Issue:
OpenVPN certificate validation fails
Solution:
As noted by OpenVPN, the certificates must carry specific Key Usage (KU) and Extended Key Usage (EKU) values, which are checked during validation:
https://openvpn.net/community-resources/important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to/
Build your server and client certificates with the required key usage and extended key usage. RFC 3280 specifies the following attributes for TLS connections; for key usage, the certificate must carry one of the listed combinations:
Mode: Client
    Key usage (one of):
        digitalSignature
        keyAgreement
        digitalSignature, keyAgreement
    Extended key usage:
        TLS Web Client Authentication
Mode: Server
    Key usage (one of):
        digitalSignature, keyEncipherment
        digitalSignature, keyAgreement
    Extended key usage:
        TLS Web Server Authentication
If the key usage bits of the certificate do not match any of the expected values, validation fails.
Example of debug messages from the IRG router (the expected values 0080, 0008 and 0088 are the three client-mode combinations from the table above):
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 Validating certificate key usage
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 ++ Certificate has key usage 00b8, expects 0080
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 ++ Certificate has key usage 00b8, expects 0008
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 ++ Certificate has key usage 00b8, expects 0088
Jan 06 09:48:43 EST %OVPN-P2S-5: 216.129.13.1:39576 VERIFY KU ERROR
If you cannot obtain certificates with the Key Usage required by OpenVPN, you can work around this by instructing the OpenVPN service to accept the key usage value actually set in the certificates in use. The debug messages above show that the certificate's key usage value is 00b8, which is the sum of the bits 0x80 + 0x20 + 0x10 + 0x08 (digitalSignature, keyEncipherment, dataEncipherment and keyAgreement). The individual bit values, as defined in OpenSSL's x509v3.h, are:
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040
#define KU_KEY_ENCIPHERMENT 0x0020
#define KU_DATA_ENCIPHERMENT 0x0010
#define KU_KEY_AGREEMENT 0x0008
#define KU_KEY_CERT_SIGN 0x0004
#define KU_CRL_SIGN 0x0002
#define KU_ENCIPHER_ONLY 0x0001
#define KU_DECIPHER_ONLY 0x8000
Add the following parameter to the OpenVPN configuration:
remote-cert-ku <hex value of the combined key usage bits, e.g. b8 for the certificate above>
On the Perle router this can be added as a configuration template.
Example of successful verification:
Jan 06 10:34:20 EST %OVPN-P2S-5: 216.129.13.1:51086 Validating certificate key usage
Jan 06 10:34:20 EST %OVPN-P2S-5: 216.129.13.1:51086 ++ Certificate has key usage 00b8, expects 00b8
Jan 06 10:34:20 EST %OVPN-P2S-5: 216.129.13.1:51086 VERIFY KU OK
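As an added example (not code from the article, from Perle or from the OpenVPN project), the following Python reproduces the check shown in the router log: it derives the key usage value from the Key Usage line of `openssl x509 -noout -text` output, compares it exactly against the client and server values from the table above, and builds the matching remote-cert-ku line. The exact-match behaviour is assumed from the log lines shown here, and the OpenSSL label names and the sample certificate text are assumptions constructed for this example.

```python
import re
# OpenSSL KU_* bit values, the same table as the article.
KU_BITS = {
    "digitalSignature": 0x0080, "nonRepudiation": 0x0040, "keyEncipherment": 0x0020,
    "dataEncipherment": 0x0010, "keyAgreement": 0x0008, "keyCertSign": 0x0004,
    "cRLSign": 0x0002, "encipherOnly": 0x0001, "decipherOnly": 0x8000,
}
# Labels printed by `openssl x509 -text` (assumed OpenSSL wording), mapped to the bit names above.
OPENSSL_LABELS = {
    "Digital Signature": "digitalSignature", "Non Repudiation": "nonRepudiation",
    "Key Encipherment": "keyEncipherment", "Data Encipherment": "dataEncipherment",
    "Key Agreement": "keyAgreement", "Certificate Sign": "keyCertSign",
    "CRL Sign": "cRLSign", "Encipher Only": "encipherOnly", "Decipher Only": "decipherOnly",
}
# KU values remote-cert-tls expects, from the article's table: any one must match exactly.
EXPECTED_KU = {
    "client": [0x0080, 0x0008, 0x0088],   # digitalSignature; keyAgreement; both
    "server": [0x00a0, 0x0088],           # digitalSignature+keyEncipherment; +keyAgreement
}
# Constructed sample: the Key Usage block of a client certificate like the one in the log.
SAMPLE_TEXT = """\
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
"""
def ku_value(names):
    """OR the named key-usage bits into the 16-bit value OpenVPN logs (e.g. 0x00b8)."""
    value = 0
    for name in names:
        value |= KU_BITS[name]
    return value

def ku_from_openssl_text(text):
    """Parse the 'X509v3 Key Usage' line of `openssl x509 -noout -text` output; None if absent."""
    m = re.search(r"X509v3 Key Usage:[^\n]*\n[ \t]*([^\n]+)", text)
    if not m:
        return None
    return ku_value(OPENSSL_LABELS[label.strip()] for label in m.group(1).split(","))

def verify_ku(cert_ku, expected):
    """Exact-match check as in the router log (assumed from the log, not taken from OpenVPN source)."""
    log = ["Validating certificate key usage"]
    for exp in expected:
        log.append(f"++ Certificate has key usage {cert_ku:04x}, expects {exp:04x}")
        if cert_ku == exp:
            return True, log + ["VERIFY KU OK"]
    return False, log + ["VERIFY KU ERROR"]

def remote_cert_ku_option(cert_ku):
    """Configuration line that makes the peer accept exactly this key usage value."""
    return f"remote-cert-ku {cert_ku:x}"
```

Running the parsed value through verify_ku with EXPECTED_KU["client"] yields the same three mismatch lines as the router log, and remote_cert_ku_option(0xb8) yields the workaround line.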
Article ID: 643
Published: 3/17/2021 12:56:32 PM
Last Modified: 3/17/2021 1:56:04 PM
Issue Type: Configuration