
Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 24 May 2021 18:39, Selva Nair <selva.n...@gmail.com> wrote:

> Hi,
>
> On Mon, May 24, 2021 at 10:09 AM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Hi,
> > Is this expected ?
> > Server log:
> > 2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY SCRIPT OK
> > 2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate extended key usage
> > 2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK
> > <EXOK> * EasyTLS-verify => CN: cli-arch-v21x connection allowed
> > 2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573911 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=573928 10.10.201.226:60276 Validating certificate extended key usage
> > 2021-05-24 14:58:03 us=573939 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=573948 10.10.201.226:60276 VERIFY EKU OK
> > <EXOK> * EasyTLS-verify => CN: cli-arch-v21x connection allowed
> > 2021-05-24 14:58:03 us=588472 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=588508 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=590929 10.10.201.226:60276 peer info: IV_VER=2.6_git
>
> This looks like an unintended consequence of how and when OpenSSL
> executes the verify callback. If there are no verification errors, the
> callback is called only once for each depth with preverify_ok = 1.
> When there are errors (as is the case when CA is missing), for each
> depth and each error we get a callback. (Ref: OpenSSL docs on
> SSL_CTX_set_verify).
>
> Even for self-signed certs one would get a call with an error saying
> certificate is self-signed and then possibly another call with
> signature verification success. For a cert issued by a CA, one would
> first get an "issuer missing" error followed by a "signature
> verification" error and no success calls unless there are intermediate
> certs.
>
> This was not an issue before fingerprint support. In that case we do
> not proceed further when OpenSSL reports a verify error.
>
> The easiest option for scripts may be to be prepared to be called
> multiple times with the same cert and same depth. I think we should
> export the verification error-status to the env so that the script
> could make a more informed decision.


Note: In the logs above, the script is executed *before* Openvpn/Openssl
verification, so exporting error-status to env for script seems unlikely.



> Our internal callback is not meant to be executed multiple times with
> same depth, but the side effects appear to be benign -- like repeated
> VERIFY OK in the logs.
>
> Selva

Thanks
R
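Selva's suggestion above is that a tls-verify script should be prepared to be called more than once with the same certificate and depth. The following is an added example illustrating that advice; it is not code from this thread, from EasyTLS or from the OpenVPN project. It relies only on OpenVPN's documented --tls-verify interface (two arguments, certificate depth and X.509 subject, plus the tls_serial_<depth>, untrusted_ip and untrusted_port environment variables). The state directory, the allow-list file and the "leaf CN must be on an allow-list" policy are assumptions of the example.

```shell
#!/bin/sh
# Added example, not OpenVPN or EasyTLS code: an OpenVPN --tls-verify script
# that stays correct when OpenVPN invokes it more than once for the same
# peer, depth and certificate (one OpenSSL verify-callback call per error).
# Interface (from OpenVPN's --tls-verify documentation): two arguments,
# certificate depth and X.509 subject; the environment carries
# tls_serial_<depth>, untrusted_ip and untrusted_port.
# STATE_DIR and ALLOW_LIST locations are assumptions of this example.

STATE_DIR="${TLS_VERIFY_STATE_DIR:-/tmp/openvpn-tls-verify}"
ALLOW_LIST="${TLS_VERIFY_ALLOW_LIST:-/etc/openvpn/allowed-cns}"

# subject_cn SUBJECT: pull the CN out of "CN=foo, O=bar" or "/O=bar/CN=foo".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# decide CN: the part that should run once per connection, e.g. an
# allow-list (or CRL/OCSP) lookup. Exact whole-line match; 0 = listed.
decide() {
    [ -r "$ALLOW_LIST" ] || return 1
    grep -qxF -- "$1" "$ALLOW_LIST"
}

# verify_once DEPTH SUBJECT
# First call for a (peer, depth, serial) prints "decided allow|deny" and
# records the verdict; any repeat prints "cached allow|deny" and replays it.
# Exit status: 0 = allow, 1 = deny (what OpenVPN acts on).
verify_once() {
    depth="$1"
    subject="$2"
    case "$depth" in
        ''|*[!0-9]*) echo "tls-verify: bad depth '$depth'" >&2; return 1 ;;
    esac
    # Serial of the certificate at this depth, as exported by OpenVPN;
    # fall back to the subject when it is absent.
    serial=$(eval "printf '%s' \"\${tls_serial_${depth}:-}\"")
    peer="${untrusted_ip:-unknown}:${untrusted_port:-0}"
    key=$(printf '%s|%s|%s' "$peer" "$depth" "${serial:-$subject}" \
          | tr -c 'A-Za-z0-9._-' '_')
    mkdir -p "$STATE_DIR"
    cache="$STATE_DIR/$key"

    if [ -f "$cache" ]; then
        verdict=$(cat "$cache")
        echo "cached $verdict"
        [ "$verdict" = allow ]
        return
    fi

    if [ "$depth" -ne 0 ]; then
        # Only the leaf (depth 0) is checked against the allow-list; chain
        # validation of the CA certificates is left to OpenVPN itself.
        verdict=allow
    elif decide "$(subject_cn "$subject")"; then
        verdict=allow
    else
        verdict=deny
    fi
    printf '%s\n' "$verdict" > "$cache"
    echo "decided $verdict"
    [ "$verdict" = allow ]
}

# When run by OpenVPN (two arguments), act; when sourced, only define.
if [ "$#" -eq 2 ]; then
    verify_once "$1" "$2"
fi
```

The cache key is the peer's untrusted IP:port, the depth and the certificate serial, so a repeated callback for the same handshake replays the earlier verdict instead of re-running the lookup, while a new connection from the same client gets a fresh decision. The per-connection cache files are never pruned in this example; a production script would clear them from a --client-disconnect hook or by age.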


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel