
ECC certificate server status not detected #5128

Closed

Soham3-1415 opened this issue Jul 30, 2021 · 5 comments

@Soham3-1415

Describe the bug

ECC certificates, like the ones issued by Let's Encrypt, do not have "Key Encipherment" listed as a key usage. These certificates may have the appropriate extensions for being considered a server certificate (e.g. the TLS Web Server Authentication extended key usage), but they are not recognized as server certificates by OPNsense. In OPNsense 21.7, the lack of server certificate status prevents such certificates from being used for the Web GUI.

To Reproduce

Certificates and key material have been provided in the "Additional context" section.

Steps to reproduce the behavior:

  1. Go to /system_certmanager.php?act=new
  2. Provide a descriptive name
  3. Paste the certificate labeled BAD.pem into "Certificate data"
  4. Paste the key labeled KEY.pem into "Private key data"
  5. Click "save"

The certificate will be marked as "CA:No, Server:No"

  1. Go to /system_certmanager.php?act=new
  2. Provide a descriptive name
  3. Paste the certificate labeled GOOD.pem into "Certificate data"
  4. Paste the key labeled KEY.pem into "Private key data"
  5. Click "save"

The certificate will be marked as "CA:No, Server:Yes"

The only appreciable difference between the two certificates is that one of them is lacking the "Key Encipherment" key usage extension.

Expected behavior

Both certificates should be marked as "CA:No, Server:Yes" because they have the TLS Web Server Authentication extended key usage extension.

Describe alternatives you considered

  • Use certificates with the "Key Encipherment" key usage extension. This is not possible with ECC certificates.
  • Use a version of OPNsense before 21.7. The server flag will still be "No", but the certificate can be used with the Web GUI.

Screenshots

(Three screenshots were attached: "diff", "bad" and "good"; images not included here.)

Relevant log files

N/A

Additional context

(KEY.pem, GOOD.pem and BAD.pem were attached here; the PEM material is not included.)

Environment

Reproduced on
OPNsense 21.1.8_1 (amd64, LibreSSL).
OPNsense 21.7 (amd64, LibreSSL).

@AdSchellevis (Member)

Looking at the track record of how the current logic landed via #2459 (which is likely the state you're looking for) and #2463, I'm doubting a bit if there's actually a valid reason to check for existence of "Digital Signature" and "Key Encipherment/Agreement" (which seems to originate from https://community.openvpn.net/openvpn/wiki/HOWTO#ImportantNoteonpossibleMan-in-the-Middleattackifclientsdonotverifythecertificateoftheservertheyareconnectingto ).

It might be a best practice for OpenVPN, but if the question is "is this a server cert", these attributes aren't necessarily needed. @fichtner what do you think?

@fichtner (Member) commented Aug 1, 2021

Also reported here: https://forum.opnsense.org/index.php?topic=24153.0

@AdSchellevis I wasn't aware that the server flag was so specific to OpenVPN; at least the naming did not suggest it, although it is for sure only used by OpenVPN at the moment. We should make a correct server flag and then maybe check for further constraints in OpenVPN itself (or ask for OpenVPN server suitability per optional flag?).

@fichtner fichtner added the bug Production bug label Aug 1, 2021
@fichtner fichtner self-assigned this Aug 1, 2021
@fichtner fichtner added this to the 22.1 milestone Aug 1, 2021
AdSchellevis added a commit that referenced this issue Aug 1, 2021
…() and id-kp-serverAuth according to rfc3280, for #5128
@AdSchellevis (Member)

@fichtner how about b9b6e3e? It should keep it rather simple; if other RFC purposes would matter at a later time, we can always parse them separately.
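The check the thread converges on, as an added example (not OPNsense code and not commit b9b6e3e): a small DER walker over a certificate's Extensions SEQUENCE that contrasts an assumed pre-fix heuristic (digitalSignature plus keyEncipherment/keyAgreement) with a test for id-kp-serverAuth in extendedKeyUsage. The inputs are constructed extension blobs standing in for BAD.pem and GOOD.pem, not the certificates from the report.

```python
# X.509 extension OIDs; the detection the thread ends up with keys on id-kp-serverAuth (RFC 3280/5280).
KEY_USAGE, EXT_KEY_USAGE, SERVER_AUTH = "2.5.29.15", "2.5.29.37", "1.3.6.1.5.5.7.3.1"
KU_BITS = {0: "digitalSignature", 2: "keyEncipherment", 4: "keyAgreement"}
def _tlv(tag, body):                 # minimal DER TLV encoder (short-form lengths are enough here)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def _oid(dotted):                    # DER OBJECT IDENTIFIER content; every arc used here fits one byte
    arcs = [int(a) for a in dotted.split(".")]
    return bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])
def _read_tlv(buf, pos=0):           # -> (tag, body, next_pos); handles long-form lengths too
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def parse_extensions(ext_der):       # Extensions SEQUENCE -> {encoded extnID: extnValue content}
    exts, (_, seq, _), pos = {}, _read_tlv(ext_der), 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid, p = _read_tlv(ext)
        tag, body, p = _read_tlv(ext, p)
        if tag == 0x01:              # optional 'critical' BOOLEAN sits before the OCTET STRING
            _, body, p = _read_tlv(ext, p)
        exts[oid] = body
    return exts
def key_usage(exts):                 # names of the set keyUsage bits (BIT STRING; byte 0 = unused-bit count)
    if _oid(KEY_USAGE) not in exts: return set()
    bits = _read_tlv(exts[_oid(KEY_USAGE)])[1]
    return {n for b, n in KU_BITS.items() if len(bits) > 1 + b // 8 and bits[1 + b // 8] >> (7 - b % 8) & 1}
def ext_key_usage(exts):             # set of encoded KeyPurposeId OIDs from extendedKeyUsage
    if _oid(EXT_KEY_USAGE) not in exts: return set()
    seq, pos, oids = _read_tlv(exts[_oid(EXT_KEY_USAGE)])[1], 0, set()
    while pos < len(seq):
        _, o, pos = _read_tlv(seq, pos); oids.add(o)
    return oids
def is_server_cert_old(exts):        # assumed pre-fix heuristic: digitalSignature plus keyEncipherment/keyAgreement
    ku = key_usage(exts)
    return "digitalSignature" in ku and bool(ku & {"keyEncipherment", "keyAgreement"})
def is_server_cert_new(exts):        # what the thread settles on: id-kp-serverAuth present in extendedKeyUsage
    return _oid(SERVER_AUTH) in ext_key_usage(exts)
def build_extensions(ku_bits, eku_oids):   # constructed test input for this example, not a real certificate
    mask = sum(0x80 >> b for b in ku_bits)
    unused = (mask & -mask).bit_length() - 1 if mask else 0
    ku = _tlv(0x30, _tlv(6, _oid(KEY_USAGE)) + _tlv(1, b"\xff") + _tlv(4, _tlv(3, bytes([unused, mask]))))
    eku = _tlv(0x30, _tlv(6, _oid(EXT_KEY_USAGE)) + _tlv(4, _tlv(0x30, b"".join(_tlv(6, _oid(o)) for o in eku_oids))))
    return _tlv(0x30, ku + eku)

ECC_EXTS = parse_extensions(build_extensions([0], [SERVER_AUTH]))     # like BAD.pem: digitalSignature only
RSA_EXTS = parse_extensions(build_extensions([0, 2], [SERVER_AUTH]))  # like GOOD.pem: also keyEncipherment
```

The ECDSA-style input fails the old heuristic but passes the serverAuth check, which is exactly the mismatch the report describes.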

@fields987

The workaround I used was manually editing the config.xml file to use the refid of the ecc cert and restarting the webgui service. The new cert is now in use, however any further edits to the systems/settings/administration page throw the same error of "certificate is not intended for server use"

@fichtner fichtner assigned AdSchellevis and unassigned fichtner Aug 2, 2021
fichtner pushed a commit that referenced this issue Aug 2, 2021
…() and id-kp-serverAuth according to rfc3280, for #5128

(cherry picked from commit b9b6e3e)
@fichtner (Member) commented Aug 2, 2021

@AdSchellevis b9b6e3e makes sense, thanks a lot!

@fichtner fichtner closed this as completed Aug 2, 2021
AdSchellevis added a commit that referenced this issue Aug 15, 2021
…() and id-kp-serverAuth according to rfc3280, for #5128
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
…() and id-kp-serverAuth according to rfc3280, for opnsense/core#5128

(cherry picked from commit b9b6e3e)