OpenVPN ignore rules should silence certificate validation messages

Bug #806537 reported by Simon Déziel
Affects: logcheck (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Using "remote-cert-tls server" in a client configuration results in the following log messages being reported:

Jul 5 15:39:44 simon-laptop openvpn[9228]: ++ Certificate has key usage 00a0, expects 00a0
Jul 5 15:39:44 simon-laptop openvpn[9228]: VERIFY KU OK
Jul 5 15:39:44 simon-laptop openvpn[9228]: Validating certificate extended key usage
Jul 5 15:39:44 simon-laptop openvpn[9228]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 5 15:39:44 simon-laptop openvpn[9228]: VERIFY EKU OK
Jul 5 15:39:44 simon-laptop openvpn[9228]: VERIFY X509NAME OK: /C=*****/<email address hidden>

Using "remote-cert-tls client" in a server configuration results in similar log output. I think this is something that should be ignored when the key usage matches the expectation. Here is a suggested solution:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Validating certificate (|extended )key usage$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? \+\+ Certificate has key usage ([0-9a-f]{4}), expects \4$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? \+\+ Certificate has EKU \(str\) TLS Web (Client|Server) Authentication, expects TLS Web \4 Authentication$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? VERIFY (|E)KU OK$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? VERIFY X509NAME OK: .+$

Those rules should be added to /etc/logcheck/ignore.d.server/openvpn

$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

$ apt-cache policy logcheck-database
logcheck-database:
  Installed: 1.3.13
  Candidate: 1.3.13
  Version table:
 *** 1.3.13 0
        500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: logcheck-database 1.3.13
ProcVersionSignature: Ubuntu 2.6.38-10.46-generic 2.6.38.7
Uname: Linux 2.6.38-10-generic x86_64
Architecture: amd64
Date: Wed Jul 6 08:34:38 2011
Dependencies:

PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: logcheck
UpgradeStatus: No upgrade log present (probably fresh install)
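To see what the proposed rules do in practice, here is an added example (not part of the report or of logcheck itself) that feeds them to GNU grep -E, the matcher logcheck runs, over a constructed sample log; the hostname, PID, DN and the deliberately mismatched lines are made up. Lines whose "expects" value does not match the backreference are left for logcheck to report.

```shell
#!/bin/sh
# Added example, not part of the bug report: run the proposed ignore
# rules through GNU grep -E (logcheck's matcher) and show which sample
# lines would still be reported. Rule file path, host, DN and log are
# constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/openvpn"       # stands in for /etc/logcheck/ignore.d.server/openvpn
LOG="$WORK/syslog.sample"   # constructed sample, not a real syslog

# The five rules from the report, verbatim (quoted heredoc: no expansion).
cat >"$RULES" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Validating certificate (|extended )key usage$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? \+\+ Certificate has key usage ([0-9a-f]{4}), expects \4$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? \+\+ Certificate has EKU \(str\) TLS Web (Client|Server) Authentication, expects TLS Web \4 Authentication$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? VERIFY (|E)KU OK$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? VERIFY X509NAME OK: .+$
EOF

# Constructed sample. syslog pads the day to two columns ("Jul 15"),
# which the [ :[:digit:]]{11} timestamp part of the rules relies on.
# The last three lines are mismatches/errors that must NOT be silenced.
cat >"$LOG" <<'EOF'
Jul 15 15:39:44 vpn-host openvpn[9228]: Validating certificate key usage
Jul 15 15:39:44 vpn-host openvpn[9228]: ++ Certificate has key usage 00a0, expects 00a0
Jul 15 15:39:44 vpn-host openvpn[9228]: VERIFY KU OK
Jul 15 15:39:44 vpn-host openvpn[9228]: Validating certificate extended key usage
Jul 15 15:39:44 vpn-host openvpn[9228]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 15 15:39:44 vpn-host openvpn[9228]: VERIFY EKU OK
Jul 15 15:39:44 vpn-host openvpn[9228]: VERIFY X509NAME OK: /C=XX/CN=vpn.example.invalid
Jul 15 15:40:02 vpn-host openvpn[9228]: ++ Certificate has key usage 00a0, expects 0080
Jul 15 15:40:02 vpn-host openvpn[9228]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Jul 15 15:40:02 vpn-host openvpn[9228]: VERIFY KU ERROR
EOF

# Lines that survive the ignore rules are what logcheck would mail out.
# grep -v exits 1 when every line was filtered, so do not let that abort.
reported() {
    grep -E -v -f "$RULES" "$LOG" || true
}

reported_count() {
    reported | wc -l | tr -d ' '
}

echo "Lines logcheck would still report:"
reported
```

Only the three mismatch/error lines survive; every "expects" line whose value equals the observed one is silenced by the backreference.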

Simon Déziel (sdeziel)
tags: removed: amd64
Loïc Minier (lool) wrote:

Would you mind sending your updated rules directly upstream?
http://wiki.logcheck.org/RuleSubmission

Thanks!

Simon Déziel (sdeziel) wrote:
Changed in logcheck (Ubuntu):
status: New → Fix Released