  1. #1
    justinm001 (Untanglit)
    Join Date: Nov 2016
    Posts: 17

    openVPN SSL cert

    Is there an easy way to attach an SSL cert to the OpenVPN server? The default lasts 10 years and is obviously self-signed, both of which invalidate PCI compliance. We have an SSL setup for Untangle but this isn't passed through.

  2. #2
    jcoffin (Untangler)
    Join Date: Aug 2008
    Location: Sunnyvale, CA
    Posts: 9,201

    Inserting your own cert into OpenVPN is not supported.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 25,263

    OpenVPN using its own certificate authority does not invalidate PCI compliance.

    And no, you can't stuff a certificate in there. OpenVPN is an authority, not a single cert.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    justinm001 (Untanglit)
    Join Date: Nov 2016
    Posts: 17

    ANY certificate over 825 days (27 months) invalidates PCI compliance. Also, the cert isn't using the OpenVPN certificate authority but "certificateAuthority", which is generic.

  5. #5
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 25,263

    Quote Originally Posted by justinm001:
        ANY certificate over 825 days (27 months) invalidates PCI compliance. Also the cert isn't using openVPN certificate authority but "certificateAuthority" which is generic.
    Yes... because OpenVPN is a CERTIFICATE AUTHORITY. It needs not a certificate that works online as you understand it, but a certificate that can issue other certificates.

    If you want that to be "valid" you have to become an authority yourself. That means, you're Verisign. Which isn't happening, at least not publicly and valid. And no, this doesn't invalidate PCI compliance.

    If it did the certificates used by AD would make you invalid.

    OpenVPN is a certificate authority that issues its own certificates to clients thereby maintaining its own unique trust chain. This chain is not publicly trustable, nor can it ever be so. The certificates are used as single use keys to authenticate a VPN client. The platform allows for username / password pairs to be used in tandem to improve the VPN's security.

    Any PCI compliant communications that should take place over the tunnel will need to utilize their own authentication and encryption mechanism. This is typically handled via https. And therefore, OpenVPN's use, like any other VPN technology, is largely irrelevant to PCI compliance mandates. Other than that, there needs to be clear documentation of what certificates are issued to what devices, and a policy in place to identify compromised or decommissioned certificates and remove them from the authentication chain.

    This is a false positive on your scan, file the appropriate exemption.
    Last edited by sky-knight; 10-06-2020 at 12:50 PM.

  6. #6
    justinm001 (Untanglit)
    Join Date: Nov 2016
    Posts: 17

    SSL isn't my strength so what you're saying does make sense. But I guess openVPN can't be compliant regardless.

    OpenVPN is external facing outside the firewall and subject to all vulnerabilities. Once you're inside the network the rules are much different.

  7. #7
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 25,263

    Yes... and this is where OpenVPN Shines! X.509 primer inbound!

    Certificates are infinitely stronger than the best passwords. When paired with username / password authentication you wind up with a security level that's the king of the hill in terms of all VPN anywhere... ever.

    But if you want to see the hole in the scanner take a look at this:
    Starting here: https://certs.godaddy.com/repository
    We get the GoDaddy Class 2 Certification Authority Root Certificate from here: https://certs.godaddy.com/repository/gd-class2-root.crt

    Which yields this:
    Code:
    -----BEGIN CERTIFICATE-----
    MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
    MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
    YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
    MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
    ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
    MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
    ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
    PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
    wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
    EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
    avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
    YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
    sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
    /t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
    IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
    YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
    ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
    OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
    TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
    HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
    dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
    ReYNnyicsbkqWletNw+vHX/bvZ8=
    -----END CERTIFICATE-----
    Now... that's a root certificate for a Class 2 Authority, similar to what OpenVPN uses for itself.

    Now... go here: https://www.sslshopper.com/certificate-decoder.html And stuff the above text into it...

    we get this:

    Certificate Information:
    Organization: The Go Daddy Group, Inc.
    Organization Unit: Go Daddy Class 2 Certification Authority
    Country: US
    Valid From: June 29, 2004
    Valid To: June 29, 2034
    Issuer: The Go Daddy Group, Inc.
    Serial Number: 0 (0x0)

    That's a THIRTY YEAR CERTIFICATE.

    Are you saying that anyone using a Godaddy SSL certificate isn't compliant? Because honestly... this is the argument being made. ALL Godaddy certificates link to this one. They all start... here.

    This is just a false positive, your PCI scanner shouldn't be mucking with OpenVPN AT ALL to begin with. It doesn't muck with PPTP, and that mess has been broken so hard literally every known cypher it can use is trivially reversed. The certificate based authentication tokens issued by OpenVPN as a single factor are stronger than any username / password authentication you could ever use. And Untangle makes it trivial to ADD username / password auth to OpenVPN so you wind up with BOTH in play... which I've never in my professional career seen breached.

    Those scanners are a guide to your PCI compliance, not the final arbiter of all truth.

    You will also note, Godaddy issued this certificate to themselves. They didn't buy it from someone else... They're the START of the chain of trust their sold certificates build. OpenVPN is doing the exact same thing for your company right now. You choose to trust it or not, based on your usage.

    You don't have to be strong in certificate authentication to understand how the chain of trust works. But do not believe the scanner... you do NOT NEED a publicly valid certificate for Untangle for ANY purpose. Not for OpenVPN, not for admin access, none of it.

    The scanner is attempting to find a web server that might be accepting credit cards using a self signed certificate. THAT is a PCI violation.

    I would hate to see you downgrade your security swapping to, say, a Meraki that passes the scan with a vastly inferior VPN implementation. Yes, the scanner claims there is a problem, but no, there really isn't a problem.
    Last edited by sky-knight; 10-06-2020 at 01:17 PM.
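The decode sky-knight did by hand on sslshopper, repeated in code as an added example (it is not from the thread, from Untangle, or from OpenVPN): a stdlib-only Python inspector that parses the GoDaddy Class 2 root pasted above and reports its validity window, whether issuer equals subject, whether basicConstraints marks it as a CA, and whether its own RSA key verifies its signature, which is what "issued this certificate to themselves" means at the byte level. The minimal DER walker handles only what X.509 needs, the signature check covers only sha1WithRSAEncryption (which this particular root uses), and the classify() helper with its 825-day threshold is an assumption that mirrors the thread's argument, not any PCI or scanner rule.

```python
import base64
import datetime as dt
import hashlib

# The GoDaddy Class 2 root exactly as pasted in the post above (a public root certificate, not constructed data).
GODADDY_CLASS2_ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----"""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")                    # 2.5.29.19
OID_SHA1_WITH_RSA = bytes.fromhex("06092a864886f70d010105")        # 1.2.840.113549.1.1.5 as a DER OID element
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo prefix for SHA-1

def _tlv(buf, pos):
    """Read one DER element (single-byte tags suffice for X.509); return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield the elements inside a constructed element's value range."""
    while start < end:
        tag, vstart, start = _tlv(buf, start)
        yield tag, vstart, start

def _time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def _is_ca(der, exts):
    """Find basicConstraints inside the [3] Extensions wrapper and return its cA flag."""
    _, seq_start, seq_end = next(_children(der, exts[1], exts[2]))
    for _, es, ee in _children(der, seq_start, seq_end):
        parts = list(_children(der, es, ee))            # OID, optional critical BOOLEAN, OCTET STRING
        if der[parts[0][1]:parts[0][2]] != OID_BASIC_CONSTRAINTS:
            continue
        _, bc_start, bc_end = next(_children(der, parts[-1][1], parts[-1][2]))  # inner SEQUENCE
        return any(t == 0x01 and der[s] != 0 for t, s, _ in _children(der, bc_start, bc_end))
    return False

def _self_signature_ok(der, cert_start, cert_end, tbs_end, spki):
    """Verify the sha1WithRSA signature with the certificate's OWN key (PKCS#1 v1.5 via plain pow)."""
    _, bits_start, _ = list(_children(der, spki[1], spki[2]))[1]            # subjectPublicKey BIT STRING
    _, key_start, key_end = _tlv(der, bits_start + 1)                       # skip the unused-bits byte
    n, e = [int.from_bytes(der[s:t], "big") for _, s, t in _children(der, key_start, key_end)]
    sig_alg, sig = list(_children(der, cert_start, cert_end))[1:]
    if not der[sig_alg[1]:sig_alg[2]].startswith(OID_SHA1_WITH_RSA):
        return None                                                         # other algorithms are out of scope here
    sig_bytes = der[sig[1] + 1:sig[2]]                                      # BIT STRING minus unused-bits byte
    em = pow(int.from_bytes(sig_bytes, "big"), e, n).to_bytes(len(sig_bytes), "big")
    digest = hashlib.sha1(der[cert_start:tbs_end]).digest()                 # the hash covers the whole TBS element
    padding = b"\xff" * (len(sig_bytes) - 3 - len(SHA1_DIGESTINFO) - len(digest))
    return em == b"\x00\x01" + padding + b"\x00" + SHA1_DIGESTINFO + digest

def inspect_certificate(pem):
    """Return the facts the thread argues about: validity window, self-signed, CA flag, self-signature."""
    der = base64.b64decode("".join(l for l in pem.strip().splitlines() if not l.startswith("-----")))
    _, cert_start, cert_end = _tlv(der, 0)                                  # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)                           # tbsCertificate SEQUENCE
    f = list(_children(der, tbs_start, tbs_end))
    i = 1 if f[0][0] == 0xA0 else 0                                         # optional [0] EXPLICIT version
    serial, _sigalg, issuer, validity, subject, spki = f[i:i + 6]
    nb, na = [_time(t, der[s:e]) for t, s, e in _children(der, validity[1], validity[2])]
    exts = next((x for x in f[i + 6:] if x[0] == 0xA3), None)               # [3] EXPLICIT extensions
    return {
        "serial": int.from_bytes(der[serial[1]:serial[2]], "big", signed=True),
        "not_before": nb, "not_after": na, "lifetime_days": (na - nb).days,
        "self_signed": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]],
        "is_ca": exts is not None and _is_ca(der, exts),
        "self_signature_valid": _self_signature_ok(der, cert_start, cert_end, tbs_end, spki),
    }

def classify(info, max_leaf_days=825):
    """Assumed rule mirroring the thread: the day ceiling is for end-entity certs; CAs are long-lived by design."""
    if info["is_ca"]:
        return "ca-root" if info["self_signed"] else "ca-intermediate"
    return "leaf-ok" if info["lifetime_days"] <= max_leaf_days else "leaf-too-long"

if __name__ == "__main__":
    facts = inspect_certificate(GODADDY_CLASS2_ROOT_PEM)
    print({k: str(v) for k, v in facts.items()}, classify(facts))
```

On the GoDaddy root this reports serial 0, June 29 2004 to June 29 2034 (10957 days), issuer identical to subject, cA set, and a signature that verifies under the certificate's own key, so classify() returns "ca-root". Feeding it an end-entity server certificate instead gives "leaf-ok" or "leaf-too-long", which is the distinction the scanner described in the thread collapses. For anything beyond illustration use `openssl x509 -noout -text` or the `cryptography` package rather than a hand-rolled parser.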

  8. #8
    justinm001 (Untanglit)
    Join Date: Nov 2016
    Posts: 17

    Thank you for the explanation. It just made me realize that the SSL isn't used to verify the authenticity of what it's connecting to but is used to secure the VPN tunnel and provide the cert to the other end.

  9. #9
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 25,263

    Correct! The server uses that chain to authenticate devices as they connect.

    The encryption happens separately. But, even if you're running card data over the tunnel, the card data should be running through your CC software, which... in every case I've worked with thus far... is a web browser connecting to a web server. Unless that web server is onsite, there isn't anything to scan!

    Which brings us back to the real question, why are you scanning Untangle to begin with?
