OpenVPN: Fix tls-verify with email address in X509 identifier #25
Closed
OpenVPN’s TLS verification will fail when the client’s certificate contains an “emailAddress” attribute.

The reason is that when a client certificate is uploaded to IPFire the resulting entry in /var/ipfire/ovpn/ovpnconfig will contain the CN and the emailAddress separated by a slash character as certificate name. The script used for tls-verify, however, treats everything after the “CN=” string in the X509 identifier as certificate name. So if the client’s certificate happens to contain an email address, the certificate name that the TLS verification script expects will never match the entries in ovpnconfig.

Example

The certificate “C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient, emailAddress=ovpnClient@example.com” will generate this name in ovpnconfig when uploaded: “ovpnClient/emailAddress=ovpnClient@example.com”. On the other hand, the TLS verification script expects the certificate name “ovpnClient, emailAddress=ovpnClient@example.com” (there’s a comma and a space and not a slash) to be in ovpnconfig when the client tries to connect. The expected name will never match the entries in ovpnconfig, which results in an error during the TLS handshake:

WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
VERIFY SCRIPT ERROR: depth=0, C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient, emailAddress=ovpnClient@example.com
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

To fix this issue, all commas in the expected certificate name need to be replaced by a slash character in order to get the certificate name in line with the entries in ovpnconfig.
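The name mismatch described above can be reproduced without an OpenVPN server. The following shell script is an added example written for this page; it is not IPFire's verify script and not code from this PR. It takes the X509 subject string exactly as it appears in the log line above, derives the certificate name the two ways the description contrasts (everything after "CN=" as the original script does, and with ", " turned into "/" as this editor reads the proposed comma-to-slash fix), and looks each result up in a stand-in for ovpnconfig. That stand-in is a constructed one-name-per-line list, not the real ovpnconfig layout; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not IPFire's own verify script. Reproduces the name
# derivation the PR describes: OpenVPN's --tls-verify hands the script the
# peer's X509 subject, the script keeps everything after "CN=" as the
# certificate name and looks it up in ovpnconfig. Exit status 0 means the
# client is accepted, anything else makes OpenVPN abort the handshake.

# Subject exactly as shown in the PR's "VERIFY SCRIPT ERROR" log line (depth 0).
SUBJECT='C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient, emailAddress=ovpnClient@example.com'

# Constructed stand-in for the certificate names stored in ovpnconfig
# (one name per line; the real file has more fields than this).
OVPNCONFIG_NAMES='ovpnClient/emailAddress=ovpnClient@example.com
otherClient'

# Original behaviour: the certificate name is everything after the first "CN=".
cert_name_raw() {
    printf '%s\n' "${1#*CN=}"
}

# Fixed behaviour: additionally join the remaining attributes with "/" so the
# name has the same shape IPFire writes into ovpnconfig on upload.
cert_name_fixed() {
    cert_name_raw "$1" | sed 's#, #/#g'
}

# Whole-line, fixed-string lookup: a name that is only a prefix of a stored
# entry (e.g. "ovpnClient" alone) must not be accepted.
name_in_ovpnconfig() {
    printf '%s\n' "$OVPNCONFIG_NAMES" | grep -qxF -- "$1"
}

# Verify one subject with either derivation ("raw" or "fixed").
# Returns 0 when the derived name is present in ovpnconfig, 1 otherwise.
verify_subject() {
    mode=$1 subject=$2
    if [ "$mode" = fixed ]; then
        name=$(cert_name_fixed "$subject")
    else
        name=$(cert_name_raw "$subject")
    fi
    if name_in_ovpnconfig "$name"; then
        echo "OK:   '$name' found in ovpnconfig"
        return 0
    fi
    echo "FAIL: '$name' not found in ovpnconfig"
    return 1
}

# The comma form never matches (this is the failing case from the PR);
# the "|| :" only keeps the demonstration going after the expected failure.
verify_subject raw "$SUBJECT" || :
# The slash form matches the stored entry.
verify_subject fixed "$SUBJECT"
```

Run it with `sh` to see one FAIL line followed by one OK line. The lookup deliberately uses `grep -xF`, so the comparison is an exact, whole-line match on the literal name rather than a substring or regex match; that keeps a bare CN from being accepted on the strength of a longer stored entry.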
This PR does not really solve the problem. It's more a workaround. I'll fix this problem better and open a new PR.
mtremer pushed a commit that referenced this pull request on Apr 14, 2021
- Update from 2.3.3 to 2.3.3op2
- OpenPrinting statement from March 2021:
  - CUPS has new home at OpenPrinting
    Due to the fact that CUPS development at Apple has stopped since the beginning of 2020 we had forked CUPS some months ago to incorporate patches and fixes from the distributions. As Apple did not resume the upstream work on CUPS, we have made OpenPrinting now the official upstream home for CUPS. This especially means that we can now continue developing CUPS, independent of Apple. So we can add features and lead CUPS into the new architecture without PPD files and with Printer Applications. CUPS has a new home page now and what was formerly our fork is now the official CUPS repository. Upcoming releases will be of the new 2.4.x series, without “opX” suffix as now.
    Also all documentation files which come with it are updated to point to the OpenPrinting resources.
- Update of rootfile not required.
- Changelog
  Changes in CUPS v2.3.3op2
  - Security: Fixed a buffer (read) overflow in the `ippReadIO` function (CVE-2020-10001)
  - Clarified the documentation for the "Listen" directive (Issue #53)
  - Fixed duplicate ColorModel entries for AirPrint printers (Issue 59)
  - Fixed directory/permission defaults for Debian kfreebsd-based systems (Issue #60, Issue #61)
  - Fixed crash bug in `ppdOpen` (Issue #64, Issue #78)
  - Fixed regression in `snprintf` emulation function (Issue #67)
  - The scheduler's systemd service file now waits for the nslcd service to start (Issue #69)
  - The libusb-based USB backend now uses a simpler read timer implementation to avoid a regression in a previous change (Issue #72)
  - The PPD caching code now only tracks the `APPrinterIconPath` value on macOS (Issue #73)
  - Fixed segfault in help.cgi when searching in man pages (Issue #81)
  - Root certificates were incorrectly stored in "~/.cups/ssl".
  Changes in CUPS v2.3.3op1
  - The automated test suite can now be activated using `make test` for consistency with other projects and CI environments - the old `make check` continues to work as well, and the previous test server behavior can be accessed by running `make testserver`.
  - ippeveprinter now supports multiple icons and strings files.
  - ippeveprinter now uses the system's FQDN with Avahi.
  - ippeveprinter now supports Get-Printer-Attributes on "/".
  - ippeveprinter now uses a deterministic "printer-uuid" value.
  - ippeveprinter now uses system sounds on macOS for Identify-Printer.
  - Updated ippfind to look for files in "~/Desktop" on Windows.
  - Updated ippfind to honor `SKIP-XXX` directives with `PAUSE`.
  - Updated IPP Everywhere support to work around printers that only advertise color raster support but really also support grayscale (Issue #1)
  - ipptool now supports DNS-SD URIs like `ipps://My%20Printer._ipps._tcp.local` (Issue #5)
  - The scheduler now allows root backends to have world read permissions but not world execute permissions (Issue #21)
  - Failures to bind IPv6 listener sockets no longer cause errors if IPv6 is disabled on the host (Issue #25)
  - The SNMP backend now supports the HP and Ricoh vendor MIBs (Issue #28)
  - The scheduler no longer includes a timestamp in files it writes (Issue #29)
  - The systemd service names are now "cups.service" and "cups-lpd.service" (Issue #30, Issue #31)
  - The scheduler no longer adds the local hostname to the ServerAlias list (Issue #32)
  - Added `LogFileGroup` directive in "cups-files.conf" to control the group owner of log files (Issue #34)
  - Added `--with-max-log-size` configure option (Issue #35)
  - Added `--enable-sync-on-close` configure option (Issue #37)
  - Added `--with-error-policy` configure option (Issue #38)
  - IPP Everywhere PPDs could have an "unknown" default InputSlot (Issue #44)
  - The `httpAddrListen` function now uses a listen backlog of 128.
  - Added USB quirks (Apple issue #5789, #5823, #5831)
  - Fixed IPP Everywhere v1.1 conformance issues in ippeveprinter.
  - Fixed DNS-SD name collision support in ippeveprinter.
  - Fixed compiler and code analyzer warnings.
  - Fixed TLS support on Windows.
  - Fixed ippfind sub-type searches with Avahi.
  - Fixed the default hostname used by ippeveprinter on macOS.
  - Fixed resolution of local IPP-USB printers with Avahi.
  - Fixed coverity issues (Issue #2)
  - Fixed `httpAddrConnect` issues (Issue #3)
  - Fixed web interface device URI issue (Issue #4)
  - Fixed lp/lpr "printer/class not found" error reporting (Issue #6)
  - Fixed xinetd support for LPD clients (Issue #7)
  - Fixed libtool build issue (Issue #11)
  - Fixed a memory leak in the scheduler (Issue #12)
  - Fixed a potential integer overflow in the PPD hashing code (Issue #13)
  - Fixed output-bin and print-quality handling issues (Issue #18)
  - Fixed PPD options getting mapped to odd IPP values like "tray---4" (Issue #23)
  - Fixed remote access to the cupsd.conf and log files (Issue #24)
  - Fixed the automated test suite when running in certain build/CI environments (Issue #25)
  - Fixed a logging regression caused by a previous change for Apple issue #5604 (Issue #25)
  - Fixed fax phone number handling with GNOME (Issue #40)
  - Fixed potential rounding error in rastertopwg filter (Issue #41)
  - Fixed the "uri-security-supported" value from the scheduler (Issue #42)
  - Fixed IPP backend crash bug with "printer-alert" values (Issue #43)
  - Removed old Solaris inetconv(1m) reference in cups-lpd man page (Issue #46)
  - Fixed default options that incorrectly use the "custom" prefix (Issue #48)
  - Fixed a memory leak when resolving DNS-SD URIs (Issue #49)
  - Fixed systemd status reporting by adopting the notify interface (Issue #51)
  - Fixed crash in rastertopwg (Apple issue #5773)
  - Fixed cupsManualCopies values in IPP Everywhere PPDs (Apple issue #5807)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
mtremer pushed a commit that referenced this pull request on May 14, 2021
- Update from 0.2.7 to 0.2.10
- Convert from python-inotify to python3-inotify make.sh, lfs & rootfiles
- Update rootfiles
- Changelog
  0.2.8:
  - We now just *skip* the event if not known
  - Implement InotifyTree and InotifyTrees as sub-classes of new BaseTree class
  - Made InotifyTree and InotifyTrees sub-classes of new base class BaseTree
  - Recursively watch a list of paths/trees
  0.2.9:
  - Added getter for Inotify object from tree objects
  - Added note to docs about race-conditions. Added small change for redundant adds.
  - Slightly reorganized documentation. Updated example.
  - Merge pull request #35 from dsoprea/dustin. Added extensive unit-test coverage. Closes all bug requests.
  - Added large amount of unit-test coverage.
  - Now handle rename-specific events.
  - Can now also ignore issues with new directories not existing if you've created *and* deleted or renamed a folder since the last time events were read.
  - Adjusted requirements for simplicity.
  - Added Python 3 compatibility.
  - Fixed Unicode support.
  - Can now provide `filter_predicate` to event_gen() to allow custom loop termination based on events.
  - We'll now terminate the loop when certain events are encountered. These events are passed into event_gen() as `terminal_events`. By default these are the IN_Q_OVERFLOW and IN_UNMOUNT types.
  - Fixes #28
  - Fixes #23
  - Fixes #22
  - Fixes #19
  - Fixes #16
  - Fixes #15
  - Fixes #5
  - Check presence of both glibc errno and musl libc err
  - Support for musl libc (Alpine Linux)
  - Merge pull request #27 from jessesuen/master. Support for musl libc (Alpine Linux)
  - Check presence of both glibc errno and musl libc err
  - Merge pull request #26 from hathcock/hathcock/issue-25. resolves #25, list of binary paths can't be logged with existing call
  - Support for musl libc (Alpine Linux)
  - Resolves #25, list of binary paths can't be logged with existing call
  0.2.10:
  - Merge pull request #34 from davidparsson/feature/support-moved-directories
  - Support MOVED_FROM and MOVED_TO in BaseTree
  - events: Now log event types from epoll vs data stream.
  - This release implicitly fixed the botched binary package released in 0.2.9

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
mtremer pushed a commit that referenced this pull request on Oct 22, 2021
- Update from 2.35 (2006) to 2.73 (2020)
- Update of rootfile
- Updated version of perl-GD required ExtUtils-PkgConfig for build. Separate patch to build that is part of this series
- Changelog
  2.73
  * allow --options override the libgd options. Not recommended. See GH #33 and RT #130045
  2.72
  * fix CVE 2019-6977 colorMatch for older unpatched libgd versions. This is a severe security problem, an exploitable heap-overflow. See https://nvd.nist.gov/vuln/detail/CVE-2019-6977
  2.71
  * skip Test::Fork on freebsd (GH #25)
  2.70
  * fixes for hardened CCFLAGS with -Werror (RT #128167)
  2.69
  * little spelling error, GH #29 Xavier Guimard
  2.68
  * fix GD::Polygon->clear, RT #124463 Michael Cain
  2.67
  * fix thread-safety for GD::Simple %COLORS (#26 melak)
  * fix arc start-angle docs, RT #123277 Andrew G Gray
  * improve setBrush docs, RT #123194 Andrew G Gray
  * improve StringFT docs, RT #123193
  * replace MacOSX by darwin, and not by Mac OS X/macOS as suggested in PR #24
  * add GD::Image->_file method as suggested in RT #60488 by Kevin Ryde, also the helper GD::supportsFileType
  2.66
  * throw proper error on newFrom* with not-existing file
  * add t/transp.t from RT #40525
  * Improve RT #54366 multiple gd.h warning
  * better doc for GD::Simple->arc
  * fix ANIMGIF with libgd 2.3.0-dev
  2.65
  * fix --gdlib_config_path to accept an argument (fperrad)
  2.64
  * Update doc for LIBGD_VERSION()
  * Fix 5.6.2, which does not have float in its typemap
  2.63
  * renamed VERSION() to LIBGD_VERSION(), RT #121307. It was treated magically by "use GD 2.18"
  2.62
  * fixed wrong <5.14 code generated with ExtUtils::Constants RT #121297. Don't generate const-xs.inc, only when missing.
  * add -liconv on hpux also (our pkgconfig parser cannot handle it)
  2.61
  * add CONFIGURE_REQUIRES META
  * add --gdlib_config_path
  * add Image Filters: scatter, pixelate, negate, grayscale, brightness, contrast, color, selectiveBlur, edgeDetectQuick, gaussianBlur, emboss, meanRemoval, smooth, copyGaussianBlurred
  * add palette methods: createPaletteFromTrueColor, neuQuant (but discouraged), colorMatch.
  * add interpolation methods: copyScale, copyRotateInterpolated, interpolationMethod.
  * add double GD::VERSION
  * add all gd.h constants
  2.60
  * add missing methods newFromWBMP, newFromXbm, (RT #68784) and some missing docs
  * Add --lib_fontconfig_path, --fcgi options
  * rewrote most of the XS code
  * cleanup Makefile.PL #20
  2.59
  * error on failing libgd calls
  * fix colorClosestAlpha, colorAllocateAlpha
  * add missing documentation
  2.58
  * fix VERSION_STRING for 2.0.x
  * honor --lib_gd_path specific gdlib-config
  * Loosen the comparison tests with GDIMAGETYPE ne gd2
  * Improve gdlib-config parsing (PR #17), esp. with 2.0.34
  2.57
  * fix Jpeg magic number detection RT #26146
  * fix RGB - HSV roundtrips: RT #120572 by J2N-FORGET
  * fix -print-search-dirs errors RT #106265
  * co-maint to rurban
  * add hv_fetchs, CI smokers
  * add GD::VERSION_STRING api
  2.56_03
  * add alpha method
  * improve option handling
  * fix meta data
  2.56_02
  * fix feature extraction >= 2.2 [RT #119459]
  2.56_01
  * rm Build.PL, fix permissions, fix for missing gdlib-config
  2.56
  * Fix Makefile.PL so that it works again.
  2.55
  * Great simplification of regression framework ought to fix make test problems.
  * Replace ExtUtils::MakeMaker script with Module::Build system (just in time for Module::Build to be deprecated).
  * Remove archaic qd.pl (for creating QuickDraw picts) from distribution.
  2.54
  Patch from yurly@unet.net to fix image corruption in rotate180 when image height is odd.
  2.53
  Points to Gabor Szabo's GD::Simple tutorial, and fix link to repository.
  2.52
  Fix regression tests to run on Ubuntu 12.04 64bit.
  2.51
  Fix misleading warning message about location of gd.h file.
  2.50
  Fix gdUseFontConfig so that it can be called as a class method.
  2.49
  Add GitHub information to README.
  2.48
  Fix compile crash on windows and strawberry (https://rt.cpan.org/Public/Bug/Display.html?id=67990).
  2.47
  Fix compilation on older perl's without the Newxz macros.
  2.46
  Added a basic "use" test for GD::Simple
  2.45
  Clarified the GD license. There is now a formal LICENSE file in the package.
  2.44
  GD::Group now installed properly. Quenched compiler warning caused by Newxs() calls.
  2.43
  Added "transparent" color to GD::Simple. Fixed Makefile so that GD/Image.pm depends both on GD/Image.pm.PLS and .config.cache
  2.42
  Fixed magic number detection to autodetect certain missed jpeg files (thanks to Mike Walker)
  2.41
  Added backend support for grouping features in GD::SVG module.
  2.40
  ** Do not use - contains a bug **
  2.39
  Makefile.PL will refuse to run if the proper version of libgd is unavailable.
  2.38
  Fixed bizarre warning about /usr/include/gd.h != /usr/include/gd.h.
  2.37
  GD/Image.pm did not bring in croak() properly, meaning that incorrect error messages are printed out when any of the newFromXXX() calls are made.
  2.36
  Instructions on using gdAntiAliased with palette images.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
mtremer pushed a commit that referenced this pull request on Apr 24, 2022
- Update from v3.3.16 to v4.0.0
- added --disable-static to ./configure to remove static libs from rootfile
- Update of rootfile
- Changed lib name. Ran ./make.sh find-dependencies. No dependencies on old libraries
- Changelog
  procps-ng-4.0.0
  * Rename pwait to pidwait
  * free: Add committed line option merge #25
  * free: Fix -h --si combined options issue #133, #223
  * free: Fix first column justification issue #229, #204, #206, Debian #1001689
  * free: Better spacing for Chinese language issue #213
  * library: renamed to libproc-2 and reset to 0:0:0
  * library: add support for accessing smaps_rollup issue #112, #201
  * library: add support for accessing autogroups
  * library: add support for LIBPROC_HIDE_KERNEL env var merge #147
  * library: add support for cpu utilization to pids i/f
  * pkill: Check for lt- variants of program name issue #192
  * pgrep: Add newline after regex error message merge #91
  * pgrep: Fix selection where uid/gid > 2^31 merge !146
  * pgrep: Select on cgroup v2 paths issue #168
  * ps: Add OOM and OOMADJ fields issue #198
  * ps: Add IO Accounting fields issue #184
  * ps: Add PSS and USS fields issue #112
  * ps: Add two new autogroup fields
  * ps: Ignore SIGURG merge !142
  * slabtop: Don't combine d and o options issue #160
  * sysctl: Add support for systemd glob patterns issue #191
  * sysctl: Check resolved path to be under /proc/sys issue #179
  * sysctl: return non-zero if EINVAL return for write merge #76
  * sysctl.conf.5: Note max line length issue #77
  * top: added LOGID similar to 3.3.13 ps LUID
  * top: added EXE identical to 3.3.17 ps EXE
  * top: exploit some library smaps_rollup provisions issue #112
  * top: added four new IO accounting fields issue #184
  * top: 'F' key is now a new forest view 'focus' toggle
  * top: summary area memory lines can print two abreast
  * top: added two new autogroup fields
  * top: added long versions of command line options
  * top: added cpu utilization & 2 time related fields
  * top: the time related fields can now be user scaled
  * uptime: print short/pretty format correctly issue #217
  * vmstat: add -y option to remove first line merge !72
  procps-ng-3.3.17
  * library: Incremented to 8:3:0 (no removals or additions, internal changes only)
  * all: properly handle utf8 cmdline translations issue #176
  * kill: Pass int to signalled process merge #32
  * pgrep: Pass int to signalled process merge #32
  * pgrep: Check sanity of SG_ARG_MAX issue #152
  * pgrep: Add older than selection merge #79
  * pidof: Quiet mode merge #83
  * pidof: show worker threads Redhat #1803640
  * ps.1: Mention stime alias issue #164
  * ps: check also match on truncated 16 char comm names
  * ps: Add exe output option Redhat #1399206
  * pwait: New command waits for a process merge #97
  * sysctl: Match systemd directory order Debian #950788
  * sysctl: Document directory order Debian #951550
  * top: ensure config file backward compatibility Debian #951335
  * top: add command line 'e' for symmetry with 'E' issue #165
  * top: add '4' toggle for two abreast cpu display issue #172
  * top: add '!' toggle for combining multiple cpus
  * top: fix potential SEGV involving -p switch merge #114
  * vmstat: Wide mode gives wider proc columns merge #48
  * watch: Add environment variable for interval merge #62
  * watch: Add no linewrap option issue #182
  * watch: Support more colors merge #106,#109
  * free,uptime,slabtop: complain about extra ops issue #181

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
mtremer pushed a commit that referenced this pull request on Aug 13, 2024
- Update from version 0.6.1-f54b3fa to 0.6.3
- Update of rootfile not required
- Changelog
  0.6.3
  * remove outdated copyright and email
  * Merge pull request #25 from fweimer/patch-1 AC_QEF_C_NORETURN: Include <stdlib.h> for exit
  * Merge pull request #27 from ofalk/master Fix potential write to unallocated memory.
  * Merge pull request #28 from vgropp/#2-fix-csv-bits feat: #2 output bits in csv
  * Merge pull request #29 from vgropp/#2-fix-csv-bits fix(doc): #2 output bits in csv
  * Merge pull request #32 from vgropp/new-netstat-#5 feat: add support for newer (2016+) linux netstat #5
  0.6.2
  * Merge pull request #22 from vgropp/issue-#13 to fix windows build
  * Merge pull request #20 from dreibh/master CSV file output: fix for timestamp inaccuracy and Y-2038 problem
  * Merge pull request #21 from vgropp/travisci add travisci
  * Merge pull request #17 from Himura2la/master Add the started time in "sum" mode
  * Merge pull request #18 from Himura2la/fix-dynamic Fix DYNAMIC and ANSIOUT in config
  * Merge pull request #10 from SoapGentoo/fixes Use `static inline` instead of `inline`
  * Merge pull request #9 from adventureloop/master Always fflush the pipe
  * Merge pull request #7 from samueloph/fsf_address_clean Update FSF address
  * Merge pull request #6 from samueloph/master Fix typos
  * fix nan and inf values on fast refresh (fixes debian bug #532331)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Note: This PR solves Bugzilla issue #10552