theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

0.9.8 trusted-cert ignored #184

Open kaytrance opened 1 year ago

kaytrance commented 1 year ago

In the mentioned version the connection attempt fails with the following errors (sensitive info replaced with xxxxx). Then it seems it tries to reconnect, fails again, and it keeps doing that in a loop.

Dec 9 10:58:08 INFO:   Start tunnel.
Dec 9 10:58:08 ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  or add this line to your configuration file:
ERROR:      trusted-cert = b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  Gateway certificate:
ERROR:      subject:
ERROR:          CN=xxxxxxxx
ERROR:      issuer:
ERROR:          C=xxxx
ERROR:          L=xxxx
ERROR:          O=xxxx
ERROR:          CN=xxxx
ERROR:      sha256 digest:
ERROR:          b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO:   Closed connection to gateway.
ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  or add this line to your configuration file:
ERROR:      trusted-cert = b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  Gateway certificate:
ERROR:      subject:
ERROR:          CN=xxxxxxx
ERROR:      issuer:
ERROR:          C=xxxx
ERROR:          L=xxxx
ERROR:          O=xxxx
ERROR:          CN=xxxx
ERROR:      sha256 digest:
ERROR:          b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO:   Could not log out.

Here's an output from ~/.openfortigui/logs/openfortigui.log

Dec 9 11:17:44 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:44 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: active-tab:: 0
Dec 9 11:17:47 openfortiGUI::Debug: start vpn: "VPN" active-tab:: 0
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: Start vpn:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: add logger "/home/user/.openfortigui/main.conf"
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: vpnManager::onClientConnected()
Dec 9 11:17:47 openfortiGUI::Debug: client api helo command:: 0 ::name:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: vpnClientConnection::sendCMD:: "VPN" :: 8
Dec 9 11:17:48 openfortiGUI::Debug: 1670577468816 bytes avail:: 22
Dec 9 11:17:49 openfortiGUI::Debug: 1670577469033 bytes avail:: 1447
Dec 9 11:17:49 openfortiGUI::Debug: certificatefailedrequest from vpnmanager
Dec 9 11:17:49 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:49 openfortiGUI::Debug: client disconnected:: "VPN"
Dec 9 11:17:49 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "VPN" status 0
Dec 9 11:17:49 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "VPN" ::status:: 0
Dec 9 11:17:49 openfortiGUI::Debug: VPN process  "VPN"  error occurred!
Dec 9 11:17:49 openfortiGUI::Debug: VPN process  "VPN"  finished!
Dec 9 11:17:50 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:50 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "VPN"
Dec 9 11:18:23 openfortiGUI::Debug: stop vpn:: 0
Dec 9 11:18:24 openfortiGUI::Debug: stop vpn:: 0

And this is ~/.openfortigui/vpnprofiles/VPN.conf

[cert]
ca_file=
trust_all_gw_certs=true
trusted_cert=b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_cert=
user_key=
verify_cert=false

[options]
always_ask_otp=false
autostart=true
debug=false
half_internet_routers=false
insecure_ssl=false
min_tls=Default
otp_delay=0
otp_prompt=
pppd_call=
pppd_ifname=
pppd_ipparam=
pppd_log_file=
pppd_no_peerdns=true
pppd_plugin_file=
realm=
seclevel1=false
set_dns=true
set_routes=true

[vpn]
device_type=0
gateway_host=xxxxxxx
gateway_port=443
name=VPN
password=xxxxxx
persistent=false
username=xxxxxx

Running openfortivpn with the --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx parameter connects without any issues, so I assume openfortigui somehow does not include the --trusted-cert parameter when connecting.
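The profile above already carries the digest openfortivpn asks for; the open question in this issue is whether the GUI passes it on. The following script, added here as an example and not code from openfortigui or openfortivpn, checks the pin independently of either program: it parses the `[cert]` section of a profile in the layout shown above, rejects a malformed `trusted_cert` value instead of matching it loosely, and compares the pin with the digest of a gateway certificate. It assumes that the digest openfortivpn prints and expects for `trusted-cert` is the SHA-256 of the certificate in DER form written as lower-case hex, and that a profile pins one digest. The sample DER bytes and sample profile at the bottom are constructed for the offline run; `fetch_gateway_der` is the hook for checking a live gateway.

```python
"""Check the gateway-certificate pin in an openfortigui profile offline.

Added example; not code from openfortigui or openfortivpn. Assumptions:
  * the digest openfortivpn prints for --trusted-cert / trusted-cert is the
    SHA-256 of the gateway certificate in DER form, written as lower-case hex;
  * the profile uses the INI layout from the issue: section [cert], key
    trusted_cert, one digest per profile.
"""
import configparser
import hashlib
import hmac
import ssl
from dataclasses import dataclass
from typing import Optional

SHA256_HEX_LEN = 64  # 32-byte digest rendered as hex


def digest_of_der(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_gateway_der(host: str, port: int = 443) -> bytes:
    """Return the certificate the gateway presents, as DER bytes.

    Not called in the offline run. The certificate is fetched without chain
    validation on purpose: the aim is to see what is presented and compare it
    with the pin, which is what the whitelist check in the error output does."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def pinned_digest(profile_text: str) -> Optional[str]:
    """Digest from [cert] trusted_cert, or None if absent or malformed.

    A malformed value (wrong length, non-hex) is treated as "no pin" rather
    than matched loosely, so a typo cannot accidentally accept a certificate."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profile_text)
    value = cp.get("cert", "trusted_cert", fallback="").strip().lower()
    if len(value) != SHA256_HEX_LEN:
        return None
    try:
        bytes.fromhex(value)
    except ValueError:
        return None
    return value


@dataclass
class Verdict:
    presented: str          # digest of the certificate the gateway sent
    pinned: Optional[str]   # digest the profile pins, if any
    accepted: bool
    reason: str


def check_gateway(profile_text: str, gateway_der: bytes) -> Verdict:
    """Decide whether the presented certificate matches the profile's pin."""
    presented = digest_of_der(gateway_der)
    pinned = pinned_digest(profile_text)
    if pinned is None:
        return Verdict(presented, None, False,
                       "no well-formed trusted_cert in profile; pin the presented "
                       "digest only after confirming it out of band")
    if hmac.compare_digest(pinned, presented):
        return Verdict(presented, pinned, True,
                       "gateway certificate matches trusted_cert")
    return Verdict(presented, pinned, False,
                   "digest mismatch: gateway certificate changed (renewal or "
                   "interception) or the profile is stale")


# Constructed sample input, not a real certificate: stands in for DER bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-gateway-certificate-bytes"

# Constructed profile in the issue's layout, pinned to the sample above.
SAMPLE_PROFILE = f"""[cert]
ca_file=
trust_all_gw_certs=true
trusted_cert={digest_of_der(SAMPLE_DER)}
user_cert=
user_key=
verify_cert=false

[vpn]
gateway_host=vpn.example.invalid
gateway_port=443
name=VPN
"""

if __name__ == "__main__":
    for label, der in (("pinned cert", SAMPLE_DER),
                       ("different cert", SAMPLE_DER + b"!")):
        v = check_gateway(SAMPLE_PROFILE, der)
        print(f"{label}: accepted={v.accepted} ({v.reason})")
```

To run it against a real profile, read `~/.openfortigui/vpnprofiles/<name>.conf` into `profile_text` and pass `fetch_gateway_der(gateway_host, gateway_port)` as the certificate; a mismatch means the certificate on the gateway is no longer the one the profile was pinned to, which is worth confirming with whoever runs the Fortigate before updating the pin.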

edmundlaugasson commented 3 months ago

I am already using OpenfortiGUI 0.9.9-3 currently, but the issue still persists.

I can confirm this issue, which also prevents me from connecting. In the OpenfortiGUI log I see:

ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert .....

.... but there is no way to provide that trusted-cert parameter via the GUI. When trying to run openfortigui via the CLI, there is no parameter like --trusted-cert; only openfortivpn has it. Even connecting with Trust all certs does not help.

Actually in the file ~/.openfortigui/vpnprofiles/profilename.conf the parameter trusted_cert= is set with the proper hash, but openfortigui seems to ignore it. I also tested the same cert with openfortivpn at the CLI and it connects properly. Just OpenfortiGUI does not connect.