www.zeroshell.org Forum Index
huge problems with revocation of certs
rob_zero
Joined: 02 Jul 2009
Posts: 1
Posted: Thu Jul 02, 2009 7:59 am    Post subject: huge problems with revocation of certs

Hi there,

This is my very first time dropping some lines in this forum, so I really hope anyone can help me on this:

When I revoke a user's certificate by Users > X509 > revoke Certificate in order to NOT allow him VPN connection anymore, this same user still can connect by VPN, and supposedly the certificate exists no more! Even if I delete that user from the Users List after revoking + deleting his certificate, he still can connect!!! This is getting me crazy indeed... how is that possible?? Is there any way to delete a certificate by console or whatever? Looks like that certificate and user still exist somewhere in some database or record...

Please I need some help!!!

Thank you very much in advance!!
misterplow
Joined: 22 Apr 2008
Posts: 20
Posted: Tue Dec 22, 2009 5:27 am    Post subject:

The way that OpenVPN works is that each time you revoke a certificate it generates/updates a CRL (certificate revocation list) file, against which it checks incoming client connection requests. Even though you may revoke multiple client certificates, the CRL is just one key, against which multiple clients' keys can generate a hit/match.

You can find the crl.pem file that ZS uses at the location of:
Code:
/Database/etc/ssl/crl.pem


So, if you start the OpenVPN server process with the option of
Code:
--crl-verify /Database/etc/ssl/crl.pem

It will then reject any certificates that you have revoked.

The BIG CATCH is that if you delete a user without first revoking the user's cert, that user/cert will still be able to connect (as you have noticed, which is probably not what you want).

In case you forgot to revoke the cert before deleting the user, you'll have to have access to the cert and private key for the user you mistakenly deleted. If you don't have access to these two files then you're probably screwed ;)

Assuming you DO have the cert/private key of the deleted user, you need to go in and manually swap it in for the cert+key of the "tempuser":

  1. create a new user in the ZS gui (doesn't have to be the same as the original username)
  2. using an ssh session into your ZS box, do the following:
    Quote:
    root@zeroshell root> mv /Database/etc/ssl/certs/<tempuser>_user.pem /Database/etc/ssl/certs/<tempuser>_user.pem.orig;vi /Database/etc/ssl/certs/<tempuser>_user.pem

    (paste the <mistakenly_deleted_user>_user.pem certificate contents and save)
  3. do the same for the key file located in /Database/etc/ssl/certs/<tempuser>_user.pem, this time pasting in the keyfile contents
  4. now go back into the GUI and revoke the certificate for the <tempuser>. This revocation should trigger an automatic restart of the affected openvpn server process as long as you have started it with the --crl-verify option as listed above.
  5. once this is done, you can delete the <tempuser>_user.pem files and then rename the <tempuser>_user.pem.orig back to the original <tempuser>_user.pem if you need to keep this temporary user and/or its information for some reason


Once again, just be aware that each time you revoke a certificate against an openvpn server instance where it's been started with the crl-verify option, you will reset that process and thus kick off all clients briefly.
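As an added example (not part of this thread, and not ZeroShell's or OpenVPN's own code), the following Python script does the check misterplow describes, offline: it reads the serial numbers listed in a CRL (the same list OpenVPN consults when started with --crl-verify) and reports, for each user certificate, whether it is actually on that list. It uses only the standard library, so it parses just enough DER to find the revokedCertificates entries in the CRL and the serialNumber in each certificate; it does not verify the CRL signature, so it is an audit aid, not a replacement for --crl-verify. The user names, serial numbers and the unsigned sample certificate/CRL builders are constructed for the demonstration; on a real box you would feed it /Database/etc/ssl/crl.pem and the <user>_user.pem files instead.

```python
"""Audit helper: which client certs are actually on the CRL?

Added example, not ZeroShell or OpenVPN code. Standard library only: a
minimal DER walker pulls revokedCertificates out of a CRL and serialNumber
out of each certificate, which is what --crl-verify compares. The CRL
signature is NOT checked here; enforcement still comes from --crl-verify.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)
SEQUENCE, INTEGER, BIT_STRING, UTC_TIME, CONTEXT0 = 0x30, 0x02, 0x03, 0x17, 0xA0
TIME_TAGS = (0x17, 0x18)                      # UTCTime, GeneralizedTime


def pem_to_der(text: str) -> bytes:
    """Decode the first PEM block in `text` (certificate or CRL) to DER."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_read(buf: bytes, pos: int):
    """Read one TLV at `pos`: returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Split a constructed element's content into a list of (tag, content)."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def revoked_serials(crl_der: bytes) -> set:
    """Serial numbers listed in the CRL's revokedCertificates (RFC 5280 5.1)."""
    _, cert_list, _ = der_read(crl_der, 0)
    fields = der_children(der_children(cert_list)[0][1])   # tbsCertList
    if fields[0][0] == INTEGER:                            # optional version
        fields = fields[1:]
    fields = fields[2:]                                    # skip signature, issuer
    if fields[0][0] not in TIME_TAGS:
        raise ValueError("malformed CRL: thisUpdate expected")
    fields = fields[1:]
    if fields and fields[0][0] in TIME_TAGS:               # optional nextUpdate
        fields = fields[1:]
    if not fields or fields[0][0] != SEQUENCE:             # nothing revoked yet
        return set()
    return {int.from_bytes(der_children(entry)[0][1], "big", signed=True)
            for _, entry in der_children(fields[0][1])}


def cert_serial(cert_der: bytes) -> int:
    """serialNumber of a DER certificate (follows the optional [0] version)."""
    _, cert, _ = der_read(cert_der, 0)
    fields = der_children(der_children(cert)[0][1])        # tbsCertificate
    if fields[0][0] == CONTEXT0:
        fields = fields[1:]
    if fields[0][0] != INTEGER:
        raise ValueError("malformed certificate: serialNumber expected")
    return int.from_bytes(fields[0][1], "big", signed=True)


def audit(user_certs: dict, crl_pem: str) -> dict:
    """Map each user name to True if its cert is on the CRL, else False.
    A user deleted from the GUI that still shows False here can still connect."""
    revoked = revoked_serials(pem_to_der(crl_pem))
    return {user: cert_serial(pem_to_der(pem)) in revoked
            for user, pem in user_certs.items()}


# --- constructed sample data (unsigned, hypothetical serials; not from a real box) ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82, n >> 8, n & 0xFF])) + content

def der_int(v: int) -> bytes:
    return der(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def to_pem(label: str, body: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(body).decode()}-----END {label}-----\n"

ALG = der(SEQUENCE, bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption OID
NAME = der(SEQUENCE, b"")                                     # empty Name, enough for parsing
T1, T2 = der(UTC_TIME, b"091222000000Z"), der(UTC_TIME, b"100122000000Z")
FAKE_SIG = der(BIT_STRING, b"\x00" * 5)                       # placeholder, never verified

def sample_cert_pem(serial: int) -> str:
    tbs = der(SEQUENCE, der(CONTEXT0, der_int(2)) + der_int(serial) + ALG + NAME
              + der(SEQUENCE, T1 + T2) + NAME + der(SEQUENCE, b""))
    return to_pem("CERTIFICATE", der(SEQUENCE, tbs + ALG + FAKE_SIG))

def sample_crl_pem(revoked: list) -> str:
    entries = b"".join(der(SEQUENCE, der_int(s) + T1) for s in revoked)
    rev = der(SEQUENCE, entries) if revoked else b""         # absent when nothing is revoked
    tbs = der(SEQUENCE, der_int(1) + ALG + NAME + T1 + T2 + rev)
    return to_pem("X509 CRL", der(SEQUENCE, tbs + ALG + FAKE_SIG))


if __name__ == "__main__":
    crl = sample_crl_pem([0x1001])                        # only "alice" was revoked
    users = {"alice": sample_cert_pem(0x1001), "bob": sample_cert_pem(0x1002)}
    for user, on_crl in audit(users, crl).items():
        print(f"{user}: {'revoked' if on_crl else 'NOT revoked - can still connect'}")
```

Run against the real files, `audit()` would take a dict built from the `<user>_user.pem` files and the text of crl.pem; any name that comes back False is a certificate OpenVPN will still accept, which is exactly the "BIG CATCH" of deleting a user before revoking.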
joar
Joined: 21 Jun 2007
Posts: 16
Posted: Tue Dec 22, 2009 9:16 am    Post subject: Problem

What if you demand both cert and user/passwd?
_________________
JH