OpenVPN: Allow Nonce Validation to be disabled when using OCSP

src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml

@@ -298,6 +298,19 @@
             <formatter>boolean</formatter>
         </grid_view>
     </field>
+    <field>
+        <id>instance.ocsp_no_nonce</id>
+        <label>Disable OCSP Nonce validation</label>
+        <style>role role_server</style>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>When your OCSP Responder does not support Nonce Validation, a warning is returned and validation fails.</help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
+    </field>
     <field>
         <id>instance.cert_depth</id>
         <label>Certificate Depth</label>

src/opnsense/mvc/app/library/OPNsense/Trust/Store.php

@@ -609,9 +609,10 @@ public static function getCaChain($caref)
     /**
      * @param $ca_filename string filename
      * @param $serial serial number to check
+     * @param $no_nonce nonce check disabled
      * @return array
      */
-    public static function ocsp_validate($ca_filename, $serial)
+    public static function ocsp_validate($ca_filename, $serial, $no_nonce = false)
     {
         if (!is_file($ca_filename)) {
             return [
@@ -633,8 +634,8 @@ public static function ocsp_validate($ca_filename, $serial)
             $verdict_pass = false;
             $result = exec(
                 exec_safe(
-                    "%s ocsp -resp_no_certs -timeout 10 -nonce -CAfile %s -issuer %s -url %s -serial %s 2>&1",
-                    ['/usr/bin/openssl', $ca_filename, $ca_filename, $ocsp_uri, $serial]
+                    "%s ocsp -resp_no_certs -timeout 10 %s -CAfile %s -issuer %s -url %s -serial %s 2>&1",
+                    ['/usr/bin/openssl', $no_nonce ? '-no_nonce' : '-nonce', $ca_filename, $ca_filename, $ocsp_uri, $serial]
                 ),
                 $output,
                 $retval

src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php

@@ -435,6 +435,7 @@ public function getInstanceById($server_id, $role = null)
                     'digest' => (string)$node->auth,
                     'description' => (string)$node->description,
                     'use_ocsp' => !$node->use_ocsp->isEmpty(),
+                    'ocsp_no_nonce' => !$node->ocsp_no_nonce->isEmpty(),
                     // legacy only (backwards compatibility)
                     'crypto' => (string)$node->{'data-ciphers-fallback'},
                 ];
@@ -479,6 +480,7 @@ public function getInstanceById($server_id, $role = null)
                         'digest' => (string)$item->digest,
                         'interface' => (string)$item->interface,
                         'use_ocsp' => false,
+                        'ocsp_no_nonce' => false,
                     ];
                 }
             }

src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml

@@ -207,6 +207,10 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </use_ocsp>
+                <ocsp_no_nonce type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </ocsp_no_nonce>
                 <auth type="OptionField">
                     <BlankDesc>OpenVPN default</BlankDesc>
                     <OptionValues>

src/opnsense/scripts/openvpn/tls_verify.php

@@ -46,7 +46,7 @@ function do_verify($serverid)
         return "Certificate depth {$certificate_depth} exceeded max allowed depth of {$allowed_depth}.";
     } elseif ($a_server['use_ocsp'] && $certificate_depth == 0) {
         $serial = getenv('tls_serial_' . $certificate_depth);
-        $ocsp_response = OPNsense\Trust\Store::ocsp_validate("/var/etc/openvpn/instance-" . $serverid . ".ca", $serial);
+        $ocsp_response = OPNsense\Trust\Store::ocsp_validate("/var/etc/openvpn/instance-" . $serverid . ".ca", $serial, $a_server['ocsp_no_nonce']);
         if (!$ocsp_response['pass']) {
             return sprintf(
                 "[serial : %s] @ %s - %s (%s)",