Hello,

So I have to say thank you, turns out the script was the culprit. Actually it is not my script, I speak and write some languages, but no scripting :-) I found 4 scripts on the net, a php, perl and this shell script together with a python version.

Yes, userlist.txt contains CN, one per line.

The log now shows a verify ok. Tested login with another user but same certificate, access is granted. I expected no access if a userA tries to login with the certificate of userB. But I see my thinking was not so logical :) I understand why and am thinking, how did I miss that one? Username/CN needs to be unique... I also see each certificate has a unique x509v3 Subject Key Identifier, hm..... Have some searching to do if some script exists that will do that.

Thanks to all,
André
From: selva.n...@gmail.com
Date: Mon, 5 Oct 2015 15:01:08 -0400
Subject: Re: [Openvpn-users] tls-verify script not working
To: dreet...@hotmail.com
CC: openvpn-users@lists.sourceforge.net

On Mon, Oct 5, 2015 at 2:15 PM, Dreetjeh D <dreet...@hotmail.com> wrote:
>> I'd add some debug statements to the script, e.g. add on the second line.
>> echo "[$0] [$1] [$2] [$3] [$4]"
>
> Result:
> *****************************
> Mon Oct 5 19:23:14 2015 us=499434 192.168.11.32:1194 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> Mon Oct 5 19:23:14 2015 us=499500 192.168.11.32:1194 VERIFY EKU OK
> *** [/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh] [/volume1/@appstore/VPNCenter/scripts/userlist.txt] [0] [C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com] [] ***
                                                                                                                       ^^^^^^^^^^

Your script tries to extract the common name using a regexp ".*/CN=\([^/][^/]*\)" which expects the input to be "... /CN=admin/..." which is not the case. An outdated script, perhaps?

To extract the name "admin" from that input, try this regexp instead: ".* CN=\([^,]*\)"

That is, replace the grep line in the script by

grep -q "^`expr match "$3" ".* CN=\([^,]*\)"`$" "$1" && exit 0

I am assuming your userlist.txt file contains a list of common names, one per line.

Extracting the common name from the subject string presented in an undocumented format looks quite flaky. There has to be a better way of doing tls-verify.

> This line shows up extra, so I would think the admin cert arrived.
> ***
> Mon Oct 5 19:23:14 2015 us=511255 192.168.11.32:1194 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
> Mon Oct 5 19:23:14 2015 us=511360 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=0, C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com
> Mon Oct 5 19:23:14 2015 us=511681 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> ******************************
>
>> Also, what happens if you run the script manually
>> with the same parameters as specified via OpenVPN ?
>
> You mean start from the CLI? It's becoming quite a journey :)

This is easy to do. Just cd to the script directory and run

$ ./ovpnCNcheck.sh userlist.txt 0 "C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com"

(the above is all in one line) and check the exit code as

$ echo $?

You should get 0 for success, 1 for failure.

Selva

> Thanks for trying to help this novice.
> André

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
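A stand-alone version of the CN check this thread is debugging, added here as an example (it is not the poster's ovpnCNcheck.sh nor any OpenVPN project code): it accepts both the old "/CN=.../" subject format and the comma-separated one seen in the log, matches the CN against the list literally and as a whole line, and checks only the leaf certificate. The demo user list and the e-mail address in the sample subject are constructed values.

```shell
#!/bin/sh
# OpenVPN runs a --tls-verify script once per certificate in the chain as
#   script <extra args from --tls-verify> <depth> <X509 subject>
# In the thread the extra argument is the userlist file (one CN per line).
# Both subject formats are handled: the old "/C=NL/.../CN=admin/..." and the
# comma-separated "C=NL, ST=GLD, ..., CN=admin, ..." seen in the poster's log.

# Print the CN from an X509 subject string; print nothing if there is none.
extract_cn() {
    case $1 in
        /*) printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p' ;;
        # A leading ", " is prepended so a subject starting with CN= also matches.
        *)  printf ', %s\n' "$1" | sed -n 's#.*, CN=\([^,]*\).*#\1#p' ;;
    esac
}

# Succeed only if the CN is a complete line of the list file.
# -F: literal match, so a CN such as ".*" cannot act as a regex;
# -x: whole-line match, so "adm" does not match "admin".
cn_in_list() {
    [ -n "$1" ] || return 1
    grep -Fxq -- "$1" "$2"
}

# Exit 0 to let the TLS handshake continue, 1 to reject it.
verify_client() {
    listfile=$1 depth=$2 subject=$3
    # CA certificates (depth > 0) carry no user CN; accept them so the
    # chain can be validated, and check only the client leaf (depth 0).
    if [ "$depth" != 0 ]; then return 0; fi
    cn_in_list "$(extract_cn "$subject")" "$listfile"
}

# Invoked by OpenVPN with three arguments: act as the tls-verify script.
if [ $# -eq 3 ]; then
    verify_client "$@"
    exit $?
fi

# Run with no arguments: demo against a constructed user list (not the poster's file).
if [ $# -eq 0 ]; then
    demo_list=$(mktemp)
    printf 'admin\nandre\n' > "$demo_list"
    for s in "C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=a@example.invalid" \
             "/C=NL/ST=GLD/O=MMD/OU=OVPN-NAS/CN=guest"; do
        if verify_client "$demo_list" 0 "$s"; then r=allowed; else r=denied; fi
        printf 'CN=%s -> %s\n' "$(extract_cn "$s")" "$r"
    done
    rm -f "$demo_list"
fi
```

Like the original script, this answers only whether the presented CN is on the list; it does not tie the certificate to the username a client logs in with, which is the gap André describes above.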