Opened 5 years ago

Last modified 3 years ago

#1149 new Bug / Defect

ssl_verify_openssl.c: missing CRL errors cause omission of verify_cert() routine

Reported by: sdl Owned by:
Priority: major Milestone: release 2.5.3
Component: Certificates Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger


In ssl_verify_openssl.c, line 80:
/* Log and ignore missing CRL errors */

If certificate error is X509_V_ERR_UNABLE_TO_GET_CRL, which is considered here as warning only, this IF branch performs:

ret = 1;
goto cleanup;

... causing omission of the subsequent verify_cert() (line 103) procedure.

Change History (5)

comment:1 Changed 5 years ago by plaisthos

Yes, but I am not seeing the problem here. The branch you are talking about is only called if the we end up with an error anyway ( if (!preverify_ok))

comment:2 Changed 5 years ago by sdl

Yes, the branch is only called (if (!preverify_ok)). This means something is wrong with the certificate. But from the crypto library's point of view only. The OpenVPN project itself has been designed so there's an ssl reported certificate error (missing CRL), which is cosidered as a warning only with logging, not an error, in this piece of code. So this kind of error makes OpenVPN not reject connection, but proceed with it. And in this case, the following verify_cert() procedure has to be called to ensure OpenVPN's own certificate checks. In the current code, in case of missing CRL errors, verify_cert() procedure is omitted by "goto cleanup" statement, returning "ret = 1" immediately as success, which is a bug.

comment:3 Changed 5 years ago by tct


comment:4 Changed 5 years ago by Gert Döring

Cc: Steffan Karger added

@syzzer: can I interest you in having a look?

comment:5 Changed 3 years ago by Gert Döring

Milestone: release 2.5release 2.5.3
Note: See TracTickets for help on using tickets.