
ROS ovpn-client doesn't verify server certificate.

Posted: Fri Oct 06, 2017 1:53 am
by lapsio
I noticed that ovpn-client doesn't take a server CA certificate as an argument. How does ROS verify the server then (if at all)?

Re: How ROS ovpn-client verifies server?

Posted: Fri Oct 06, 2017 8:04 am
by mrz
If CA certificate is imported then it is picked automatically for verification.

Re: How ROS ovpn-client verifies server?

Posted: Fri Oct 06, 2017 3:44 pm
by lapsio
In order to see if it works, I imported an invalid certificate (of a CA generated on another MikroTik, not the one hosting ovpn), but ovpn-client still connects without any problem:
[lapsio@CHRgw] > /certificate print detail 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0     A  T name="cert_export_ca-cert.crt_0" issuer=CN=bestpony.ml common-name="bestpony.ml" key-size=4096 days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign 
            serial-number="****" fingerprint="****" invalid-before=oct/06/2017 12:28:18 
            invalid-after=oct/06/2018 12:28:18 
[lapsio@CHRgw] > /interface ovpn-client print 
Flags: X - disabled, R - running 

 0  R name="ovpn-bestpony-direct" mac-address=FE:BC:A5:5E:74:E3 max-mtu=1500 connect-to=bestpony.ml port=1194 mode=ethernet user="lapsio-lapvm" 
      password="****" profile=default certificate=none auth=sha1 cipher=aes256 add-default-route=yes
Am I missing something?
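An audit helper for print output like the above, added here as an example and not code from the thread or from MikroTik. It parses RouterOS "/interface ovpn-client print" output (index, flag letters, key=value pairs wrapped onto indented continuation lines) and reports, per client, whether the server-certificate check is unavailable, switched off, or on. It assumes that the parameter introduced in 6.44.5 is printed as verify-server-certificate=yes|no (the changelog only gives its name); the sample text is constructed, except entry 0, which is the output posted above with the same values masked.

```python
"""Audit RouterOS '/interface ovpn-client print' output for OVPN clients that
cannot or do not verify the server certificate.

Added example, not code from the thread or from MikroTik. Assumptions: the
6.44.5+ parameter is printed as verify-server-certificate=yes|no (only its
name appears in the quoted changelog), and entries 1 and 2 below are made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample. Entry 0 is the output posted in the thread (a build with
# no verify-server-certificate parameter at all); 1 and 2 are invented to show
# the post-6.44.5 parameter in both states, with entry 2 disabled (X flag).
SAMPLE_PRINT = """\
Flags: X - disabled, R - running
 0  R name="ovpn-bestpony-direct" mac-address=FE:BC:A5:5E:74:E3 max-mtu=1500 connect-to=bestpony.ml port=1194 mode=ethernet user="lapsio-lapvm"
      password="****" profile=default certificate=none auth=sha1 cipher=aes256 add-default-route=yes
 1  R name="ovpn-hq" mac-address=FE:00:00:00:00:01 max-mtu=1500 connect-to=vpn.example.net port=1194 mode=ip user="branch1"
      password="****" profile=default certificate=none verify-server-certificate=yes auth=sha1 cipher=aes256 add-default-route=no
 2 X  name="ovpn-lab" mac-address=FE:00:00:00:00:02 max-mtu=1500 connect-to=lab.example.net port=1194 mode=ip user="lab"
      password="****" profile=default certificate=none verify-server-certificate=no auth=sha1 cipher=aes256 add-default-route=no
"""

# An entry starts with an index, optional single-letter flags, then key=value
# pairs; RouterOS wraps long entries onto indented continuation lines.
ENTRY_START = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S+=.*)$")
# key=value where the value is either a double-quoted string or a bare token.
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_print(text: str) -> List[Dict[str, str]]:
    """Turn print output into one dict per entry; flag letters land in '_flags'."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_START.match(line)
        if m:
            current = {"_index": m.group(1), "_flags": "".join(m.group(2).split())}
            entries.append(current)
            body = m.group(3)
        elif entries:
            body = line  # continuation line of the previous entry
        else:
            continue
        for key, raw in KV.findall(body):
            current[key] = raw.strip('"')
    return entries


def audit_ovpn_clients(text: str) -> List[Tuple[str, str]]:
    """Return (name, verdict) for every client in the output.

    'no-parameter': field absent, i.e. a build without the 6.44.5 fix; the
                    client accepts whatever answers on connect-to:port.
    'verify-off'  : fixed build, but the check is switched off.
    'ok'          : verify-server-certificate=yes.
    """
    verdicts: List[Tuple[str, str]] = []
    for e in parse_print(text):
        v = e.get("verify-server-certificate")
        if v is None:
            verdict = "no-parameter"
        elif v == "yes":
            verdict = "ok"
        else:
            verdict = "verify-off"
        verdicts.append((e.get("name", "?"), verdict))
    return verdicts


def insecure_clients(text: str) -> List[str]:
    """Names of enabled clients that would accept an attacker's server."""
    return [
        e.get("name", "?")
        for e in parse_print(text)
        if "X" not in e["_flags"] and e.get("verify-server-certificate") != "yes"
    ]


if __name__ == "__main__":
    for name, verdict in audit_ovpn_clients(SAMPLE_PRINT):
        print(f"{name:24s} {verdict}")
    print("enabled and interceptable:", insecure_clients(SAMPLE_PRINT))
```

Feed it the output of "/interface ovpn-client print" collected from each router (for example over SSH); anything listed by insecure_clients is a tunnel whose credentials and traffic can be taken by whoever can answer for the connect-to address, which is the attack the thread describes.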

Re: How ROS ovpn-client verifies server?

Posted: Sun Oct 08, 2017 10:30 pm
by lapsio
I tested it multiple times in various combinations, and ovpn-client doesn't verify the server certificate, allowing a trivial MITM attack and sniffing in networks with an SSL-decrypting proxy. I classify it as a serious vulnerability that makes ovpn-client a useless feature which silently compromises the security of the network.

Re: ROS ovpn-client doesn't verify server certificate.

Posted: Wed May 30, 2018 11:50 pm
by clannet
Hi,

Further to the original poster, we have also found this to be the case running RouterOS v6.40.8: the server certificates do not seem to be checked. We have tried both MikroTik to MikroTik and also MikroTik to the Windows OpenVPN client, with the same results.

Are we missing something?

Thanks,

Dean

Re: ROS ovpn-client doesn't verify server certificate.

Posted: Mon Aug 20, 2018 3:53 pm
by DotTest37
I've been following up on this topic.
Any news from MikroTik on this issue?

Re: ROS ovpn-client doesn't verify server certificate.

Posted: Sun May 19, 2019 9:26 pm
by patera
Hello,
Is MikroTik working on this issue? Does some workaround exist? Does setting a PPP secret help, or is an attacker able to decode the password?

Re: ROS ovpn-client doesn't verify server certificate.

Posted: Tue Jul 16, 2019 11:11 pm
by lapsio
It was supposedly fixed 2 weeks ago in release 6.44.5:

*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);

viewtopic.php?t=150045
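For anyone landing here after that release, the following is an added example of the resulting configuration, not a configuration from the thread or from MikroTik's documentation. It assumes RouterOS 6.44.5 or later, that the server's CA has been uploaded to the router as ca.crt, and placeholder names and hostnames (ovpn-hq, vpn.example.net, branch1). The only new parameter is the one named in the changelog above; what it checks beyond the chain against the imported, trusted CA is not covered by the thread, so confirm against the release notes for your version.

```routeros
# Added example (not from the thread or MikroTik documentation): an OVPN
# client on RouterOS 6.44.5+ that verifies the server. All names are placeholders.

# 1. Import only the CA that signed the server's certificate (uploaded as ca.crt).
#    As lapsio's test shows, before the fix an unrelated CA (or none) made no difference.
/certificate import file-name=ca.crt passphrase=""

# 2. Confirm it carries the A (authority) and T (trusted) flags, as in the
#    "/certificate print detail" output earlier in the thread.
/certificate print detail where name~"ca"

# 3. Vulnerable form: equivalent to what the thread observed on 6.40.x, and what
#    a fixed build still does if the parameter is left at no. Whoever can answer
#    for vpn.example.net:1194 receives the user/password and terminates the tunnel.
# /interface ovpn-client add name=ovpn-insecure connect-to=vpn.example.net port=1194 mode=ip user=branch1 password=REDACTED verify-server-certificate=no

# 4. Corrected form: same client with server verification enabled.
/interface ovpn-client add name=ovpn-hq connect-to=vpn.example.net port=1194 mode=ip user=branch1 password=REDACTED auth=sha1 cipher=aes256 verify-server-certificate=yes

# 5. Make sure no other client on the router is still running without the check.
/interface ovpn-client print where verify-server-certificate=no
```

A quick negative test, mirroring lapsio's method: temporarily replace the imported CA with one from another router and confirm the client no longer comes up; if it still connects, the server is not being verified, whatever the parameter says.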