Exit or Error Immediately if Certificate is Expired (QoL) - OpenVPN


Nick Aldwin

Feb 8, 2021, 5:30:56 PM
to tunnelblick-discuss
Hello,

We have a VPN with certs that expire on a certain basis.  Once they expire, folks must get a new certificate to continue using the VPN.  This all works fine.

However, one pain point we've found is that if the certificate is expired, a warning will be emitted to the logs, but then Tunnelblick will sit in the 'Authorizing' state seemingly forever.  Upon manually clicking 'disconnect', a message will come up noting that there was a warning in the logs (at which point, it's apparent that the problem is an expired cert).  Is there some configuration we're missing which would cause Tunnelblick to cease attempting to authorize as soon as the cert is deemed to be expired?

Once again, this is purely a QoL thing -- immediately notifying on an expired certificate would avoid the repeated "hey my VPN isn't working, just authorizing forever" questions that we seem to get often.

Thanks,
Nick

-Nick

Tunnelblick developer

Feb 9, 2021, 11:17:35 AM
to tunnelblick-discuss
I sent the following yesterday as a private email, but have received no response (maybe it was considered to be spam):

Hi. I'm the lead Tunnelblick developer. I haven't been able to reproduce this.

Can you send a copy of a configuration with an expired certificate to
me at devel...@tunnelblick.net? That may help me reproduce the
problem, and I don't think there's much risk, since the certificate
is expired.

Best regards,

Jon Bullard

Tunnelblick developer

Feb 9, 2021, 6:37:15 PM
to tunnelblick-discuss
Nick sent the configuration, which helped me figure out what's happening.

After asking for authentication, Tunnelblick is waiting for the OpenVPN server to either accept or deny the authentication. The problem is that if the certificate has expired, OpenVPN server stops responding, and never tells Tunnelblick the authorization failed. So Tunnelblick keeps waiting. I think this is deliberate behavior by the OpenVPN server, to avoid possible DNS attacks by someone with an expired certificate.

The next beta will fix this problem by dealing with the log notice about the expired certificate earlier, and disconnecting the VPN. It will do that unless the "doNotDisconnectForCertificateProblems" preference is set to be true.
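The decision logic described above, as an added illustration that is not Tunnelblick's or OpenVPN's own code: scan the OpenVPN log for the certificate-expiry notice and disconnect at once unless the preference is set, and otherwise stop waiting once no authorization result has arrived within a timeout. The exact OpenVPN warning text, the timestamp format and the sample log lines are assumptions constructed for this example.

```python
import re
from datetime import datetime

# Constructed patterns: the exact OpenVPN wording is an assumption, not taken from the thread.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
CERT_PROBLEM_RE = re.compile(r"WARNING: Your certificate (has expired|is not yet valid)")
AUTH_OK_RE = re.compile(r"Initialization Sequence Completed")
AUTH_FAIL_RE = re.compile(r"AUTH_FAILED")


def decide(log_lines, do_not_disconnect_for_cert_problems=False, auth_timeout=60):
    """Return (action, reason) for a connection attempt, given the log so far.

    action is "disconnect", "connected" or "wait".  A certificate problem ends the
    attempt immediately (unless the hypothetical preference is true); otherwise we
    wait for the server's verdict, but give up if the log shows auth_timeout seconds
    passing with no verdict, which is the silent-server case from the thread.
    """
    first_ts = last_ts = None
    for line in log_lines:
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            first_ts = first_ts or ts
            last_ts = ts
        if CERT_PROBLEM_RE.search(line) and not do_not_disconnect_for_cert_problems:
            return ("disconnect", "certificate problem: " + line.split("WARNING: ", 1)[1].strip())
        if AUTH_FAIL_RE.search(line):
            return ("disconnect", "server rejected authentication")
        if AUTH_OK_RE.search(line):
            return ("connected", "server accepted authentication")
    elapsed = (last_ts - first_ts).total_seconds() if first_ts and last_ts else 0
    if elapsed >= auth_timeout:
        return ("disconnect", "no authorization response after %d seconds" % elapsed)
    return ("wait", "still authorizing")


# Constructed sample log: the client warns about its expired certificate, then the
# server goes silent and no AUTH_FAILED or completion line ever appears.
SAMPLE_LOG = [
    "2021-02-08 17:30:56 OpenVPN client started (constructed line)",
    "2021-02-08 17:30:56 WARNING: Your certificate has expired!",
    "2021-02-08 17:30:57 TLS: Initial packet from [AF_INET]203.0.113.10:1194",
    "2021-02-08 17:32:05 TLS handshake still pending (constructed line)",
]

if __name__ == "__main__":
    print(decide(SAMPLE_LOG))        # immediate disconnect on the expiry warning
    print(decide(SAMPLE_LOG, True))  # preference set: detected as a hang instead
```

With the preference set, the same log is still caught, but only after the 60-second authorization timeout rather than at the first warning line.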
