lapsio
Member
Topic Author
Posts: 435
Joined: Wed Feb 24, 2016 5:19 pm

ROS ovpn-client doesn't verify server certificate.

Fri Oct 06, 2017 1:53 am

I noticed that ovpn-client doesn't take a server CA certificate as an argument. How does ROS verify the server then (if at all)?
Last edited by lapsio on Sun Oct 08, 2017 10:31 pm, edited 1 time in total.
MTCNA, MTCRE, MTCINE
 
mrz
MikroTik Support
Posts: 5813
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: How ROS ovpn-client verifies server?

Fri Oct 06, 2017 8:04 am

If the CA certificate is imported, then it is picked automatically for verification.
 
lapsio
Member
Topic Author
Posts: 435
Joined: Wed Feb 24, 2016 5:19 pm

Re: How ROS ovpn-client verifies server?

Fri Oct 06, 2017 3:44 pm

In order to see if it works, I imported an invalid certificate (of a CA generated on another MikroTik, not the one hosting OVPN), but ovpn-client still connects without any problem:
[lapsio@CHRgw] > /certificate print detail 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0     A  T name="cert_export_ca-cert.crt_0" issuer=CN=bestpony.ml common-name="bestpony.ml" key-size=4096 days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign 
            serial-number="****" fingerprint="****" invalid-before=oct/06/2017 12:28:18 
            invalid-after=oct/06/2018 12:28:18 
[lapsio@CHRgw] > /interface ovpn-client print 
Flags: X - disabled, R - running 

 0  R name="ovpn-bestpony-direct" mac-address=FE:BC:A5:5E:74:E3 max-mtu=1500 connect-to=bestpony.ml port=1194 mode=ethernet user="lapsio-lapvm" 
      password="****" profile=default certificate=none auth=sha1 cipher=aes256 add-default-route=yes
Am I missing something?
MTCNA, MTCRE, MTCINE
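The test done in the post above (import a CA that did not issue the server's certificate and see whether the client still connects), written out as a stand-alone Go example added here; it is not code from the thread or from RouterOS. A verifying TLS client must refuse the server when its only trusted root is the wrong CA, while a client with verification switched off connects regardless. The hostname bestpony.ml is reused from the thread; the CAs, certificates and helper names are constructed for the example, and a plain TLS listener stands in for the OpenVPN server's TLS control channel.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// mkCert issues a certificate for cn signed by parent, or a self-signed CA when parent is nil.
func mkCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// startServer runs a loopback TLS server whose leaf certificate is issued by ca and returns host:port.
func startServer(ca *x509.Certificate, caKey *ecdsa.PrivateKey) string {
	leaf, key := mkCert("bestpony.ml", ca, caKey) // constructed certificate; the hostname is the thread's
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	srv.StartTLS()
	return srv.Listener.Addr().String()
}
// connectTrusting dials addr as a client whose only trusted roots are `roots`; a nil pool reproduces
// a client that skips server verification, which is the ovpn-client behaviour the thread reports.
func connectTrusting(addr string, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: "bestpony.ml", RootCAs: roots, InsecureSkipVerify: roots == nil}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}
```

With the wrong CA in the pool, tls.Dial fails with an unknown-authority error, which is the outcome the post above expected to see from ovpn-client.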
 
lapsio
Member
Topic Author
Posts: 435
Joined: Wed Feb 24, 2016 5:19 pm

Re: How ROS ovpn-client verifies server?

Sun Oct 08, 2017 10:30 pm

I tested it multiple times in various combinations, and ovpn-client doesn't verify the server certificate, allowing a trivial MITM attack and sniffing in networks with an SSL-decrypting proxy. I classify it as a serious vulnerability, making ovpn-client a useless feature that silently compromises the security of the network.
MTCNA, MTCRE, MTCINE
 
clannet
just joined
Posts: 5
Joined: Fri Mar 23, 2012 12:36 pm
Location: UK

Re: ROS ovpn-client doesn't verify server certificate.

Wed May 30, 2018 11:50 pm

Hi,

Further to the original poster, we have also found this to be the case running RouterOS v6.40.8: the server certificates do not seem to be checked. We have tried both MikroTik to MikroTik and also MikroTik to the Windows OpenVPN client, with the same results.

Are we missing something?

Thanks,

Dean
 
DotTest37
newbie
Posts: 42
Joined: Sun Oct 06, 2013 10:01 pm

Re: ROS ovpn-client doesn't verify server certificate.

Mon Aug 20, 2018 3:53 pm

I've been following up on this topic.
Any news from MikroTik on this issue?
