VPN: OpenVPN: Instances - (optional) ocsp check, make sure to flush our CA when ocsp is enabled and improve logging (https://github.com/opnsense/core/pull/7082, https://github.com/opnsense/core/issues/7114)

This commit is contained in:
Ad Schellevis 2024-01-04 19:30:25 +01:00
parent da5b772ba1
commit 043a3dd756
3 changed files with 34 additions and 12 deletions


@ -724,7 +724,8 @@ function ocsp_validate($ca_filename, $serial)
if (!is_file($ca_filename)) {
return [
'pass' => false,
'response' => 'missing_CA_file'
'uri' => null,
'response' => "missing_CA_file ({$ca_filename})"
];
}
$ocsp_uri = null;
@ -745,12 +746,14 @@ function ocsp_validate($ca_filename, $serial)
$output,
$retval
);
$verdict_pass = empty($retval);
$verdict_pass = false;
foreach ($output as $line) {
if (str_starts_with($line, "{$serial}:")) {
$status = explode(':', $line, 2)[1];
return [
'pass' => $verdict_pass,
'response' => explode(':', $line, 2)[1],
'pass' => $status == 'good',
'response' => $status,
'uri' => $ocsp_uri,
'verify' => $output[0]
];
}
@ -763,6 +766,7 @@ function ocsp_validate($ca_filename, $serial)
return [
'pass' => $verdict_pass,
'uri' => $ocsp_uri,
'response' => $verdict_msg
];
}
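Review bot: The new verdict in the second hunk, `'pass' => $status == 'good'`, no longer consults `$retval`, so the exit status captured by the `exec()` whose closing lines open that hunk is now purely informational; if that call is still `openssl ocsp` (its invocation sits above the hunk), a response whose signature fails to verify — openssl prints `Response Verify Failure` and, in the upstream apps/ocsp.c I know, exits non-zero — but that carries a `good` status would now pass, whereas the removed `empty($retval)` would have rejected it. Keeping both conditions is fail-closed: `'pass' => $retval === 0 && $status === 'good',`. Separately, upstream openssl prints the summary as `<serial>: good` with a space after the colon; if that is what this invocation emits, `$status` carries a leading space and the loose comparison never matches, so `$status = trim(explode(':', $line, 2)[1]);` makes the check robust either way. `ocsp_validate` starts before the first hunk.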


@ -420,6 +420,8 @@ class OpenVPN extends BaseModel
// user/passwords need to be feed using a file
$output .= $key . " " . $value['filename'] . "\n";
File::file_put_contents($value['filename'], $value['content'], 0600);
} elseif ($key == 'ca-file') {
File::file_put_contents($value['filename'], $value['content'], 0600);
} else {
foreach ($value as $item) {
$output .= $key . " " . $item . "\n";
@ -646,6 +648,12 @@ class OpenVPN extends BaseModel
}
}
}
if (!empty((string)$node->use_ocsp) && !empty($options['<ca>'])) {
$options['ca-file'] = [
"filename" => "/var/etc/openvpn/instance-{$node_uuid}.ca",
"content" => $options['<ca>']
];
}
// dump to file
$this->writeConfig($node->cnfFilename, $options);
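Review bot: The new `elseif ($key == 'ca-file')` branch writes a file and appends nothing to `$output`, which is easy to misread as a dropped option; a comment makes the intent explicit: `// not an OpenVPN directive: only materialises the CA for the OCSP check in the tls-verify hook`. The path is also spelled out twice in this commit, here as `instance-{$node_uuid}.ca` and again in the tls-verify script, so a shared constant or helper would keep the two from drifting. Nothing visible here removes the file once `use_ocsp` is switched off, so unless cleanup happens elsewhere a stale CA bundle stays on disk; harmless for public material, but an `unlink()` in the else case would keep `/var/etc/openvpn` tidy. The enclosing method starts and ends outside the hunks.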


@ -26,8 +26,8 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
require_once("config.inc");
require_once("script/load_phalcon.php");
require_once("util.inc");
require_once("certs.inc");
/**
@ -46,13 +46,23 @@ function do_verify($serverid)
if ($allowed_depth != null && ($certificate_depth > $allowed_depth)) {
return "Certificate depth {$certificate_depth} exceeded max allowed depth of {$allowed_depth}.";
} elseif ($a_server['use_ocsp']) {
$cn = getenv('common_name');
$serial = getenv('tls_serial_' . $certificate_depth);
$ocsp_response = ocsp_validate("/var/etc/openvpn/server" . $serverid . ".ca", $serial);
if (!$ocsp_respons['pass']) {
return sprintf("%s - %s", $cn, $ocsp_respons['response']);
$ocsp_response = ocsp_validate("/var/etc/openvpn/instance-" . $serverid . ".ca", $serial);
if (!$ocsp_response['pass']) {
return sprintf(
"[serial : %s] @ %s - %s (%s)",
$serial,
$ocsp_response['uri'],
$ocsp_response['response'],
$ocsp_response['verify']
);
} else {
syslog(LOG_INFO, sprintf("tls-verify : %s - %s", $cn, $ocsp_respons['response']));
syslog(LOG_INFO, sprintf(
"tls-verify : [serial : %s] @ %s - %s",
$serial,
$ocsp_response['uri'],
$ocsp_response['response']
));
}
}
return true;
@ -61,7 +71,7 @@ function do_verify($serverid)
openlog("openvpn", LOG_ODELAY, LOG_AUTH);
$response = do_verify(getenv('auth_server'));
if ($response !== true) {
syslog(LOG_WARNING, $response);
syslog(LOG_WARNING, "tls-verify : {$response}");
closelog();
exit(1);
} else {
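Review bot: The failure message in the second hunk reads `$ocsp_response['verify']`, but only the matched-status path of `ocsp_validate` (first file of this commit) sets that key; the missing-CA and no-matching-serial returns do not, so on exactly those failures PHP 8 emits an `Undefined array key "verify"` warning from the hook and formats an empty string. `$ocsp_response['verify'] ?? ''` (and `$ocsp_response['uri'] ?? '-'`, since `uri` is `null` in the missing-CA case) keeps the log line clean without hiding the cause. Because the returned string still reaches `exit(1)` in the last hunk, the warning is cosmetic rather than a bypass, but it is worth confirming that is intended. `do_verify` starts before the hunk.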