Re: [Openvpn-devel] [PATCH v2 3/5] Support fingerprint authentication without CA certificate
Hi,
On 19/03/2021 15:20, Arne Schwabe wrote:
> From: "Jason A. Donenfeld"
>
> OpenVPN traditionally works around CAs. However many TLS-based protocols also
> allow an alternative simpler mode in which rather than verify certificates
> against CAs, the certificate itself is hashed and compared against a
> pre-known set of acceptable hashes. This is usually referred to as
> "fingerprint verification". It's popular across SMTP servers, IRC servers,
> XMPP servers, and even in the context of HTTP with pinning.
>
>* Allow not specifying the --ca parameter, to specify that
> certificates should not be checked against a CA.
>
> I've included some instructions on how to use all of this.
>
> Server side:
>
>
> Make self-signed cert:
> $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout
> serverkey.pem -out servercert.pem -nodes -sha256 -days 3650 -subj '/CN=server'
>
> Record our fingerprint in an environment variable for the client to use later:
> $ server_fingerprint="$(openssl x509 -in servercert.pem -noout -sha256
> -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"
>
> Client side:
>
> Make self-signed cert:
> $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout
> clientkey.pem -out clientcert.pem -nodes -sha256 -days 3650 -subj '/CN=client'
>
> Record our fingerprint in an environment variable for the server to use later:
> $ client_fingerprint="$(openssl x509 -in clientcert.pem -noout -sha256
> -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"
>
> Start server/client
> ===
>
> Start openvpn with peer fingerprint verification:
>
> $ sudo openvpn --server 10.66.0.0 255.255.255.0 --dev tun --dh none --cert
> servercert.pem --key serverkey.pem --peer-fingerprint "$client_fingerprint"
>
> $ sudo openvpn --client --remote 127.0.0.1 --dev tun --cert clientcert.pem
> --key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind
>
> Signed-off-by: Jason A. Donenfeld
>
> Patch V2: Changes in V2 (by Arne Schwabe):
> - Only check peer certificates, not all cert levels, if you need
> multiple levels of certificate you should use a real CA
> - Use peer-fingerprint instead tls-verify on server side in example.
> - rename variable ca_file_none to verify_hash_no_ca
> - do no require --ca none but allow --ca simply
> to be absent when --peer-fingprint is present
> - adjust warnings/errors messages to also point to
> peer-fingerprint as valid verification method.
> - Fix mbed TLS version of not requiring CA
> not working
>
> Signed-off-by: Arne Schwabe
> ---
> src/openvpn/init.c | 2 ++
> src/openvpn/options.c| 30 +++---
> src/openvpn/options.h| 1 +
> src/openvpn/ssl.c| 2 +-
> src/openvpn/ssl_common.h | 1 +
> src/openvpn/ssl_verify_mbedtls.c | 17 +
> src/openvpn/ssl_verify_openssl.c | 2 +-
> 7 files changed, 46 insertions(+), 9 deletions(-)
>
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index 731b0cf2..835621cb 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -2928,6 +2928,8 @@ do_init_crypto_tls(struct context *c, const unsigned
> int flags)
> to.verify_hash = options->verify_hash;
> to.verify_hash_algo = options->verify_hash_algo;
> to.verify_hash_depth = options->verify_hash_depth;
> +to.verify_hash_no_ca = options->verify_hash_no_ca;
> +
> #ifdef ENABLE_X509ALTUSERNAME
> memcpy(to.x509_username_field, options->x509_username_field,
> sizeof(to.x509_username_field));
> #else
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 6b4a2c11..27ed813d 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2712,18 +2712,23 @@ options_postprocess_verify_ce(const struct options
> *options,
> else
> {
> #ifdef ENABLE_CRYPTO_MBEDTLS
> -if (!(options->ca_file))
> +if (!(options->ca_file || options->verify_hash_no_ca))
> {
> -msg(M_USAGE, "You must define CA file (--ca)");
> +msg(M_USAGE, "You must define CA file (--ca) and/or "
> +"peer fingeprint verification "
> +"(--peer-fingerprint)");
> }
> if (options->ca_path)
> {
> msg(M_USAGE, "Parameter --capath cannot be used with the
> mbed TLS version version of OpenVPN.");
> }
> #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
> -if ((!(options->ca_file)) && (!(options->ca_path)))
> +if ((!(options->ca_file)) && (!(options->ca_path))
> +&& (!(options->verify_hash_no_ca)))
> {
> -msg(M_USAGE, "You must define CA file (--ca) or CA path
> (--capath)");
> +msg(M_USAGE, "You must define CA file (--ca)
[Openvpn-devel] [PATCH v2 3/5] Support fingerprint authentication without CA certificate
From: "Jason A. Donenfeld"
OpenVPN traditionally works around CAs. However many TLS-based protocols also
allow an alternative simpler mode in which rather than verify certificates
against CAs, the certificate itself is hashed and compared against a
pre-known set of acceptable hashes. This is usually referred to as
"fingerprint verification". It's popular across SMTP servers, IRC servers,
XMPP servers, and even in the context of HTTP with pinning.
* Allow not specifying the --ca parameter, to specify that
certificates should not be checked against a CA.
I've included some instructions on how to use all of this.
Server side:
Make self-signed cert:
$ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout
serverkey.pem -out servercert.pem -nodes -sha256 -days 3650 -subj '/CN=server'
Record our fingerprint in an environment variable for the client to use later:
$ server_fingerprint="$(openssl x509 -in servercert.pem -noout -sha256
-fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"
Client side:
Make self-signed cert:
$ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout
clientkey.pem -out clientcert.pem -nodes -sha256 -days 3650 -subj '/CN=client'
Record our fingerprint in an environment variable for the server to use later:
$ client_fingerprint="$(openssl x509 -in clientcert.pem -noout -sha256
-fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"
Start server/client
===
Start openvpn with peer fingerprint verification:
$ sudo openvpn --server 10.66.0.0 255.255.255.0 --dev tun --dh none --cert
servercert.pem --key serverkey.pem --peer-fingerprint "$client_fingerprint"
$ sudo openvpn --client --remote 127.0.0.1 --dev tun --cert clientcert.pem
--key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind
Signed-off-by: Jason A. Donenfeld
Patch V2: Changes in V2 (by Arne Schwabe):
- Only check peer certificates, not all cert levels, if you need
multiple levels of certificate you should use a real CA
- Use peer-fingerprint instead tls-verify on server side in example.
- rename variable ca_file_none to verify_hash_no_ca
- do no require --ca none but allow --ca simply
to be absent when --peer-fingprint is present
- adjust warnings/errors messages to also point to
peer-fingerprint as valid verification method.
- Fix mbed TLS version of not requiring CA
not working
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 2 ++
src/openvpn/options.c| 30 +++---
src/openvpn/options.h| 1 +
src/openvpn/ssl.c| 2 +-
src/openvpn/ssl_common.h | 1 +
src/openvpn/ssl_verify_mbedtls.c | 17 +
src/openvpn/ssl_verify_openssl.c | 2 +-
7 files changed, 46 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 731b0cf2..835621cb 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2928,6 +2928,8 @@ do_init_crypto_tls(struct context *c, const unsigned int
flags)
to.verify_hash = options->verify_hash;
to.verify_hash_algo = options->verify_hash_algo;
to.verify_hash_depth = options->verify_hash_depth;
+to.verify_hash_no_ca = options->verify_hash_no_ca;
+
#ifdef ENABLE_X509ALTUSERNAME
memcpy(to.x509_username_field, options->x509_username_field,
sizeof(to.x509_username_field));
#else
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 6b4a2c11..27ed813d 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2712,18 +2712,23 @@ options_postprocess_verify_ce(const struct options
*options,
else
{
#ifdef ENABLE_CRYPTO_MBEDTLS
-if (!(options->ca_file))
+if (!(options->ca_file || options->verify_hash_no_ca))
{
-msg(M_USAGE, "You must define CA file (--ca)");
+msg(M_USAGE, "You must define CA file (--ca) and/or "
+"peer fingeprint verification "
+"(--peer-fingerprint)");
}
if (options->ca_path)
{
msg(M_USAGE, "Parameter --capath cannot be used with the mbed
TLS version version of OpenVPN.");
}
#else /* ifdef ENABLE_CRYPTO_MBEDTLS */
-if ((!(options->ca_file)) && (!(options->ca_path)))
+if ((!(options->ca_file)) && (!(options->ca_path))
+&& (!(options->verify_hash_no_ca)))
{
-msg(M_USAGE, "You must define CA file (--ca) or CA path
(--capath)");
+msg(M_USAGE, "You must define CA file (--ca) or CA path "
+"(--capath) and/or peer fingeprint verification "
+"(--peer-fingerprint)");
}
#endif
if (pull)
@@ -2742,7 +2747,8 @@ options_postprocess_verify_ce(const struct options
*options,
#if P2MP
