lapsio
Long time Member
Topic Author
Posts: 527
Joined: Wed Feb 24, 2016 5:19 pm

ROS ovpn-client doesn't verify server certificate.

Fri Oct 06, 2017 1:53 am

I noticed that ovpn-client doesn't take a server CA certificate as an argument. How does ROS verify the server then (if at all)?
Last edited by lapsio on Sun Oct 08, 2017 10:31 pm, edited 1 time in total.
mrz
MikroTik Support
Posts: 7110
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: How ROS ovpn-client verifies server?

Fri Oct 06, 2017 8:04 am

If a CA certificate is imported, then it is picked automatically for verification.
lapsio
Long time Member
Topic Author
Posts: 527
Joined: Wed Feb 24, 2016 5:19 pm

Re: How ROS ovpn-client verifies server?

Fri Oct 06, 2017 3:44 pm

In order to see if it works, I imported an invalid certificate (of a CA generated on another MikroTik, not the one hosting OVPN), but ovpn-client still connects without any problem:
[lapsio@CHRgw] > /certificate print detail 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0     A  T name="cert_export_ca-cert.crt_0" issuer=CN=bestpony.ml common-name="bestpony.ml" key-size=4096 days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign 
            serial-number="****" fingerprint="****" invalid-before=oct/06/2017 12:28:18 
            invalid-after=oct/06/2018 12:28:18 
[lapsio@CHRgw] > /interface ovpn-client print 
Flags: X - disabled, R - running 

 0  R name="ovpn-bestpony-direct" mac-address=FE:BC:A5:5E:74:E3 max-mtu=1500 connect-to=bestpony.ml port=1194 mode=ethernet user="lapsio-lapvm" 
      password="****" profile=default certificate=none auth=sha1 cipher=aes256 add-default-route=yes
Am I missing something?
lapsio
Long time Member
Topic Author
Posts: 527
Joined: Wed Feb 24, 2016 5:19 pm

Re: How ROS ovpn-client verifies server?

Sun Oct 08, 2017 10:30 pm

I tested it multiple times in various combinations, and ovpn-client doesn't verify the server certificate, allowing a trivial MITM attack and sniffing in networks with an SSL decryptor proxy. I classify it as a serious vulnerability, making ovpn-client a useless feature that silently compromises the security of the network.
clannet
just joined
Posts: 5
Joined: Fri Mar 23, 2012 12:36 pm
Location: UK
Contact:

Re: ROS ovpn-client doesn't verify server certificate.

Wed May 30, 2018 11:50 pm

Hi,

Further to the original poster, we have also found this to be the case running RouterOS v6.40.8: the server certificates do not seem to be checked. We have tried both MikroTik to MikroTik and also MikroTik to the Windows OpenVPN client, with the same results.

Are we missing something?

Thanks,

Dean
DotTest37
Frequent Visitor
Posts: 60
Joined: Sun Oct 06, 2013 10:01 pm

Re: ROS ovpn-client doesn't verify server certificate.

Mon Aug 20, 2018 3:53 pm

I've been following up on this topic.
Any news from Mikrotik on this issue?
patera
just joined
Posts: 5
Joined: Fri May 17, 2019 5:24 pm

Re: ROS ovpn-client doesn't verify server certificate.

Sun May 19, 2019 9:26 pm

Hello,
Is Mikrotik working on this issue? Does some workaround exist? Does setting a PPP secret help, or is an attacker able to decode the password?
lapsio
Long time Member
Topic Author
Posts: 527
Joined: Wed Feb 24, 2016 5:19 pm

Re: ROS ovpn-client doesn't verify server certificate.

Tue Jul 16, 2019 11:11 pm

It was supposedly fixed 2 weeks ago in release 6.44.5:

*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);

viewtopic.php?t=150045
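For readers landing on this thread looking for the client-side configuration, here is an added example (not from any poster, and not MikroTik's own documentation) of what the earlier test in this thread was missing and what the 6.44.5 parameter turns on. It assumes a RouterOS release with the fix, a CA certificate already uploaded to the router as ca.crt (file name assumed), and the interface name from the output quoted earlier in the thread.

```routeros
# Import the CA that signed the OVPN server's certificate into the router's
# certificate store. File name "ca.crt" is assumed for this example.
/certificate import file-name=ca.crt

# The imported CA should show the A (authority) flag; mark it trusted so it is
# eligible for chain verification, as in the "A T" entry quoted earlier.
/certificate set [find name~"ca"] trusted=yes
/certificate print detail where name~"ca"

# Turn on server certificate verification for the existing client interface.
# Before 6.44.5 this parameter did not exist and the client accepted any
# server certificate, which is the behaviour the thread reproduces.
/interface ovpn-client set [find name="ovpn-bestpony-direct"] verify-server-certificate=yes

# Negative check: with verification on, a server whose certificate does not
# chain to a trusted imported CA (e.g. a CA from another router, as tested
# above) must now fail to connect instead of silently coming up. The
# interface should lose its R (running) flag and the reason appears in the log.
/interface ovpn-client print
/log print
```

The useful check is the negative one: repeat the original poster's experiment (a CA from a different router) after enabling the parameter and confirm the tunnel no longer establishes. A client that still connects with the wrong CA trusted is still not verifying, whatever the setting claims.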