How to allow (some) expired client certificates?

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

How to allow (some) expired client certificates?

Post by tschoening » Tue Jan 28, 2020 8:02 pm

I would like to prepare for the case that client certificates get expired and wondered if there's any option/hook one can use to tell OpenVPN to accept client certificates even if they have been expired?

Looking at the reference manual, I only found things which could be checked alternatively or additionally and then mostly after OpenVPN itself validated certificates already. But I can't find anything to tell that OpenVPN should do its normal certificate validation but only in case a certificate has been expired simply still allow it or optionally ask me by using some script.

"--tls-verify cmd" runs only after all other tests have passed already, but in case of an expired certificate things fail. The same seems to be the case for "--management-client-auth". Something like "--verify-client-cert none|optional|require" sounds promising, but there simply doesn't seem to be the case I need. Using username+password wouldn't help my use case, because that would involve reconfiguring lots of clients, in which case I could simply change certificates as well. I need something which relies on certificates but gives me some additional influence.

So is that possible at all currently? From what I've read it sounds like the answer is no. Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to allow (some) expired client certificates?

Post by TinCanTech » Wed Jan 29, 2020 1:02 am

See --verify-client-cert in the man.

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

Re: How to allow (some) expired client certificates?

Post by tschoening » Wed Jan 29, 2020 7:03 am

As can be read in my text, I did and it doesn't seem to provide what I'm looking for. How exactly does this option accept an expired certificate?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to allow (some) expired client certificates?

Post by TinCanTech » Wed Jan 29, 2020 2:46 pm

I have never tried it myself, no need to. However, if it does not work that way then so be it.

Did you try issuing a new certificate to the client?

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

Re: How to allow (some) expired client certificates?

Post by tschoening » Wed Jan 29, 2020 4:28 pm

TinCanTech wrote (Wed Jan 29, 2020 2:46 pm):
> Did you try issuing a new certificate to the client?

No, but I know that this is possible and am thinking of ways to avoid that for various reasons.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to allow (some) expired client certificates?

Post by TinCanTech » Wed Jan 29, 2020 5:03 pm

I think you will find you are out of luck, unless you want to take a shot at changing the source code.

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

Re: How to allow (some) expired client certificates?

Post by tschoening » Wed Jan 29, 2020 5:53 pm

I suspected the same. But have a look at the following error messages:
[...]ovpn-server[24352]: Options error: --verify-client-cert none|optional must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin
Where does that "or plugin" belong to in your opinion? To me it reads like it's an additional 3rd option independent of all the others. But the only mention of "plugin" I found was in combination with "--auth-user-pass", like in the following docs:

https://openvpn.net/community-resources ... n-methods/

So it seems that without certificates, everything else is always bound to at least username+password? Do you know where I can find docs about what exactly is possible with plugins when? Things like API-docs etc.?
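
The rule stated by the error message quoted in the post above, as an added example that is not part of the original thread and not OpenVPN's own code: a small Python check that reads a server config and reports whether `verify-client-cert none|optional` is paired with one of the three companions the message names. The function names, sample configs and `/path/to/...` values are constructed for illustration.

```python
import shlex

# Companions named in the error message quoted in the thread.
COMPANIONS = ("management-client-auth", "auth-user-pass-verify", "plugin")

def parse_directives(config_text):
    """Return [(name, args)] per directive; '#' and ';' comment lines are skipped."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            # The thread writes options in command-line form (--name); strip the dashes.
            directives.append((tokens[0].lstrip("-"), tokens[1:]))
    return directives

def check_client_cert_policy(config_text):
    """Return (mode, ok, companions_found) for one server config."""
    directives = parse_directives(config_text)
    mode = "require"  # OpenVPN's default when verify-client-cert is absent
    for name, args in directives:
        if name == "verify-client-cert" and args:
            mode = args[0]
    found = [c for c in COMPANIONS if any(n == c for n, _ in directives)]
    # Only none/optional need a companion; require relies on the certificate itself.
    ok = mode not in ("none", "optional") or bool(found)
    return mode, ok, found

# Constructed sample configs (paths are placeholders, not taken from the thread).
CERT_ONLY = "ca ca.crt\ncert server.crt\nkey server.key\n"
OPTIONAL_ALONE = CERT_ONLY + "verify-client-cert optional  # rejected at startup\n"
OPTIONAL_SCRIPT = (CERT_ONLY + "verify-client-cert optional\n"
                   "script-security 2\n"
                   "auth-user-pass-verify /path/to/check-user.sh via-env\n")
NONE_PLUGIN = CERT_ONLY + "--verify-client-cert none\nplugin /path/to/auth-plugin.so\n"

if __name__ == "__main__":
    samples = [("cert only", CERT_ONLY), ("optional alone", OPTIONAL_ALONE),
               ("optional + script", OPTIONAL_SCRIPT), ("none + plugin", NONE_PLUGIN)]
    for label, cfg in samples:
        mode, ok, found = check_client_cert_policy(cfg)
        print(f"{label:18} mode={mode:8} ok={ok} companions={found}")
```

Passing this check only means the option combination is one the error message allows; it does not change how certificate expiry is evaluated.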

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to allow (some) expired client certificates?

Post by TinCanTech » Wed Jan 29, 2020 6:06 pm

The point you are missing is that, if you don't verify the client cert then openvpn expects you to verify by username/password. It's a minimum level of security and the manual makes it absolutely clear that your security is down to your user/pass verification.

I suggest you start with the Howto.
https://community.openvpn.net/openvpn/wiki/HOWTO

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

Re: How to allow (some) expired client certificates?

Post by tschoening » Wed Jan 29, 2020 6:48 pm

You should be more careful about what you tell people they didn't understand properly. :-/ Let's have a look at the docs:
> none : a client certificate is not required. the client need to authenticate using username/password only.
> optional : a client may present a certificate but it is not required to do so. When using this directive, you should also use a --auth-user-pass-verify script to ensure that clients are authenticated using a certificate, a username and password, or possibly even both.

"need" vs. "should", that's why I tested that specific setup and wondered what exactly the printed error message means.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to allow (some) expired client certificates?

Post by TinCanTech » Wed Jan 29, 2020 7:34 pm

tschoening wrote (Wed Jan 29, 2020 6:48 pm):
> You should be more careful about what you tell people they didn't understand properly

:roll:

tschoening wrote (Wed Jan 29, 2020 5:53 pm):
> Options error: --verify-client-cert none|optional must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin

:geek:

tschoening wrote (Wed Jan 29, 2020 6:48 pm):
> "need" vs. "should", that's why I tested that specific setup and wondered what exactly the printed error message means.

TinCanTech wrote (Wed Jan 29, 2020 6:06 pm):
> The point you are missing is that, if you don't verify the client cert then openvpn expects you to verify by username/password. It's a minimum level of security and the manual makes it absolutely clear that your security is down to your user/pass verification.
>
> I suggest you start with the Howto.
> https://community.openvpn.net/openvpn/wiki/HOWTO

Last edited by TinCanTech on Wed Jan 29, 2020 9:21 pm, edited 1 time in total.

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

Re: How to allow (some) expired client certificates?

Post by tschoening » Wed Jan 29, 2020 7:52 pm

Why do you think I was asking for how exactly "or plugin" is meant, where it belongs to in the sentence and where I can find docs for that? Your bold "must" in combination with "or plugin" in theory could perfectly well mean that no combination of username+password is necessary IF one uses a plugin INSTEAD. The error message I quoted is simply NOT clear regarding that point and the docs I quoted are NOT clear regarding that point as well.

It would be of much more help if you would have been able to provide the docs I was requesting and unable to find myself instead of guessing what I might have understood or not.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to allow (some) expired client certificates?

Post by TinCanTech » Wed Jan 29, 2020 9:24 pm

tschoening wrote (Wed Jan 29, 2020 7:52 pm):
> Why do you think I was asking for how exactly "or plugin" is meant

One or the other ..

tschoening wrote (Wed Jan 29, 2020 7:52 pm):
> where it belongs to in the sentence and where I can find docs for that?

TinCanTech wrote (Wed Jan 29, 2020 6:06 pm):
> I suggest you start with the Howto.
> https://community.openvpn.net/openvpn/wiki/HOWTO

tschoening wrote (Wed Jan 29, 2020 7:52 pm):
> Your bold "must" in combination with "or plugin" in theory could perfectly well mean that no combination of username+password is necessary IF one uses a plugin INSTEAD. The error message I quoted is simply NOT clear regarding that point and the docs I quoted are NOT clear regarding that point as well.
>
> It would be of much more help if you would have been able to provide the docs I was requesting and unable to find myself instead of guessing what I might have understood or not.

Improvements to the documentation are always welcome.

tschoening
OpenVpn Newbie
Posts: 17
Joined: Tue Jan 28, 2020 7:47 pm

Re: How to allow (some) expired client certificates?

Post by tschoening » Thu Jan 30, 2020 7:39 am

TinCanTech wrote (Wed Jan 29, 2020 9:24 pm):
> tschoening wrote (Wed Jan 29, 2020 7:52 pm):
> > where it belongs to in the sentence and where I can find docs for that?
>
> TinCanTech wrote (Wed Jan 29, 2020 6:06 pm):
> > I suggest you start with the Howto.
> > https://community.openvpn.net/openvpn/wiki/HOWTO

Did you actually look at that HowTo? It contains the following sentence:

> If you would like more information on developing your own plugins for use with OpenVPN, see the README files in the plugin subdirectory of the OpenVPN source distribution.

The only plugin-related subdirectory I was able to find is "plugins" instead of "plugin" and that doesn't seem to contain any generic README explaining plugins in general, but only the specific ones already available:

https://github.com/OpenVPN/openvpn/tree ... rc/plugins

And that's why I asked for additional details, as it's obvious that the existing username+password-plugin is not of much help answering my questions. I need to influence certificate validation itself, if at all.

So, do you know about general docs about plugins, available interfaces/hooks etc. to them or not?
