Re: [Openvpn-devel] [PATCH v3] Implement peer-fingerprint to check fingerprint of peer certificate
Hi, On 21/03/2021 15:33, Arne Schwabe wrote: > This option allows to pin one or more more peer certificates. It also > prepares for doing TLS authentication without a CA and just > self-signed certificates. > > Patch V2: Allow peer-fingerprint to be specified multiple times > to allow multiple peers without needing to use inline > syntax. (e.g. on command line). > > Patch V3: rebase on v3 of 1/4, reword message of verify-hash and > peer-fingerpring incompatibility > > Signed-off-by: Arne Schwabe > --- > Changes.rst | 9 ++- > doc/man-sections/inline-files.rst | 4 +-- > doc/man-sections/tls-options.rst | 22 +++- > src/openvpn/init.c| 1 + > src/openvpn/options.c | 42 +++ > src/openvpn/options.h | 1 + > src/openvpn/ssl_common.h | 1 + > src/openvpn/ssl_verify.c | 19 -- > 8 files changed, 76 insertions(+), 23 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index d6be1050..ac32de26 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -22,13 +22,20 @@ Compatibility with OpenSSL in FIPS mode > > Deprecated features > --- > -``inetd`` has been removed > +``inetd`` has been removed I guess this is just a mistake. > This was a very limited and not-well-tested way to run OpenVPN, on TCP > and TAP mode only. > > > Overview of changes in 2.5 > == > +New features in 2.5.1 I believe this feature was meant to target master/2.6, therefore putting it under 2.5.1 was probably a mistake. > +- > +Certificate pinning/verify peer fingerprint > +The ``--peer-fingerprint`` option has been introduced to give users an > +easy to use alternative to the ``tls-verify`` for matching the > +fingerprint of the peer. The option takes use a number of allowed > +SHA256 certificate fingerprints. > > New features > > diff --git a/doc/man-sections/inline-files.rst > b/doc/man-sections/inline-files.rst > index 303bb3c8..01e4a840 100644 > --- a/doc/man-sections/inline-files.rst > +++ b/doc/man-sections/inline-files.rst > @@ -4,8 +4,8 @@ INLINE FILE SUPPORT > OpenVPN allows including files in the main configuration for the ``--ca``, > ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, > ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, > -``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and > -``--verify-hash`` options. > +``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, > +``--tls-crypt-v2`` and ``--verify-hash`` options. > > Each inline file started by the line and ended by the line > > diff --git a/doc/man-sections/tls-options.rst > b/doc/man-sections/tls-options.rst > index d8f9800e..cfe1ec98 100644 > --- a/doc/man-sections/tls-options.rst > +++ b/doc/man-sections/tls-options.rst > @@ -271,7 +271,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa >man-in-the-middle attack where an authorized client attempts to connect >to another client by impersonating the server. The attack is easily >prevented by having clients verify the server certificate using any one > - of ``--remote-cert-tls``, ``--verify-x509-name``, or ``--tls-verify``. > + of ``--remote-cert-tls``, ``--verify-x509-name``, ``--peer-fingerprint`` > + or ``--tls-verify``. > > --tls-auth args >Add an additional layer of HMAC authentication on top of the TLS control > @@ -592,6 +593,25 @@ certificates and keys: > https://github.com/OpenVPN/easy-rsa > > If the option is inlined, ``algo`` is always :code:`SHA256`. > > +--peer-fingerprint args > + Specify a SHA256 fingerprint or list of SHA256 fingerprints to verify > + the peer certificate against. The peer certificate must match one of the > + fingerprint or certificate verification will fail. The option can also > + be inlined > + > + Valid syntax: > + :: > + > +peer-fingerprint AD:B0:95:D8:09:... > + > + or inline: > + :: > + > + > + > 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > + > 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 > + > + > --verify-x509-name args >Accept connections only if a host's X.509 name is equal to **name.** The >remote host must also pass all other tests of verification. > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index d234729c..731b0cf2 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -2927,6 +2927,7 @@ do_init_crypto_tls(struct context *c, const unsigned > int flags) > to.remote_cert_eku = options->remote_cert_eku; > to.verify_hash = options->verify_hash; > to.verify_hash_algo = options->verify_hash_algo; > +to.verify_hash_depth = options->verify_hash_depth; > #ifdef
[Openvpn-devel] [PATCH v3] Implement peer-fingerprint to check fingerprint of peer certificate
This option allows to pin one or more more peer certificates. It also prepares for doing TLS authentication without a CA and just self-signed certificates. Patch V2: Allow peer-fingerprint to be specified multiple times to allow multiple peers without needing to use inline syntax. (e.g. on command line). Patch V3: rebase on v3 of 1/4, reword message of verify-hash and peer-fingerpring incompatibility Signed-off-by: Arne Schwabe --- Changes.rst | 9 ++- doc/man-sections/inline-files.rst | 4 +-- doc/man-sections/tls-options.rst | 22 +++- src/openvpn/init.c| 1 + src/openvpn/options.c | 42 +++ src/openvpn/options.h | 1 + src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 19 -- 8 files changed, 76 insertions(+), 23 deletions(-) diff --git a/Changes.rst b/Changes.rst index d6be1050..ac32de26 100644 --- a/Changes.rst +++ b/Changes.rst @@ -22,13 +22,20 @@ Compatibility with OpenSSL in FIPS mode Deprecated features --- -``inetd`` has been removed +``inetd`` has been removed This was a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only. Overview of changes in 2.5 == +New features in 2.5.1 +- +Certificate pinning/verify peer fingerprint +The ``--peer-fingerprint`` option has been introduced to give users an +easy to use alternative to the ``tls-verify`` for matching the +fingerprint of the peer. The option takes use a number of allowed +SHA256 certificate fingerprints. New features diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst index 303bb3c8..01e4a840 100644 --- a/doc/man-sections/inline-files.rst +++ b/doc/man-sections/inline-files.rst @@ -4,8 +4,8 @@ INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the ``--ca``, ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, -``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and -``--verify-hash`` options. +``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, +``--tls-crypt-v2`` and ``--verify-hash`` options. Each inline file started by the line and ended by the line diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d8f9800e..cfe1ec98 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -271,7 +271,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one - of ``--remote-cert-tls``, ``--verify-x509-name``, or ``--tls-verify``. + of ``--remote-cert-tls``, ``--verify-x509-name``, ``--peer-fingerprint`` + or ``--tls-verify``. --tls-auth args Add an additional layer of HMAC authentication on top of the TLS control @@ -592,6 +593,25 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa If the option is inlined, ``algo`` is always :code:`SHA256`. +--peer-fingerprint args + Specify a SHA256 fingerprint or list of SHA256 fingerprints to verify + the peer certificate against. The peer certificate must match one of the + fingerprint or certificate verification will fail. The option can also + be inlined + + Valid syntax: + :: + +peer-fingerprint AD:B0:95:D8:09:... + + or inline: + :: + + + 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 + + --verify-x509-name args Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d234729c..731b0cf2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2927,6 +2927,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.remote_cert_eku = options->remote_cert_eku; to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; +to.verify_hash_depth = options->verify_hash_depth; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3b1c69ba..871f6f5c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8118,26 +8118,45 @@ add_option(struct options *options, options->extra_certs_file = p[1]; options->extra_certs_file_inline = is_inline; } -
