and if less than 100MB RAM are available, use setrlimit() to upgrade
the limit. See Trac #1390. Not available on OpenSolaris.
+Certificate pinning/verify peer fingerprint
+ The ``--peer-fingerprint`` option has been introduced to give users an
+ easy to use alternative to the ``tls-verify`` for matching the
+ fingerprint of the peer. The option takes use a number of allowed
+ SHA256 certificate fingerprints.
+
Deprecated features
-------------------
OpenVPN allows including files in the main configuration for the ``--ca``,
``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``,
``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``,
-``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and
-``--verify-hash`` options.
+``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``,
+``--tls-crypt-v2`` and ``--verify-hash`` options.
Each inline file started by the line ``<option>`` and ended by the line
``</option>``
man-in-the-middle attack where an authorized client attempts to connect
to another client by impersonating the server. The attack is easily
prevented by having clients verify the server certificate using any one
- of ``--remote-cert-tls``, ``--verify-x509-name``, or ``--tls-verify``.
+ of ``--remote-cert-tls``, ``--verify-x509-name``, ``--peer-fingerprint``
+ or ``--tls-verify``.
--tls-auth args
Add an additional layer of HMAC authentication on top of the TLS control
If the option is inlined, ``algo`` is always :code:`SHA256`.
+--peer-fingerprint args
+ Specify a SHA256 fingerprint or list of SHA256 fingerprints to verify
+ the peer certificate against. The peer certificate must match one of the
+ fingerprint or certificate verification will fail. The option can also
+ be inlined
+
+ Valid syntax:
+ ::
+
+ peer-fingerprint AD:B0:95:D8:09:...
+
+ or inline:
+ ::
+
+ <peer-fingerprint>
+ 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
+ 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
+ </peer-fingerprint>
+
--verify-x509-name args
Accept connections only if a host's X.509 name is equal to **name.** The
remote host must also pass all other tests of verification.
to.remote_cert_eku = options->remote_cert_eku;
to.verify_hash = options->verify_hash;
to.verify_hash_algo = options->verify_hash_algo;
+ to.verify_hash_depth = options->verify_hash_depth;
#ifdef ENABLE_X509ALTUSERNAME
memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
#else
options->extra_certs_file = p[1];
options->extra_certs_file_inline = is_inline;
}
- else if (streq(p[0], "verify-hash") && p[1] && !p[3])
+ else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
+ || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
{
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
+
+ int verify_hash_depth = 0;
+ if (streq(p[0], "verify-hash"))
+ {
+ /* verify level 1 cert, i.e. the CA that signed the leaf cert */
+ verify_hash_depth = 1;
+ }
+
options->verify_hash_algo = MD_SHA256;
int digest_len = SHA256_DIGEST_LENGTH;
- if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
+ if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
{
- options->verify_hash_algo = MD_SHA1;
- msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for "
- "verify-hash is deprecated. You should switch to SHA256.");
- options->verify_hash_algo = MD_SHA1;
- digest_len = SHA_DIGEST_LENGTH;
+ msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
+ " --peer-fingerprint are mutually exclusive", p[0]);
+ goto err;
}
- else if (p[2] && !streq(p[2], "SHA256"))
+
+ if (streq(p[0], "verify-hash"))
{
- msg(msglevel, "invalid or unsupported hashing algorithm: %s "
- "(only SHA1 and SHA256 are valid)", p[2]);
- goto err;
+ if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
+ {
+ options->verify_hash_algo = MD_SHA1;
+ msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for "
+ "verify-hash is deprecated. You should switch to SHA256.");
+ options->verify_hash_algo = SHA_DIGEST_LENGTH;
+ digest_len = SHA_DIGEST_LENGTH;
+ }
+ else if (p[2] && !streq(p[2], "SHA256"))
+ {
+ msg(msglevel, "invalid or unsupported hashing algorithm: %s "
+ "(only SHA1 and SHA256 are supported)", p[2]);
+ goto err;
+ }
}
struct verify_hash_list *newlist;
if (!options->verify_hash)
{
options->verify_hash = newlist;
+ options->verify_hash_depth = verify_hash_depth;
}
else
{
const char *remote_cert_eku;
struct verify_hash_list *verify_hash;
hash_algo_type verify_hash_algo;
+ int verify_hash_depth;
unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
#ifdef ENABLE_PKCS11
unsigned remote_cert_ku[MAX_PARMS];
const char *remote_cert_eku;
struct verify_hash_list *verify_hash;
+ int verify_hash_depth;
hash_algo_type verify_hash_algo;
#ifdef ENABLE_X509ALTUSERNAME
char *x509_username_field[MAX_PARMS];
goto cleanup; /* Reject connection */
}
- /* verify level 1 cert, i.e. the CA that signed our leaf cert */
- if (cert_depth == 1 && opt->verify_hash)
+ if (cert_depth == opt->verify_hash_depth && opt->verify_hash)
{
- struct buffer ca_hash = {0};
+ struct buffer cert_fp = {0};
switch (opt->verify_hash_algo)
{
case MD_SHA1:
- ca_hash = x509_get_sha1_fingerprint(cert, &gc);
+ cert_fp = x509_get_sha1_fingerprint(cert, &gc);
break;
case MD_SHA256:
- ca_hash = x509_get_sha256_fingerprint(cert, &gc);
+ cert_fp = x509_get_sha256_fingerprint(cert, &gc);
break;
default:
while (current_hash)
{
- if (memcmp_constant_time(BPTR(&ca_hash), current_hash->hash,
- BLEN(&ca_hash)) == 0)
+ if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash,
+ BLEN(&cert_fp)) == 0)
{
break;
}
if (!current_hash)
{
- msg(D_TLS_ERRORS, "TLS Error: --tls-verify certificate hash verification failed");
+ const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp),
+ 0, 1, ":", &gc);
+ msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
+ "certificate hash verification failed. (got "
+ "fingerprint: %s", hex_fp);
goto cleanup;
}
}