While I was having an issue with OpenVPN I found a new problem.
My OpenVPN could not connect. I configured a CRL in the OpenVPN settings. The CRL is empty. No client could connect.
While searching for the problem I generated a certificate just for revocation. While trying to revoke the certificate I got this error:
OPNsense 22.7.3_2-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022
2022-09-03T00:45:35 Error opnsense #5 {main}
2022-09-03T00:45:35 Error opnsense #4 /usr/local/www/system_crlmanager.php(172): cert_revoke(Array, Array, '-1')
2022-09-03T00:45:35 Error opnsense #3 /usr/local/etc/inc/certs.inc(733): crl_update(Array)
2022-09-03T00:45:35 Error opnsense #2 /usr/local/etc/inc/certs.inc(686): phpseclib3\File\X509->validateSignature(false)
2022-09-03T00:45:35 Error opnsense #1 /usr/local/share/phpseclib/File/X509.php(1286): phpseclib3\File\X509->validateSignatureCountable(false, 0)
2022-09-03T00:45:35 Error opnsense #0 /usr/local/share/phpseclib/File/X509.php(1412): phpseclib3\File\X509->validateSignatureHelper('rsaEncryption', '-----BEGIN PUBL...', 'id-RSASSA-PSS', '\x82\xD5\x8D}D\xBB\x87Wh\xE7)\xD2\xB2`X...', '0\x81\x970\v\x06\t*\x86H\x86\xF7\r\x01\x01...')
2022-09-03T00:45:35 Error opnsense Stack trace:
2022-09-03T00:45:35 Error opnsense Cert revocation error: CRL signature invalid phpseclib3\Exception\UnsupportedAlgorithmException: Signature algorithm unsupported in /usr/local/share/phpseclib/File/X509.php:1455
Hi
some regression with the phpseclib3 migration (the phpseclib3 internal validation function is doing strange things with "public key algorithm" vs. "signature algorithm" when validating signatures)
if the matter is urgent I can suggest a temporary workaround for the OPN internal CA's CRLs, but it will not match the final solution (when it appears)
or you can just disable the CRL check temporarily
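The mismatch the stack trace shows (key algorithm 'rsaEncryption', signature algorithm 'id-RSASSA-PSS') can be reproduced outside OPNsense. The following is an added example, not OPNsense or phpseclib code; it assumes the Python `cryptography` package is installed, and the tbsCertList bytes and algorithm names are constructed stand-ins. It contrasts a validator that picks the RSA padding from the key's algorithm (which is always rsaEncryption for a plain RSA key, so PSS is never selected) with one that reads the signatureAlgorithm carried in the CRL itself.

```python
# Added example (not OPNsense or phpseclib code). Assumes `cryptography` is installed.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed sample: a CA key whose SubjectPublicKeyInfo says "rsaEncryption"
# (as every plain RSA key does) and a stand-in tbsCertList signed with RSASSA-PSS.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_PUB = CA_KEY.public_key()
TBS_CERTLIST = b"constructed stand-in for the DER tbsCertList of an empty CRL"
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)
SIGNATURE = CA_KEY.sign(TBS_CERTLIST, PSS, hashes.SHA256())


def padding_for(alg_name: str):
    """Map an algorithm name (constructed labels matching the log) to RSA padding."""
    if alg_name == "id-RSASSA-PSS":
        return PSS
    if alg_name in ("rsaEncryption", "sha256WithRSAEncryption"):
        return padding.PKCS1v15()
    raise ValueError(f"unsupported signature algorithm: {alg_name}")


def _verify(pubkey, pad, sig: bytes, tbs: bytes) -> bool:
    try:
        pubkey.verify(sig, tbs, pad, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def validate_by_key_algorithm(pubkey, key_alg: str, sig: bytes, tbs: bytes) -> bool:
    """Broken dispatch: the padding is chosen from the *key* algorithm, which is
    'rsaEncryption' for any RSA key, so a PSS-signed CRL is rejected."""
    return _verify(pubkey, padding_for(key_alg), sig, tbs)


def validate_by_signature_algorithm(pubkey, sig_alg: str, sig: bytes, tbs: bytes) -> bool:
    """Correct dispatch: the padding is chosen from the CRL's own signatureAlgorithm."""
    return _verify(pubkey, padding_for(sig_alg), sig, tbs)


if __name__ == "__main__":
    print("by key algorithm:      ", validate_by_key_algorithm(CA_PUB, "rsaEncryption", SIGNATURE, TBS_CERTLIST))
    print("by signature algorithm:", validate_by_signature_algorithm(CA_PUB, "id-RSASSA-PSS", SIGNATURE, TBS_CERTLIST))
```

The first call reports False and the second True for the same key and the same signature, which is the shape of the failure in the trace above; a tampered tbsCertList is rejected by both.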