OpenVPN certificate validation fails

Issue:
OpenVPN certificate validation fails

Solution:

As noted by OpenVPN, certificates must carry specific Key Usage (KU) and Extended Key Usage (EKU) values; OpenVPN checks them when it verifies the peer's certificate, and a mismatch makes the TLS handshake fail.

https://openvpn.net/community-resources/important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to/

Build your client and server certificates with the key usage and extended key usage that match their role. RFC 3280 (since superseded by RFC 5280) defines the following attributes for TLS peers, and these are the combinations OpenVPN accepts:

Client certificate
 Key usage (any one of):
  digitalSignature
  keyAgreement
  digitalSignature, keyAgreement
 Extended key usage:
  TLS Web Client Authentication

Server certificate
 Key usage (any one of):
  digitalSignature, keyEncipherment
  digitalSignature, keyAgreement
 Extended key usage:
  TLS Web Server Authentication


OpenVPN compares the certificate's key usage bits with each accepted combination and requires an exact match. A certificate that carries extra bits (for example dataEncipherment on top of digitalSignature and keyAgreement) fails validation even though it contains the required bits.

Example of debug messages from the IRG router. The three "expects" values are the client combinations listed above: 0080 = digitalSignature, 0008 = keyAgreement, 0088 = both. The certificate presented has 00b8, which matches none of them:
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 Validating certificate key usage
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 ++ Certificate has key usage 00b8, expects 0080
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 ++ Certificate has key usage 00b8, expects 0008
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 ++ Certificate has key usage 00b8, expects 0088
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 VERIFY KU ERROR

If you cannot obtain certificates with the Key Usage noted by OpenVPN, you can work around this by telling the OpenVPN service the exact key usage value of the certificates in use. The debug message above shows that value: 00b8, which is digitalSignature (0080) + keyEncipherment (0020) + dataEncipherment (0010) + keyAgreement (0008). The bit values OpenVPN uses are defined in its source as follows:

#define KU_DIGITAL_SIGNATURE    0x0080
#define KU_NON_REPUDIATION      0x0040
#define KU_KEY_ENCIPHERMENT     0x0020
#define KU_DATA_ENCIPHERMENT    0x0010
#define KU_KEY_AGREEMENT        0x0008
#define KU_KEY_CERT_SIGN        0x0004
#define KU_CRL_SIGN             0x0002
#define KU_ENCIPHER_ONLY        0x0001
#define KU_DECIPHER_ONLY        0x8000

Add the following parameter to the OpenVPN configuration. The value is hexadecimal; more than one value may be listed, separated by spaces, and the certificate must match one of them exactly. For the certificate in the example:
remote-cert-ku b8
With the Perle router this can be added as a template.

This parameter replaces only the key usage part of the check. Keep the extended key usage check in place (remote-cert-tls, or an explicit remote-cert-eku with "TLS Web Client Authentication" or "TLS Web Server Authentication" as appropriate); without it, a peer holding any certificate from the same CA could impersonate the server, which is the man-in-the-middle scenario described in the OpenVPN note linked above.

Example of successful verification:
Jan 06 10:34:20 EST %OVPN-P2S-5: 216.129.13.1:51086 Validating certificate key usage
Jan 06 10:34:20 EST %OVPN-P2S-5: 216.129.13.1:51086 ++ Certificate has key usage 00b8, expects 00b8
Jan 06 10:34:20 EST %OVPN-P2S-5: 216.129.13.1:51086 VERIFY KU OK
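To make the check concrete, the following is an added example written for this article; it is not Perle's or OpenVPN's code. It decodes a certificate's DER-encoded KeyUsage BIT STRING into the 16-bit value OpenVPN prints in its log, names the bits set, runs the same exact-match check the router performed above (producing the same log lines), and prints the remote-cert-ku value that makes the check pass. It assumes OpenVPN forms the value from the first bit-string byte as the low byte and the second as the high byte (which is why decipherOnly is 0x8000); the sample DER bytes 03 02 03 b8 are constructed to match the 00b8 certificate in the log.

```python
from __future__ import annotations

# Bit values as OpenVPN defines them (same numbers as the #define list above).
KU_BITS = {
    "digitalSignature": 0x0080,
    "nonRepudiation":   0x0040,
    "keyEncipherment":  0x0020,
    "dataEncipherment": 0x0010,
    "keyAgreement":     0x0008,
    "keyCertSign":      0x0004,
    "cRLSign":          0x0002,
    "encipherOnly":     0x0001,
    "decipherOnly":     0x8000,
}

# Exact-match lists behind remote-cert-tls on OpenVPN builds that check this way
# (the "expects 0080 / 0008 / 0088" lines in the router log are the client list).
EXPECT_CLIENT = [0x0080, 0x0008, 0x0088]
EXPECT_SERVER = [0x00a0, 0x0088]

# Constructed sample: DER KeyUsage BIT STRING for a certificate carrying
# digitalSignature, keyEncipherment, dataEncipherment and keyAgreement.
# 03 = BIT STRING tag, 02 = length, 03 = unused trailing bits, b8 = the bits.
SAMPLE_KU_DER = bytes.fromhex("030203b8")


def ku_from_der_bitstring(der: bytes) -> int:
    """Decode a DER BIT STRING holding X.509 KeyUsage into OpenVPN's 16-bit value.

    Assumption (not taken from the article): byte 0 of the bit string is the
    low byte and byte 1 the high byte, which is what makes decipherOnly 0x8000.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused, data = der[2], der[3:]
    if unused > 7 or (unused and not data):
        raise ValueError("invalid unused-bits count")
    if data and data[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    if len(data) > 2:
        raise ValueError("KeyUsage has at most 9 bits; longer string is malformed")
    value = 0
    for i, byte in enumerate(data):
        value |= byte << (8 * i)
    return value


def ku_names(value: int) -> list[str]:
    """Name the bits set in an OpenVPN key usage value."""
    return [name for name, bit in KU_BITS.items() if value & bit]


def ku_value(names) -> int:
    """Inverse of ku_names: build the value OpenVPN expects from bit names."""
    value = 0
    for name in names:
        value |= KU_BITS[name]
    return value


def verify_ku(cert_ku: int, expected: list[int]) -> tuple[bool, list[str]]:
    """Reproduce OpenVPN's check: the certificate value must equal one entry exactly."""
    log = ["Validating certificate key usage"]
    for exp in expected:
        log.append(f"++ Certificate has key usage {cert_ku:04x}, expects {exp:04x}")
        if cert_ku == exp:
            log.append("VERIFY KU OK")
            return True, log
    log.append("VERIFY KU ERROR")
    return False, log


def remote_cert_ku_line(cert_ku: int) -> str:
    """Configuration line that makes the exact-match check accept this certificate."""
    return f"remote-cert-ku {cert_ku:x}"


if __name__ == "__main__":
    ku = ku_from_der_bitstring(SAMPLE_KU_DER)
    print(f"certificate key usage {ku:04x}: {', '.join(ku_names(ku))}")
    ok, log = verify_ku(ku, EXPECT_CLIENT)       # fails, as in the router log
    print("\n".join(log))
    if not ok:
        print("workaround:", remote_cert_ku_line(ku))
        print("\n".join(verify_ku(ku, [ku])[1]))  # passes after the workaround
```

To apply this to a real certificate, take the value of the keyUsage extension from the DER (for example from the output of "openssl asn1parse -in cert.pem" or any ASN.1 dump) and feed it to ku_from_der_bitstring; the hex it returns is the value to put on the remote-cert-ku line.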

Related Links:
1.)  https://openvpn.net/community-resources/important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to/


Article ID:
643
Published:
3/17/2021 12:56:32 PM
Last Modified:
3/17/2021 1:56:04 PM
Issue Type:
Configuration