OpenVPN: Allow Nonce Validation to be disabled when using OCSP
Hi,
Here is an implementation for disabling nonce validation, as initially proposed by the author of OCSP validation: https://github.com/opnsense/core/pull/7082#issue-2045378161
Additionally, there might be some more settings that should at least be considered for being made configurable, e.g. nonce usage (https://www.openssl.org/docs/man3.0/man3/OCSP_check_nonce.html)
Validation is done this way, by checking whether the first line is an OK response ($output corresponds to the output lines):
https://github.com/opnsense/core/blob/5eddbce452d36dad8883a785f1f2fa7f42820c6c/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php#L646
In cases where the OCSP responder does not support nonces, a response of this type is returned:
# openssl ocsp -resp_no_certs -timeout 10 -nonce -CAfile $OCSP_CA -issuer $OCSP_CA -url $OCSP_URL -serial 463050772713033790379517141507295683732909432205
WARNING: no nonce in response
Response verify OK
463050772713033790379517141507295683732909432205: good
This Update: Sep 25 14:33:37 2025 GMT
Next Update: Sep 26 02:33:37 2025 GMT
By changing the -nonce parameter to -no_nonce, we get a request that can be parsed correctly
# openssl ocsp -resp_no_certs -timeout 10 -no_nonce -CAfile $OCSP_CA -issuer $OCSP_CA -url $OCSP_URL -serial 463050772713033790379517141507295683732909432205
Response verify OK
463050772713033790379517141507295683732909432205: good
This Update: Sep 25 14:33:42 2025 GMT
Next Update: Sep 26 02:33:42 2025 GMT
I use the OCSP Responder integrated into Vault community (Hashicorp).
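The parsing problem described in the report, as an added example (not OPNsense code, not the reporter's patch): instead of treating the first line of the `openssl ocsp` output as the verdict, the function below looks for the verify line anywhere, treats the nonce warning as fatal only when nonce validation is required, and then reads the status of the requested serial. The responder outputs are constructed from the ones quoted above (the revoked and verify-failure samples are hypothetical); `ocsp_query`, `ocsp_verdict` and the `REQUIRE_NONCE` flag are names chosen for this example. The design choice here is to keep sending `-nonce` even when validation is disabled, so responders that do echo the nonce still get replay protection; the reporter's `-no_nonce` variant is the other option.

```shell
#!/bin/sh
# Added example, not OPNsense code: classify `openssl ocsp` output so that the
# "no nonce" warning is tolerated only when the operator has disabled nonce
# validation. All responder outputs below are constructed for the example.

SERIAL=463050772713033790379517141507295683732909432205

# Constructed: responder that ignores nonces, queried with -nonce (the case in the issue)
OUT_NO_NONCE='WARNING: no nonce in response
Response verify OK
463050772713033790379517141507295683732909432205: good
This Update: Sep 25 14:33:37 2025 GMT
Next Update: Sep 26 02:33:37 2025 GMT'

# Constructed: responder that echoes the nonce (or query sent with -no_nonce)
OUT_CLEAN='Response verify OK
463050772713033790379517141507295683732909432205: good
This Update: Sep 25 14:33:42 2025 GMT
Next Update: Sep 26 02:33:42 2025 GMT'

# Constructed (hypothetical): revoked certificate, response verified fine
OUT_REVOKED='Response verify OK
463050772713033790379517141507295683732909432205: revoked
This Update: Sep 25 14:33:42 2025 GMT
Next Update: Sep 26 02:33:42 2025 GMT'

# Constructed (hypothetical): response signature does not chain to -CAfile;
# the status line is still printed, so it must not be trusted on its own
OUT_BAD_SIG='Response Verify Failure
463050772713033790379517141507295683732909432205: good'

# ocsp_verdict SERIAL REQUIRE_NONCE OUTPUT
# Prints exactly one word: good | revoked | unknown | unverified | nonce-missing | no-status
# Always returns 0; the caller acts on the printed word.
ocsp_verdict() {
    serial=$1
    require_nonce=$2
    output=$3

    # 1. The signature must verify. openssl prints this line after any warning,
    #    so search the whole output instead of looking at line 1 only.
    if ! printf '%s\n' "$output" | grep -qx 'Response verify OK'; then
        echo unverified
        return 0
    fi

    # 2. The warning appears when -nonce was sent and the responder did not
    #    echo it. Fatal only when nonce validation is required.
    if printf '%s\n' "$output" | grep -qx 'WARNING: no nonce in response'; then
        if [ "$require_nonce" = 1 ]; then
            echo nonce-missing
            return 0
        fi
    fi

    # 3. Read the status of the serial we actually asked about.
    status=$(printf '%s\n' "$output" | sed -n "s/^${serial}: //p" | head -n 1)
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *) echo no-status ;;
    esac
}

# ocsp_query CA_FILE URL SERIAL REQUIRE_NONCE
# Same openssl invocation as in the issue, stderr merged so the warning is
# visible to the parser. Needs network access; not exercised in the demo below.
ocsp_query() {
    ca=$1
    url=$2
    serial=$3
    require_nonce=$4
    out=$(openssl ocsp -resp_no_certs -timeout 10 -nonce -CAfile "$ca" \
          -issuer "$ca" -url "$url" -serial "$serial" 2>&1) || true
    ocsp_verdict "$serial" "$require_nonce" "$out"
}

# Stand-alone demo: the same nonce-less response under both settings
for req in 1 0; do
    printf 'REQUIRE_NONCE=%s -> %s\n' "$req" "$(ocsp_verdict "$SERIAL" "$req" "$OUT_NO_NONCE")"
done
```

Only a verdict of `good` should let the connection proceed; `nonce-missing` with `REQUIRE_NONCE=1` is the behaviour the current code effectively has, and `REQUIRE_NONCE=0` is the relaxation the report asks for.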
... initially proposed by the author of OCSP validation
well, technically, that's not completely true, the code originates from https://github.com/opnsense/core/commit/318a1ae322037953eff53d7f77c8172382858ea2 ;)
I don't mind that much adding an advanced option, although I do find it a bit odd they don't implement nonce on their end as apparently it's quite common to require them (https://github.com/hashicorp/vault/issues/29364)
no traction, closing