diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 8304b4b99..b1e933c0d 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -724,7 +724,8 @@ function ocsp_validate($ca_filename, $serial)
 if (!is_file($ca_filename)) {
 return [
 'pass' => false,
- 'response' => 'missing_CA_file'
+ 'uri' => null,
+ 'response' => "missing_CA_file ({$ca_filename})"
 ];
 }
 $ocsp_uri = null;
@@ -745,12 +746,14 @@ function ocsp_validate($ca_filename, $serial)
 $output,
 $retval
 );
- $verdict_pass = empty($retval);
+ $verdict_pass = false;
 foreach ($output as $line) {
 if (str_starts_with($line, "{$serial}:")) {
+ $status = explode(':', $line, 2)[1];
 return [
- 'pass' => $verdict_pass,
- 'response' => explode(':', $line, 2)[1],
+ 'pass' => $status == 'good',
+ 'response' => $status,
+ 'uri' => $ocsp_uri,
 'verify' => $output[0]
 ];
 }
@@ -763,6 +766,7 @@ function ocsp_validate($ca_filename, $serial)
 return [
 'pass' => $verdict_pass,
+ 'uri' => $ocsp_uri,
 'response' => $verdict_msg
 ];
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
index 86a2e8567..e2f514489 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@@ -420,6 +420,8 @@ class OpenVPN extends BaseModel
 // user/passwords need to be feed using a file
 $output .= $key . " " . $value['filename'] . "\n";
 File::file_put_contents($value['filename'], $value['content'], 0600);
+ } elseif ($key == 'ca-file') {
+ File::file_put_contents($value['filename'], $value['content'], 0600);
 } else {
 foreach ($value as $item) {
 $output .= $key . " " . $item . "\n";
@@ -646,6 +648,12 @@ class OpenVPN extends BaseModel
 }
 }
 }
+ if (!empty((string)$node->use_ocsp) && !empty($options[''])) {
+ $options['ca-file'] = [
+ "filename" => "/var/etc/openvpn/instance-{$node_uuid}.ca",
+ "content" => $options['']
+ ];
+ }
 // dump to file
 $this->writeConfig($node->cnfFilename, $options);
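Review bot: The early return for a missing CA file now sets `'uri'` but still omits `'verify'`, while the caller in tls_verify.php's do_verify hunk reads `$ocsp_response['verify']` unconditionally on the failure branch, so this path (and the post-loop return in the third hunk of this file, which also lacks the key) raises an "Undefined array key" warning before the verdict is logged. Adding `'verify' => null,` to both returns keeps the result shape uniform for every caller. Embedding `$ca_filename` in the response string is helpful for the syslog line and the value is a locally built path, not external input. ocsp_validate continues outside the hunk.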
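Review bot: `'pass' => $status == 'good'` compares the raw remainder of the line after the colon; if the OCSP summary line carries a space after the colon (as far as I recall openssl prints it as `<serial>: <status>`, worth confirming against the command built above this hunk), `$status` is `" good"`, the comparison is always false and every certificate is rejected. `$status = trim(explode(':', $line, 2)[1]);` together with `'pass' => $status === 'good',` makes the match whitespace-tolerant and strict. Setting `$verdict_pass = false` is the right fail-closed default when no line for the serial is found; a short comment such as `// no status line for this serial: fail closed` would make the intent explicit. The exec call that fills `$output` starts outside the hunk.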
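Review bot: The new `elseif ($key == 'ca-file')` branch writes the file but appends nothing to `$output`, which reads as an oversight next to the auth-user-pass branch above it unless the reader already knows `ca-file` is not an OpenVPN directive; a comment such as `// 'ca-file' is not emitted to the config, it only materialises the CA on disk for tls_verify.php` would keep someone from "fixing" it later. Prefer `$key === 'ca-file'` for a strict comparison. The enclosing method starts and ends outside the hunk.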
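Review bot: The path `/var/etc/openvpn/instance-{$node_uuid}.ca` is duplicated literally in tls_verify.php as `"/var/etc/openvpn/instance-" . $serverid . ".ca"`; if either side drifts, verification fails closed with `missing_CA_file`, which is safe but hard to diagnose from the log alone. Consider deriving both from one helper, or at least a comment here naming the consumer: `// must match the CA path used by scripts/openvpn/tls_verify.php`. I also do not see the `.ca` file being removed when `use_ocsp` is turned off or the instance is deleted; if no cleanup exists elsewhere, the stale copy persists on disk (harmless for verification since the option is gated on `use_ocsp`, but untidy). The enclosing method starts outside the hunk.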
diff --git a/src/opnsense/scripts/openvpn/tls_verify.php b/src/opnsense/scripts/openvpn/tls_verify.php
index a66e630e1..f37a5300b 100755
--- a/src/opnsense/scripts/openvpn/tls_verify.php
+++ b/src/opnsense/scripts/openvpn/tls_verify.php
@@ -26,8 +26,8 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
-
-require_once("config.inc");
+require_once("script/load_phalcon.php");
+require_once("util.inc");
 require_once("certs.inc");
 /**
@@ -46,13 +46,23 @@ function do_verify($serverid)
 if ($allowed_depth != null && ($certificate_depth > $allowed_depth)) {
 return "Certificate depth {$certificate_depth} exceeded max allowed depth of {$allowed_depth}.";
 } elseif ($a_server['use_ocsp']) {
- $cn = getenv('common_name');
 $serial = getenv('tls_serial_' . $certificate_depth);
- $ocsp_response = ocsp_validate("/var/etc/openvpn/server" . $serverid . ".ca", $serial);
- if (!$ocsp_respons['pass']) {
- return sprintf("%s - %s", $cn, $ocsp_respons['response']);
+ $ocsp_response = ocsp_validate("/var/etc/openvpn/instance-" . $serverid . ".ca", $serial);
+ if (!$ocsp_response['pass']) {
+ return sprintf(
+ "[serial : %s] @ %s - %s (%s)",
+ $serial,
+ $ocsp_response['uri'],
+ $ocsp_response['response'],
+ $ocsp_response['verify']
+ );
 } else {
- syslog(LOG_INFO, sprintf("tls-verify : %s - %s", $cn, $ocsp_respons['response']));
+ syslog(LOG_INFO, sprintf(
+ "tls-verify : [serial : %s] @ %s - %s",
+ $serial,
+ $ocsp_response['uri'],
+ $ocsp_response['response']
+ ));
 }
 }
 return true;
@@ -61,7 +71,7 @@ function do_verify($serverid)
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 $response = do_verify(getenv('auth_server'));
 if ($response !== true) {
- syslog(LOG_WARNING, $response);
+ syslog(LOG_WARNING, "tls-verify : {$response}");
 closelog();
 exit(1);
 } else {
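Review bot: `getenv('tls_serial_' . $certificate_depth)` returns `false` when OpenVPN does not export that variable, and the new code passes that straight into ocsp_validate, where it becomes an empty `"{$serial}:"` prefix match (and presumably an empty `-serial` argument, outside view); guarding with `if ($serial === false) { return "no serial exported for depth {$certificate_depth}"; }` keeps the failure explicit rather than relying on the fail-closed default. The `%s` for `$ocsp_response['uri']` prints an empty string when the URI is `null` (the missing-CA path), which is acceptable but worth knowing when reading syslog. Dropping `$cn` removes the common name from the audit trail; if operators correlate rejections by CN, keep it next to the serial. do_verify starts outside the hunk.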