OPNsense Forum
English Forums => 24.7 Production Series => Topic started by: soupdiver on August 04, 2024, 11:09:22 pm
-
I am trying to set up web interface auth via client certificates.
I created a CA and a user certificate. But when I download the exported cert and try to add it to the keychain on my Mac it errors out. Checking the file using openssl also shows an error:
openssl pkcs12 -info -in cert.p12
004C26F401000000:error:0680007B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:105:
Any ideas?
-
Apply the patch or wait for 24.7.1
https://github.com/opnsense/core/issues/7703 (https://github.com/opnsense/core/issues/7703)
opnsense-patch b3aa910
-
ah interesting... of course what a timing to try this out. Thanks!
Question in general: is it possible to use a cert to log in to the web interface in general? It's hard to find any info about that topic and ChatGPT seems to hallucinate an answer.
-
Not sure if lighttpd supports this. Note that these types of features are not certificate-based, they are CA-based so any valid certificate will yield you a login with matching CN from that CA.
Cheers,
Franco
-
I think it does, but it seems I misunderstood the intention of the client certificates in the UI then.
-
any valid certificate will yield you a login with matching CN from that CA.
Cheers,
Franco
Not necessarily, I think the key is the require part here - https://redmine.lighttpd.net/projects/lighttpd/wiki/Mod_auth
auth.require = ( "" =>
(
"method" => "extern",
"realm" => "certificate",
"require" => "user=agent007|user=agent008"
)
)
-
Ah, thanks. Missed that part. It appears to hook into the system trust store then?
Cheers,
Franco
-
PS: this lighttpd stuff is pluggable: https://github.com/opnsense/core/blob/master/src/etc/lighttpd_webgui/conf.d/README
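As an added example, not from the thread and not OPNsense's own lighttpd_webgui configuration: a conf.d-style lighttpd fragment that combines the CA trust anchor (the part Franco calls CA-based) with the `require` list (the per-user part). The file paths, the socket, the realm name and the user names are assumptions.

```conf
# Added example (not from the thread or from OPNsense): the CA check and the
# per-user "require" list side by side. Paths and user names are assumed.
server.modules += ( "mod_openssl", "mod_auth" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/path/to/webgui.pem"           # assumed server cert + key

    # Trust anchor: only certificates issued by this CA get past the TLS
    # handshake. This is the CA-based step: every cert chaining to it passes.
    ssl.ca-file = "/path/to/client-ca.crt"        # assumed path
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"          # no valid client cert, no connection
    ssl.verifyclient.depth    = 1                 # issued directly by the CA, no intermediates

    # Hand the certificate's CN to mod_auth as REMOTE_USER.
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

    # Per-user step: a valid cert from the CA whose CN is not listed here
    # is still refused, which is the "require" part discussed above.
    auth.require = ( "/" =>
        (
            "method"  => "extern",
            "realm"   => "certificate",
            "require" => "user=agent007|user=agent008"
        )
    )
}
```

Removing a name from the `require` list blocks that user at the auth step, but the certificate itself still passes the CA check, so a certificate whose key may be compromised should also be revoked (lighttpd accepts a CRL via `ssl.ca-crl-file`).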