Opened 5 years ago
Last modified 3 years ago
#1149 new Bug / Defect
ssl_verify_openssl.c: missing CRL errors cause omission of verify_cert() routine
| Reported by: | sdl | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.5.3 |
| Component: | Certificates | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | Steffan Karger |
Description
In ssl_verify_openssl.c, line 80:
/* Log and ignore missing CRL errors */
If certificate error is X509_V_ERR_UNABLE_TO_GET_CRL, which is considered here as warning only, this IF branch performs:
ret = 1;
goto cleanup;
... causing omission of the subsequent verify_cert() (line 103) procedure.
Change History (5)
comment:1 Changed 5 years ago by
comment:2 Changed 5 years ago by
Yes, the branch is only called (if (!preverify_ok)). This means something is wrong with the certificate. But from the crypto library's point of view only. The OpenVPN project itself has been designed so there's an ssl reported certificate error (missing CRL), which is cosidered as a warning only with logging, not an error, in this piece of code. So this kind of error makes OpenVPN not reject connection, but proceed with it. And in this case, the following verify_cert() procedure has to be called to ensure OpenVPN's own certificate checks. In the current code, in case of missing CRL errors, verify_cert() procedure is omitted by "goto cleanup" statement, returning "ret = 1" immediately as success, which is a bug.
comment:4 Changed 4 years ago by
| Cc: | Steffan Karger added |
|---|
@syzzer: can I interest you in having a look?
comment:5 Changed 3 years ago by
| Milestone: | release 2.5 → release 2.5.3 |
|---|
Yes, but I am not seeing the problem here. The branch you are talking about is only called if the we end up with an error anyway ( if (!preverify_ok))