@ybayart ybayart commented Sep 25, 2025

Hi,

Here is an implementation of Nonce validation disabling, initially proposed by the author of OCSP validation: #7082 (comment)

Additionally there might be some more settings that should be at least considered if they should be configurable:
nonce usage (https://www.openssl.org/docs/man3.0/man3/OCSP_check_nonce.html)

Validation is done this way, by checking if the first line is an OK response ($output corresponds to the lines)

'pass' => $status == 'good' && trim($output[0]) == 'Response verify OK',

In cases where the OCSP Responder does not support Nonce, a response of this type is returned

# openssl ocsp -resp_no_certs -timeout 10 -nonce -CAfile $OCSP_CA -issuer $OCSP_CA -url $OCSP_URL -serial 463050772713033790379517141507295683732909432205
WARNING: no nonce in response
Response verify OK
463050772713033790379517141507295683732909432205: good
	This Update: Sep 25 14:33:37 2025 GMT
	Next Update: Sep 26 02:33:37 2025 GMT

By changing the -nonce parameter to -no_nonce, we get a request that can be parsed correctly

# openssl ocsp -resp_no_certs -timeout 10 -no_nonce -CAfile $OCSP_CA -issuer $OCSP_CA -url $OCSP_URL -serial 463050772713033790379517141507295683732909432205
Response verify OK
463050772713033790379517141507295683732909432205: good
	This Update: Sep 25 14:33:42 2025 GMT
	Next Update: Sep 26 02:33:42 2025 GMT

I use the OCSP Responder integrated into Vault community (Hashicorp).
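As an added example (not code from this pull request or from the project itself), the following Python script reproduces the parsing question raised in the description: the strict "first line must be `Response verify OK`" rule fails as soon as openssl prefixes its output with `WARNING: no nonce in response`, while a line-scanning parser can still verify the response, read the certificate status and record that the responder ignored the nonce. It also shows how an `ocsp_no_nonce` setting would select `-nonce` or `-no_nonce` on the openssl command line. The two sample outputs are constructed copies of the runs quoted above; the function names, the `OcspResult` type and the `ocsp_no_nonce` flag are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample output, modelled on the two `openssl ocsp` runs quoted in the PR
# description: one with the nonce warning, one produced with -no_nonce.
OUTPUT_WITH_NONCE_WARNING = (
    "WARNING: no nonce in response\n"
    "Response verify OK\n"
    "463050772713033790379517141507295683732909432205: good\n"
    "\tThis Update: Sep 25 14:33:37 2025 GMT\n"
    "\tNext Update: Sep 26 02:33:37 2025 GMT\n"
)

OUTPUT_NO_NONCE = (
    "Response verify OK\n"
    "463050772713033790379517141507295683732909432205: good\n"
    "\tThis Update: Sep 25 14:33:42 2025 GMT\n"
    "\tNext Update: Sep 26 02:33:42 2025 GMT\n"
)

VERIFY_OK = "Response verify OK"
NONCE_WARNING = "WARNING: no nonce in response"
# "<serial>: good|revoked|unknown" as printed by openssl ocsp (serial may be decimal or hex).
STATUS_RE = re.compile(r"^(?P<serial>[0-9A-Fa-f]+): (?P<status>good|revoked|unknown)$")


class OcspResult(NamedTuple):
    verified: bool          # the responder signature verified against the CA file
    status: Optional[str]   # 'good', 'revoked', 'unknown', or None if no status line was found
    nonce_missing: bool     # openssl warned that the responder did not echo the nonce


def parse_ocsp_output(output: str) -> OcspResult:
    """Scan every line instead of trusting the position of the verify line."""
    verified = False
    status: Optional[str] = None
    nonce_missing = False
    for raw in output.splitlines():
        line = raw.strip()
        if line == VERIFY_OK:
            verified = True
        elif line == NONCE_WARNING:
            nonce_missing = True
        else:
            match = STATUS_RE.match(line)
            if match:
                status = match.group("status")
    return OcspResult(verified, status, nonce_missing)


def strict_pass(output: str) -> bool:
    """The first-line rule from the PR description: status good AND line 0 is the verify line."""
    lines = output.splitlines()
    result = parse_ocsp_output(output)
    return bool(lines) and lines[0].strip() == VERIFY_OK and result.status == "good"


def tolerant_pass(output: str, ocsp_no_nonce: bool) -> bool:
    """Accept only a verified 'good' response; a missing nonce is fatal unless the
    operator explicitly gave up nonce (replay) protection via ocsp_no_nonce."""
    result = parse_ocsp_output(output)
    if not (result.verified and result.status == "good"):
        return False
    if result.nonce_missing and not ocsp_no_nonce:
        return False
    return True


def openssl_ocsp_args(ocsp_no_nonce: bool, ca_file: str, url: str, serial: str) -> List[str]:
    """Build the openssl ocsp argument vector, switching -nonce to -no_nonce when the
    option is set (argument names taken from the commands quoted in the description)."""
    return [
        "openssl", "ocsp", "-resp_no_certs", "-timeout", "10",
        "-no_nonce" if ocsp_no_nonce else "-nonce",
        "-CAfile", ca_file, "-issuer", ca_file, "-url", url, "-serial", serial,
    ]


if __name__ == "__main__":
    for name, out in (("with warning", OUTPUT_WITH_NONCE_WARNING), ("no_nonce", OUTPUT_NO_NONCE)):
        print(name, parse_ocsp_output(out), "strict:", strict_pass(out),
              "tolerant(no_nonce=False):", tolerant_pass(out, False))
```

The tolerant check keeps the replay-protection decision explicit: with `ocsp_no_nonce` off, a response that ignored the nonce is rejected for that stated reason rather than because a warning happened to push the verify line off line 0.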

@AdSchellevis AdSchellevis (Member) commented:
... initially proposed by the author of OCSP validation

well, technically, that's not completely true, the code originates from 318a1ae ;)

I don't mind that much adding an advanced option, although I do find it a bit odd they don't implement nonce on their end as apparently it's quite common to require them (hashicorp/vault#29364)

@AdSchellevis AdSchellevis self-assigned this Sep 25, 2025
'digest' => (string)$node->auth,
'description' => (string)$node->description,
'use_ocsp' => !$node->use_ocsp->isEmpty(),
'ocsp_nonce' => !$node->ocsp_no_nonce->isEmpty(),
Member:
I think ocsp_no_nonce is indeed the better name in this case, disabled by default, the rest of the code just doesn't seem to reflect that (e.g. ocsp_nonce).

@ybayart ybayart (Author) Sep 26, 2025:

Well, that's the logic I used initially (and an artifact I forgot to change before commit), but I found it a little confusing to have a negation.
anyway, now it's ocsp_no_nonce :)

@AdSchellevis AdSchellevis (Member) left a comment

@ybayart I've added a couple of suggestions for the labels and help texts, the code itself looks ok.

<style>role role_server</style>
<advanced>true</advanced>
<type>checkbox</type>
<help>When your OCSP Responder does not support Nonce Validation, a warning is returned and validation fails.</help>
Member:

Suggested change
<help>When your OCSP Responder does not support Nonce Validation, a warning is returned and validation fails.</help>
<help>When your OCSP Responder does not support the Nonce Extension, validation will fail. This option disables Nonces at the cost of losing protection against replay attacks</help>

</field>
<field>
<id>instance.ocsp_no_nonce</id>
<label>Disable OCSP Nonce validation</label>
Member:

Suggested change
<label>Disable OCSP Nonce validation</label>
<label>Disable OCSP Nonce extension</label>

@AdSchellevis AdSchellevis removed their assignment Nov 12, 2025