Bug#942097: openvpn does not re-read CRLs on client connect in "capath" mode

Bartos-Elekes Zsolt Thu, 10 Oct 2019 02:09:19 -0700

Package: openvpn
Version: 2.4.7-1
Severity: normal

Dear Maintainer,


openvpn does not re-read CRLs on client connect in "capath" mode (that is,
a directory containing trusted CA certificates and CRLs).

I have a two-level CA setup (one root CA and one intermediate CA that emits
both server and client certificates). Please find attached the test
certificates I have used.


Here is my server config:

----------------------------------------------------------------

# daemon openvpn-server-client
user nobody
group nogroup

proto udp

key /etc/openvpn/server.key
cert /etc/openvpn/server.pem
capath /etc/openvpn/ca-certs
remote-cert-tls client
duplicate-cn
dh /etc/openvpn/dh2048.pem
cipher AES-256-CBC

float
lport 1194

dev tun
server 192.0.2.0 255.255.255.0
comp-lzo
passtos

keepalive 5 20
ping-timer-rem
persist-tun
persist-key

----------------------------------------------------------------


My client config (I guess it does not matter, but anyway):

----------------------------------------------------------------

# daemon openvpn-client-server
user nobody
group nogroup

proto udp

key /etc/openvpn/client.key
cert /etc/openvpn/client.pem
ca /etc/openvpn/ca-certs/ca-test-root.pem
verify-x509-name "example.com" name
remote-cert-tls server
cipher AES-256-CBC

remote localhost
resolv-retry 30
float
rport 1194
nobind

dev tun
client
comp-lzo
passtos

keepalive 5 20
ping-timer-rem
persist-tun
persist-key

----------------------------------------------------------------


I start the openvpn server with strace:

# strace -o /tmp/openvpn.strace openvpn --config config.server-client


... and watch openvpn accessing the capath directory in strace's log on another 
console:

# tail -f /tmp/openvpn.strace | grep -F "/etc/openvpn/ca-certs"

* first client connects *

stat("/etc/openvpn/ca-certs/b60149e5.0", {st_mode=S_IFREG|0644, st_size=7339, 
...}) = 0
openat(AT_FDCWD, "/etc/openvpn/ca-certs/b60149e5.0", O_RDONLY) = 5
stat("/etc/openvpn/ca-certs/b60149e5.1", 0x7ffd789d74c0) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.0", {st_mode=S_IFREG|0644, st_size=1870, 
...}) = 0
openat(AT_FDCWD, "/etc/openvpn/ca-certs/7f67f311.0", O_RDONLY) = 5
stat("/etc/openvpn/ca-certs/7f67f311.1", 0x7ffd789d74c0) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/b60149e5.r0", {st_mode=S_IFREG|0644, st_size=1003, 
...}) = 0
openat(AT_FDCWD, "/etc/openvpn/ca-certs/b60149e5.r0", O_RDONLY) = 5
stat("/etc/openvpn/ca-certs/b60149e5.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.r0", {st_mode=S_IFREG|0644, st_size=991, 
...}) = 0
openat(AT_FDCWD, "/etc/openvpn/ca-certs/7f67f311.r0", O_RDONLY) = 5
stat("/etc/openvpn/ca-certs/7f67f311.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)

* next client connects *

stat("/etc/openvpn/ca-certs/b60149e5.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)

* another client connects *

stat("/etc/openvpn/ca-certs/b60149e5.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)
stat("/etc/openvpn/ca-certs/7f67f311.r1", 0x7ffd789d7430) = -1 ENOENT (No such 
file or directory)

(7f67f311 is the root CA, b60149e5 is the intermediate CA)

----------------------------------------------------------------


strace log shows that CRLs are read only when the first client connects.
When the next client connects, CRLs are attempted to access only using a wrong
filename ("*.r1" instead of "*.r0"), and open obviously fails.

This is a security problem if I later revoke a certificate, upload the new CRL,
but it does not have effect.

Please feel free to contact me if you need any further information.

--
Regards,
Zsolt



-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.196 (SMP w/4 CPU cores)
Locale: LANG=en_US.ISO-8859-2, LC_CTYPE=en_US.ISO-8859-2 (charmap=ISO-8859-2), 
LANGUAGE=en_US.ISO-8859-2 (charmap=ISO-8859-2
Shell: /bin/sh linked to /usr/bin/dash
Init: none (chroot environment)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  iproute2               4.20.0-2
ii  libc6                  2.28-10
ii  liblz4-1               1.8.3-1
ii  liblzo2-2              2.10-0.1
ii  libpam0g               1.3.1-5
ii  libpkcs11-helper1      1.25.1-1
ii  libssl1.1              1.1.1d-0+deb10u1
ii  libsystemd0            241-7~deb10u1
ii  lsb-base               10.2019051400

Versions of packages openvpn recommends:
pn  easy-rsa  <none>

Versions of packages openvpn suggests:
ii  openssl                   1.1.1d-0+deb10u1
pn  openvpn-systemd-resolved  <none>
pn  resolvconf                <none>

-- debconf information:
  openvpn/create_tun: false

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=HU, O=Test, Inc., CN=Test Root CA
        Validity
            Not Before: Oct  4 15:00:00 2019 GMT
            Not After : Oct  4 15:00:00 2039 GMT
        Subject: C=HU, O=Test, Inc., CN=Test Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d9:38:d2:10:b2:c1:0a:67:d1:14:c0:dd:d3:da:
                    f7:c1:98:b6:9f:06:1c:a2:13:c6:6b:11:d7:ff:55:
                    16:24:15:44:63:e3:e7:b2:97:f4:75:d8:49:0e:cc:
                    5a:83:1a:73:63:f6:73:b2:90:59:22:92:2d:a0:61:
                    b4:69:71:65:e8:06:c6:d0:b9:94:2c:d8:d8:8c:e9:
                    f0:38:48:34:da:12:62:4b:f1:29:d8:20:07:9e:af:
                    ee:be:a0:89:bf:e3:64:12:cc:c1:60:b0:f2:cb:c3:
                    32:67:62:b0:99:04:d1:2f:58:61:b0:b1:8f:9f:f3:
                    0f:14:cf:4e:a3:3a:e0:7f:30:2e:a8:72:17:02:a4:
                    23:e6:44:0e:91:13:ca:a3:4d:d5:ae:51:92:8e:87:
                    f1:c0:84:00:fb:01:7a:f1:9f:19:4e:e5:c0:3f:21:
                    e8:05:31:59:d8:a5:d2:84:62:51:25:cb:c6:db:7a:
                    8c:f9:57:f3:06:ad:4f:b4:7d:df:bc:35:2c:62:58:
                    3b:8d:5e:f4:d3:65:9b:2d:ff:13:63:be:1e:ce:2e:
                    08:84:f5:c2:a0:b7:e8:cb:7d:f5:5c:fd:34:af:f2:
                    e0:f8:c1:c2:3e:27:89:27:e7:f9:cd:16:08:f2:dd:
                    25:83:d1:da:72:94:59:dd:fc:a2:3d:f0:f3:9b:01:
                    46:af:50:ff:cb:e3:14:2e:7e:24:02:9f:30:00:69:
                    9f:e8:e6:9e:65:de:f8:4d:da:c8:00:21:44:bb:5c:
                    ab:d3:8d:43:d8:a0:0b:08:06:7c:94:29:e6:89:22:
                    c4:1d:99:16:bc:75:6d:b3:4d:4c:ae:d2:e4:18:0e:
                    6e:29:01:09:e0:6b:07:31:58:62:0e:5d:3d:81:f0:
                    8f:d7:96:04:e5:e4:1b:9e:eb:51:ec:db:0b:2a:af:
                    6b:dc:de:54:a5:5e:a9:de:0f:e4:70:97:53:a6:31:
                    6c:c0:e3:fa:9f:18:2f:3f:68:c4:9c:69:48:8b:07:
                    4f:b8:f8:51:3e:a2:9c:36:5b:57:49:55:3b:f5:4e:
                    70:a2:3e:ac:62:8d:40:44:1c:76:66:27:0c:19:f7:
                    7e:c6:af:7b:2a:9b:50:3c:c5:90:a8:08:44:e4:5f:
                    4e:27:9a:7e:0d:3e:07:c3:cd:df:72:4c:ca:51:93:
                    0a:73:0e:21:6f:bf:92:04:30:58:a0:33:30:7b:6c:
                    b0:94:5f:10:a8:2c:97:e3:ca:5e:5e:01:46:71:fd:
                    ba:94:71:07:af:8c:ae:7a:e5:f3:f7:bd:94:3c:d3:
                    6f:66:2f:34:dd:76:71:96:da:e1:a9:3c:3f:34:9f:
                    b9:c2:7d:35:e1:a1:51:ab:74:75:4a:3e:ec:99:c9:
                    08:34:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: X509v3 Any Policy

            X509v3 Subject Key Identifier: 
                A6:FD:24:2C:B0:C1:AA:72:54:6B:C3:92:C3:7E:DA:94:B6:2D:6F:2B
            X509v3 Authority Key Identifier: 
                
keyid:D6:D3:4B:FB:C1:30:EB:0E:9A:80:31:62:22:16:68:7C:CD:B0:5B:C7

    Signature Algorithm: sha256WithRSAEncryption
         73:04:f4:b6:9d:4c:55:ca:8a:22:1a:16:ad:c1:75:2a:55:6d:
         c6:a8:15:38:05:5a:14:12:82:f7:e6:80:21:f5:fe:3b:c3:cd:
         eb:6a:f7:40:f5:79:d0:9f:a1:be:ab:5d:84:63:44:42:46:f7:
         fe:93:2b:ac:ea:c4:e1:75:09:1f:e3:8f:e1:0e:79:f4:94:d9:
         f3:6e:eb:17:91:fd:e2:cf:58:35:1c:9d:5f:f6:a8:b4:af:d7:
         bd:6e:a2:32:5b:74:33:17:0f:4a:e6:62:08:c1:b1:f7:0d:cb:
         9d:c4:b6:66:ad:af:c1:6a:8b:b6:e4:aa:f5:80:99:28:70:90:
         1a:81:dc:55:39:08:35:4d:63:3f:e5:2d:de:b0:34:c8:7a:b2:
         17:7b:4a:4d:ff:b8:de:0a:e0:54:3d:1a:07:6e:75:3f:b2:66:
         fc:9c:a1:d0:95:4f:70:17:f9:28:81:4e:49:3a:e3:80:f5:d4:
         45:02:fb:4e:dd:ab:8f:c2:43:95:5a:92:af:96:a8:c5:a9:10:
         10:98:0b:01:3d:c3:2f:b3:e0:e2:8d:9d:68:8e:b0:65:d9:f0:
         c8:26:c0:4b:e7:db:4b:64:3c:a9:64:af:27:c2:8d:6b:86:30:
         4c:4d:4d:e8:cb:8e:c4:35:ff:eb:93:b4:97:fc:77:55:0d:99:
         1f:03:ea:f5:68:29:5f:ca:e2:d3:10:db:35:c6:e5:85:d0:60:
         1a:65:b6:f4:c4:fc:87:45:e5:62:91:d7:fb:4b:57:91:38:34:
         e9:be:0f:11:a8:d0:c8:02:dd:98:57:09:0e:7f:c5:a0:e9:8e:
         93:15:be:97:fd:55:f2:df:c1:8e:21:05:71:57:2e:89:1d:7c:
         eb:f9:9b:68:d6:66:8c:3a:51:86:d1:cb:2a:e8:82:49:a9:ab:
         a6:c7:91:19:f0:e5:61:3c:7f:42:60:8d:d0:17:f1:48:33:e4:
         81:91:ea:db:06:75:a8:cc:c8:1e:2b:b1:0d:e8:ef:b8:0c:28:
         41:7b:56:b8:8d:28:f1:2d:f0:6d:d7:6c:c9:6d:57:15:51:d9:
         15:c8:34:12:2a:bb:ae:6f:6a:b8:cc:c6:b2:66:c8:20:61:58:
         91:cc:4a:58:43:f3:f3:33:5e:aa:6a:77:d9:8b:e4:26:6b:76:
         a6:05:b9:f8:a0:89:42:de:df:2f:0b:a1:79:5b:9e:e8:af:d0:
         5d:e4:e0:24:9c:40:55:6b:cc:68:e1:0c:11:cb:07:b4:fc:8e:
         b6:f1:4d:48:5b:b1:33:30:8f:91:89:eb:c8:a9:89:05:7c:f6:
         66:1f:76:cc:6c:02:34:27:65:30:15:27:ae:0a:17:8f:8d:72:
         7f:df:ea:90:bb:da:81:bc
-----BEGIN CERTIFICATE-----
MIIFjzCCA3egAwIBAgIBATANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJIVTET
MBEGA1UECgwKVGVzdCwgSW5jLjEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE5
MTAwNDE1MDAwMFoXDTM5MTAwNDE1MDAwMFowQTELMAkGA1UEBhMCSFUxEzARBgNV
BAoMClRlc3QsIEluYy4xHTAbBgNVBAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2TjSELLBCmfRFMDd09r3wZi2
nwYcohPGaxHX/1UWJBVEY+Pnspf0ddhJDsxagxpzY/ZzspBZIpItoGG0aXFl6AbG
0LmULNjYjOnwOEg02hJiS/Ep2CAHnq/uvqCJv+NkEszBYLDyy8MyZ2KwmQTRL1hh
sLGPn/MPFM9OozrgfzAuqHIXAqQj5kQOkRPKo03VrlGSjofxwIQA+wF68Z8ZTuXA
PyHoBTFZ2KXShGJRJcvG23qM+VfzBq1PtH3fvDUsYlg7jV7002WbLf8TY74ezi4I
hPXCoLfoy331XP00r/Lg+MHCPieJJ+f5zRYI8t0lg9HacpRZ3fyiPfDzmwFGr1D/
y+MULn4kAp8wAGmf6OaeZd74TdrIACFEu1yr041D2KALCAZ8lCnmiSLEHZkWvHVt
s01MrtLkGA5uKQEJ4GsHMVhiDl09gfCP15YE5eQbnutR7NsLKq9r3N5UpV6p3g/k
cJdTpjFswOP6nxgvP2jEnGlIiwdPuPhRPqKcNltXSVU79U5woj6sYo1ARBx2ZicM
Gfd+xq97KptQPMWQqAhE5F9OJ5p+DT4Hw83fckzKUZMKcw4hb7+SBDBYoDMwe2yw
lF8QqCyX48peXgFGcf26lHEHr4yueuXz972UPNNvZi803XZxltrhqTw/NJ+5wn01
4aFRq3R1Sj7smckINO0CAwEAAaOBmTCBljASBgNVHRMBAf8ECDAGAQH/AgEAMA4G
A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYD
VR0gBAowCDAGBgRVHSAAMB0GA1UdDgQWBBSm/SQssMGqclRrw5LDftqUti1vKzAf
BgNVHSMEGDAWgBTW00v7wTDrDpqAMWIiFmh8zbBbxzANBgkqhkiG9w0BAQsFAAOC
AgEAcwT0tp1MVcqKIhoWrcF1KlVtxqgVOAVaFBKC9+aAIfX+O8PN62r3QPV50J+h
vqtdhGNEQkb3/pMrrOrE4XUJH+OP4Q559JTZ827rF5H94s9YNRydX/aotK/XvW6i
Mlt0MxcPSuZiCMGx9w3LncS2Zq2vwWqLtuSq9YCZKHCQGoHcVTkINU1jP+Ut3rA0
yHqyF3tKTf+43grgVD0aB251P7Jm/Jyh0JVPcBf5KIFOSTrjgPXURQL7Tt2rj8JD
lVqSr5aoxakQEJgLAT3DL7Pg4o2daI6wZdnwyCbAS+fbS2Q8qWSvJ8KNa4YwTE1N
6MuOxDX/65O0l/x3VQ2ZHwPq9WgpX8ri0xDbNcblhdBgGmW29MT8h0XlYpHX+0tX
kTg06b4PEajQyALdmFcJDn/FoOmOkxW+l/1V8t/BjiEFcVcuiR186/mbaNZmjDpR
htHLKuiCSamrpseRGfDlYTx/QmCN0BfxSDPkgZHq2wZ1qMzIHiuxDejvuAwoQXtW
uI0o8S3wbddsyW1XFVHZFcg0Eiq7rm9quMzGsmbIIGFYkcxKWEPz8zNeqmp32Yvk
Jmt2pgW5+KCJQt7fLwuheVue6K/QXeTgJJxAVWvMaOEMEcsHtPyOtvFNSFuxMzCP
kYnryKmJBXz2Zh92zGwCNCdlMBUnrgoXj41yf9/qkLvagbw=
-----END CERTIFICATE-----

server.key
Description: application/pgp-keys

client.key
Description: application/pgp-keys

Bug#942097: openvpn does not re-read CRLs on client connect in "capath" mode

Reply via email to