On Mon, Oct 5, 2015 at 4:48 PM, Dreetjeh D <dreet...@hotmail.com> wrote:
> Hello,
>
> So I have to say thank you, turns out the script was the culprit.
> Actually it is not my script, I speak and write some languages, but
> no scripting :-)
>

These scripts need not be "scripts" per se -- could be a compiled C or
Fortran or whatever executable that you prefer. They just have to provide an
exit code of 0 for success, non-zero for failure. Unless you meant ISO 639-3
languages ;)

> I found 4 scripts on the net, a php, perl and this shell script together
> with a python version.
>

It may be much more robust to use the env variable X509_0_CN which is set to
the common name of the depth 0 certificate. Easier to parse and probably more
reliable than picking apart the "subject in one line" string. Something like

grep "^$X509_0_CN$" "$1" && exit 0

should do the job.

> Yes, userlist.txt contains CN, one per line.
>
> The log now shows a verify ok.
>
> Tested login with another user but same certificate, access is granted.
> I expected no access if a userA tries to login with certificate of userB.
> But I see my thinking was not so logical :)
> I understand why and am thinking how did I miss that one?
> Username/CN needs to be unique...
> I also see each certificate has a unique x509v3 Subject Key Identifier,
> hm.....
>

If the purpose is to match common_name against username, tls-verify is not
the right tool. You can do that in the auth-user-pass-verify "script". By the
time that script is called, the common name is in the env as $common_name
(and as $X509_0_CN). The username is either in the env or passed via a file
depending on how auth-user-pass-verify is specified. Just return failure if
they don't match or don't correspond to each other in some prescribed manner.

Selva

> Have some searching to do if some script exists that will do that.
>
> Thanks to all,
> André
>
> ------------------------------
> From: selva.n...@gmail.com
> Date: Mon, 5 Oct 2015 15:01:08 -0400
> Subject: Re: [Openvpn-users] tls-verify script not working
> To: dreet...@hotmail.com
> CC: openvpn-users@lists.sourceforge.net
>
> On Mon, Oct 5, 2015 at 2:15 PM, Dreetjeh D <dreet...@hotmail.com> wrote:
> > > I'd add some debug statements to the script, e.g. add on the second line.
> > > echo "[$0] [$1] [$2] [$3] [$4]"
> >
> > Result:
> > *****************************
> > Mon Oct 5 19:23:14 2015 us=499434 192.168.11.32:1194 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > Mon Oct 5 19:23:14 2015 us=499500 192.168.11.32:1194 VERIFY EKU OK
> > *** [/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh] [/volume1/@appstore/VPNCenter/scripts/userlist.txt] [0] [C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com] [] ***
>
> ^^^^^^^^^^
> Your script tries to extract the common name using a regexp
> ".*/CN=\([^/][^/]*\)" which expects the input to be "... /CN=admin/..."
> which is not the case. An outdated script, perhaps?
>
> To extract the name "admin" from that input, try this regexp instead:
> ".* CN=\([^,]*\)"
>
> That is, replace the grep line in the script by
>
> grep -q "^`expr match "$3" ".* CN=\([^,]*\)"`$" "$1" && exit 0
>
> I am assuming your userlist.txt file contains a list of common names, one
> per line.
>
> Extracting the common name from the subject string presented in an
> undocumented format looks quite flaky. There has to be a better way of
> doing tls-verify.
>
> > This line shows up extra, so I would think the admin cert arrived.
> > ***
> > Mon Oct 5 19:23:14 2015 us=511255 192.168.11.32:1194 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
> > Mon Oct 5 19:23:14 2015 us=511360 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=0, C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress= dreet...@hotmail.com
> > Mon Oct 5 19:23:14 2015 us=511681 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> > ******************************
> >
> > > Also, what happens if you run the script manually
> > > with the same parameters as specified via OpenVPN ?
> >
> > You mean start from the CLI? It's becoming quite a journey :)
>
> This is easy to do. Just cd to the script directory and run
>
> $ ./ovpnCNcheck.sh userlist.txt 0 "C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com"
>
> (the above is all in one line) and check the exit code as
>
> $ echo $?
>
> You should get 0 for success, 1 for failure.
>
> Selva
>
> > Thanks for trying to help this novice.
> > André
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
------------------------------------------------------------------------------
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
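Selva's suggestion of doing the username/CN comparison in the auth-user-pass-verify script, worked through as an added example (this is not code from the thread or from OpenVPN). It assumes OpenVPN's documented variables $common_name, $X509_0_CN and, for via-env, $username, plus the via-file layout of username on line 1 and password on line 2; the USERLIST variable and its /etc/openvpn/userlist.txt default are placeholders for wherever the allow-list lives.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): an
# auth-user-pass-verify helper that accepts a login only when the
# username equals the client certificate's common name and that CN
# is on an allow-list, one CN per line (path in USERLIST, assumed).
# Assumes OpenVPN's documented environment: $common_name (and
# $X509_0_CN) always; $username for "via-env"; for "via-file", the
# path in $1 with the username on line 1 and the password on line 2.

# Print the username from the environment or from the via-file path.
# Returns 1 when neither source is available.
read_username() {
    if [ -n "${username:-}" ]; then
        printf '%s\n' "$username"
    elif [ -n "${1:-}" ] && [ -r "$1" ]; then
        head -n 1 "$1"
    else
        return 1
    fi
}

# Exact string comparison, never a pattern match: "adm.n" must not
# pass as "admin", and an empty CN must never match anything.
cn_matches_user() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Whole-line fixed-string lookup (-x -F) of the CN in the allow-list,
# so regex metacharacters in a CN cannot widen the match as they
# would with grep "^$X509_0_CN$".
cn_in_list() {
    grep -qxF -- "$1" "$2"
}

# Returns 0 (accept) only when both checks pass; any other case is
# a rejection, which OpenVPN treats as authentication failure.
authorize() {
    cn_matches_user "$1" "$2" && cn_in_list "$1" "$3"
}

# Entry point when run by OpenVPN (only then is $common_name set).
if [ -n "${common_name:-}" ]; then
    user=$(read_username "${1:-}") || exit 1
    authorize "$common_name" "$user" \
        "${USERLIST:-/etc/openvpn/userlist.txt}" || exit 1
    exit 0
fi
```

Wire it in with `auth-user-pass-verify /path/to/this.sh via-file` (or `via-env`); as with tls-verify, the exit code is the verdict.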