnHcC1hXhoQ6ddn7BTUsyLQ/aSngLl8yVdT36Jgj++BnBhSITaE9ifd8b2CfV68417hICgWP1yoHKmS7asnnBr1OkV2Q9pqBEq49Hv9btfbveOhowZTvmnWS+z4mTPvAZUY2ASrWZWA9c+6a31zLECPfKI+8z0lOk9efcJNwnVE='
[edit]
vyos@test1# commit

then the OpenVPN server output still shows the connection status for a long time, until I reset the connection:

vyos@test1# run sh openvpn server

OpenVPN status on vtun10

Client CN    Remote Host         Tunnel IP    Local Host          TX bytes    RX bytes    Connected Since
-----------  ------------------  -----------  ------------------  ----------  ----------  -------------------
helloclient  10.217.80.94:50704  10.0.0.2     10.217.80.116:1194  3.3 KB      3.4 KB      2024-02-16 08:10:34

but I am not able to ping the assigned tunnel IP; the "reset openvpn client" command does not help, only "reset openvpn interface <>" on the server side clears the output, and the logs also do not show that the reason is the revoked cert, no useful information.

vyos@vyos# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8213ms

Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI: new connection by client 'helloclient' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI: Learn: 10.0.0.2 -> helloclient/10.217.80.94:50704
Feb 16 08:10:34 openvpn-vtun10[8149]: MULTI: primary virtual IP for helloclient/10.217.80.94:50704: 10.0.0.2
Feb 16 08:10:34 openvpn-vtun10[8149]: SENT CONTROL [helloclient]: 'PUSH_REPLY,route-gateway 10.0.0.1,topology subnet,ping 600,ping-restart 36000,ifconfig 10.0.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
Feb 16 08:10:35 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'
Feb 16 08:10:35 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 Timers: ping 600, ping-restart 72000
Feb 16 08:10:35 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Feb 16 08:13:28 openvpn-vtun10[8149]: MANAGEMENT: Client connected from /run/openvpn/openvpn-mgmt-intf
Feb 16 08:13:28 openvpn-vtun10[8149]: MANAGEMENT: CMD 'kill helloclient'
Feb 16 08:13:28 openvpn-vtun10[8149]: helloclient/10.217.80.94:50704 SIGTERM[soft,] received, client-instance exiting
Feb 16 08:13:28 openvpn-vtun10[8149]: MANAGEMENT: Client disconnected

I have also tested on VyOS 1.3.5: the client connection disconnects immediately, and upgraded to 1.4-rc3, then it works as expected. There is no output in the server status command.
In the logs I can see the reason, that the cert is revoked, and the vtunx interface status on the client shows as A/D:

Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 VERIFY ERROR: depth=0, error=certificate revoked: C=US, ST=California, L=San Francisco, O=Copyleft Certificate Co, OU=My Organizational Unit, CN=branch1, [email protected], serial=160546159640694607179974856552972766332
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 TLS_ERROR: BIO read tls_read_plaintext error
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 TLS Error: TLS object -> incoming plaintext read error
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 TLS Error: TLS handshake failed
Feb 13 18:15:06 openvpn-vtun10[2681]: 10.217.80.94:38758 SIGUSR1[soft,tls-error] received, client-instance restarting
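
The first thing worth checking when a revocation does not take effect is whether the CRL that was committed actually lists the client's serial and is still inside its validity window. The following is an added example, not part of the bug report or of VyOS: a dependency-free DER walker (Python standard library only) that decodes the CRL blob pasted in the report above, prints its issuer, thisUpdate, nextUpdate and revoked serials, and offers two checks, is_revoked() and crl_is_current(). It does not verify the CRL signature; that is assumed to be done by the OpenVPN/OpenSSL side. The function and variable names are this example's own.

```python
import base64
import dataclasses
import datetime
from typing import Optional

# The CRL the reporter committed with "set pki ca root-ca crl '...'", joined into
# one base64 string (the wrapping in the ticket is terminal residue). Only input needed.
VYOS_CRL_B64 = (
    "MIIByTCBsgIBATANBgkqhkiG9w0BAQsFADBXMQswCQYD"
    "VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5MQ0wCwYDVQQKDARW"
    "eU9TMRAwDgYDVQQDDAdyb290LWNhFw0yNDAyMTYwNjM1NDlaFw0yNDAyMTcwNjM1NDlaMCcwJQIUR764"
    "YILugcbDbDVOPfP8N2beG9EXDTI0MDIxNjA2MzU0OVowDQYJKoZIhvcNAQELBQADggEBAJr7hGWaa56m"
    "aOvwRIHNU8YFCnwluGKwV4xK8iXhQ9RaNqepjtpYXm2yPRuLeEOfCPrIb/+Tk+zqVCXpqsUWWzgcgEsb"
    "QrHY9jVMvNW3cxE95tXFqY44MQq8UOm16PMBdjEQfD/jA8PbjqbQrtXUHUJCe+jEIbeAuhcbvu8TJYNm"
    "GnHcC1hXhoQ6ddn7BTUsyLQ/aSngLl8yVdT36Jgj++BnBhSITaE9ifd8b2CfV68417hICgWP1yoHKmS7"
    "asnnBr1OkV2Q9pqBEq49Hv9btfbveOhowZTvmnWS+z4mTPvAZUY2ASrWZWA9c+6a31zLECPfKI+8z0lOk9efcJNwnVE="
)

# Raw OID bytes for the X.520 attribute types usually seen in an issuer name.
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
              b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


@dataclasses.dataclass
class CRLInfo:
    issuer: str
    this_update: datetime.datetime
    next_update: Optional[datetime.datetime]
    revoked: dict  # serial number (int) -> revocation date


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE or SET into its top-level (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to aware UTC."""
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime: two-digit year, RFC 5280 pivot at 50
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)


def _name_to_str(value):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=GB, CN=...'."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            parts.append(f"{_OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def parse_crl(der):
    """Parse a DER CertificateList (RFC 5280 section 5.1). The signature is NOT verified."""
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)              # tbsCertList
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0             # optional version INTEGER
    i += 1                                           # signature AlgorithmIdentifier
    issuer = _name_to_str(fields[i][1]); i += 1
    this_update = _time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:     # revokedCertificates (absent if empty)
        for _, entry in _children(fields[i][1]):
            (_, serial), (date_tag, date) = _children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = _time(date_tag, date)
    return CRLInfo(issuer, this_update, next_update, revoked)


def is_revoked(crl, serial):
    """True if the certificate with this serial number is listed in the CRL."""
    return serial in crl.revoked


def crl_is_current(crl, now):
    """True if 'now' lies inside [thisUpdate, nextUpdate); OpenSSL rejects an expired CRL."""
    return crl.this_update <= now and (crl.next_update is None or now < crl.next_update)


def load_vyos_crl():
    """Decode and parse the CRL from the bug report."""
    return parse_crl(base64.b64decode(VYOS_CRL_B64))


if __name__ == "__main__":
    crl = load_vyos_crl()
    print("issuer     :", crl.issuer)
    print("thisUpdate :", crl.this_update)
    print("nextUpdate :", crl.next_update)
    for serial, when in crl.revoked.items():
        print(f"revoked    : serial {serial:X} on {when}")
    print("current now:", crl_is_current(crl, datetime.datetime.now(datetime.timezone.utc)))
```

Two things this shows about the CRL in the report: it lists exactly one serial (0x47BEB86082EE81C6C36C354E3DF3FC3766DE1BD1, revoked 2024-02-16 06:35:49Z), so the next check is whether that is the serial of the certificate the connected client actually presents (compare with the serial= field OpenVPN prints in its VERIFY lines); and nextUpdate is only 24 hours after thisUpdate. Once a CRL is past nextUpdate, OpenSSL's CRL check fails with "CRL has expired" for every client certificate, not just the revoked one, so a CRL this short-lived has to be regenerated and re-committed daily.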

Details

Difficulty level
Unknown (require assessment)
Version
1.4.0-rc3, 1.5-rolling-202402120819
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)