OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Horstinator on September 02, 2022, 07:47:15 pm

Title: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: Horstinator on September 02, 2022, 07:47:15 pm
Hi,

I just upgraded to 22.7.3_2 and my OpenVPN server stopped working.

On startup of the vpn server I see the following error in the log:
Code:
2022-09-01T22:01:21 Error php #7 {main}
2022-09-01T22:01:21 Error php #6 /usr/local/etc/rc.newwanip(170): plugins_configure('vpn', false, Array)
2022-09-01T22:01:21 Error php #5 /usr/local/etc/inc/plugins.inc(288): openvpn_configure_do(false, 'wan')
2022-09-01T22:01:21 Error php #4 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(1153): openvpn_reconfigure('server', Array, false)
2022-09-01T22:01:21 Error php #3 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(834): crl_update(Array)
2022-09-01T22:01:21 Error php #2 /usr/local/etc/inc/certs.inc(686): phpseclib3\File\X509->validateSignature(false)
2022-09-01T22:01:21 Error php #1 /usr/local/share/phpseclib/File/X509.php(1286): phpseclib3\File\X509->validateSignatureCountable(false, 0)
2022-09-01T22:01:21 Error php #0 /usr/local/share/phpseclib/File/X509.php(1412): phpseclib3\File\X509->validateSignatureHelper('rsaEncryption', '-----BEGIN PUBL...', 'id-RSASSA-PSS', '\xA3\xD4\x07\xCA\xCBX\f@\x7F\xD8j\xE19\x90m...', '0\x81\xC60\v\x06\t*\x86H\x86\xF7\r\x01\x01...')
2022-09-01T22:01:21 Error php Stack trace:
2022-09-01T22:01:21 Error php Cert revocation error: CRL signature invalid phpseclib3\Exception\UnsupportedAlgorithmException: Signature algorithm unsupported in /usr/local/share/phpseclib/File/X509.php:1455

The CRL cannot be loaded anymore and therefore any incoming sessions get denied.

The VPN worked fine on the last patch.

Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: jaywalker on September 03, 2022, 12:57:57 pm
I can confirm this issue.

Since my CRL is currently empty, I managed to work around the problem by disabling the CRL in the OpenVPN server setup.
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: sbellon on September 03, 2022, 03:29:43 pm
Most likely the same issue as on pfsense: https://redmine.pfsense.org/issues/13424 ?
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: His.Dudeness on September 05, 2022, 12:16:40 pm
Hi I am seeing the same thing here

Upgrade to 22.7 worked fine, after the upgrade to the latest version a few minutes ago openvpn client access stopped working :-[

OpenVPN site-to-site seems to be fine though.. :)
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: AdSchellevis on September 05, 2022, 09:46:16 pm
I would expect this https://github.com/opnsense/core/commit/9606957ef84370f6a537b35de4fab9906d7f5620 fixes the issue. There likely is also a bug in the upstream phpseclib package, but changing the defaults back to how they were in version 2 should work around signature padding issues with their new defaults.

Best regards,

Ad
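The pairing that the stack trace above shows being rejected, a CRL signed with id-RSASSA-PSS checked against a plain rsaEncryption key, can be spotted before OpenVPN is restarted by reading the CRL's signature AlgorithmIdentifier. The Python below is an added example and not code from OPNsense or phpseclib: a minimal stdlib DER parser, two CRLs constructed in the file itself with placeholder (not valid) signature bytes, and a `verifier_accepts` function that is an assumed model of a PKCS#1 v1.5-only validator, mirroring only the combination the trace rejects rather than phpseclib's actual decision table.

```python
"""Added example (not OPNsense or phpseclib code): pull the signature
AlgorithmIdentifier out of a DER-encoded X.509 CRL and flag the pairing
from the stack trace (id-RSASSA-PSS signature, rsaEncryption key).
Both CRLs are constructed below with placeholder signature bytes."""

# OIDs from RFC 4055 / RFC 8017 / RFC 5280
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
MGF1 = "1.2.840.113549.1.1.8"
RSASSA_PSS = "1.2.840.113549.1.1.10"
SHA256 = "2.16.840.1.101.3.4.2.1"
PKCS1_V15_SIGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
NAMES = {RSASSA_PSS: "id-RSASSA-PSS", RSA_ENCRYPTION: "rsaEncryption", **PKCS1_V15_SIGS}

# --- minimal DER encoder (used only to construct the sample CRLs) ----------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

# --- minimal DER decoder ----------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def alg_oid(alg_body):
    tag, body, _ = read_tlv(alg_body)          # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(body)

# --- constructed sample CRLs (signature bytes are placeholders) ------------
def alg_pkcs1v15():
    return seq(oid("1.2.840.113549.1.1.11"), b"\x05\x00")   # sha256WithRSA, NULL params

def alg_pss():
    hash_alg = seq(oid(SHA256), b"\x05\x00")
    params = seq(tlv(0xA0, hash_alg),                       # [0] hashAlgorithm
                 tlv(0xA1, seq(oid(MGF1), hash_alg)),       # [1] maskGenAlgorithm
                 tlv(0xA2, tlv(0x02, b"\x20")))             # [2] saltLength = 32
    return seq(oid(RSASSA_PSS), params)

def revoked_entry(serial):
    return seq(tlv(0x02, bytes([serial])), tlv(0x17, b"220815120000Z"))

def build_crl(sig_alg, revoked=()):
    issuer = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"Example OpenVPN CA"))))
    tbs = [tlv(0x02, b"\x01"), sig_alg, issuer, tlv(0x17, b"220901220000Z"),
           tlv(0x17, b"221001220000Z")]
    if revoked:
        tbs.append(seq(*revoked))
    placeholder_sig = tlv(0x03, b"\x00" + b"\xA3\xD4\x07\xCA" * 4)  # not a real signature
    return seq(seq(*tbs), sig_alg, placeholder_sig)

CRL_PKCS1 = build_crl(alg_pkcs1v15())
CRL_PSS_EMPTY = build_crl(alg_pss())
CRL_PSS_ONE = build_crl(alg_pss(), revoked=[revoked_entry(0x10)])

# --- the check --------------------------------------------------------------
def count_revoked(tbs):
    """Entries in revokedCertificates: the first SEQUENCE after the Time fields."""
    pos, seen_time = 0, False
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            seen_time = True
        elif seen_time and tag == 0x30:
            n, p = 0, 0
            while p < len(body):
                _, _, p = read_tlv(body, p)
                n += 1
            return n
    return 0

def inspect_crl(der):
    """Inner (tbsCertList.signature) and outer (signatureAlgorithm) OIDs; RFC 5280
    requires them to match, so a mismatch is itself a reason to reject."""
    _, cert_list, _ = read_tlv(der)
    _, tbs, pos = read_tlv(cert_list)
    _, outer_alg, _ = read_tlv(cert_list, pos)
    tag, body, pos = read_tlv(tbs)
    if tag == 0x02:                             # optional version comes first
        _, body, _ = read_tlv(tbs, pos)
    inner, outer = alg_oid(body), alg_oid(outer_alg)
    return {"inner": inner, "outer": outer, "name": NAMES.get(outer, outer),
            "consistent": inner == outer, "revoked": count_revoked(tbs)}

def verifier_accepts(sig_oid, key_oid):
    """Assumed model of a PKCS#1 v1.5-only validator: an rsaEncryption key checks
    the shaNWithRSAEncryption family and nothing else (so id-RSASSA-PSS fails)."""
    return key_oid == RSA_ENCRYPTION and sig_oid in PKCS1_V15_SIGS

def check_crl(der, key_oid=RSA_ENCRYPTION):
    info = inspect_crl(der)
    if not info["consistent"]:
        return False, "inner/outer signature algorithm mismatch"
    if not verifier_accepts(info["outer"], key_oid):
        return False, "%s signature cannot be checked with a %s key" % (info["name"], NAMES[key_oid])
    return True, "%s signature, %d revoked entries" % (info["name"], info["revoked"])

if __name__ == "__main__":
    for label, der in (("pkcs1", CRL_PKCS1), ("pss-empty", CRL_PSS_EMPTY), ("pss-one", CRL_PSS_ONE)):
        print(label, check_crl(der))
```

On a firewall the same field is visible with `openssl crl -in <file> -noout -text`, where the `Signature Algorithm` line reads `rsassaPss` (followed by the hash, MGF and salt parameters) for a PSS-signed CRL and `sha256WithRSAEncryption` for a PKCS#1 v1.5 one; `inspect_crl` also reports the revoked-entry count, since the thread's reports single out CRLs that are empty.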
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: franco on September 05, 2022, 10:16:59 pm
Will be issuing 22.7.4 until Wednesday to address the CRL/phpseclib 3 situation further.


Cheers,
Franco
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: m8ichael on September 06, 2022, 08:31:41 am
Hi!

In the new version, the error only seems to have an effect on OpenVPN if the CRL list is empty during the update. As soon as even one certificate is included in the blacklist, the update can be carried out successfully and OpenVPN works (although the above error is still displayed in the log).

Michael
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: jaywalker on November 01, 2022, 09:52:45 am
Hi all,

the issue reappeared for me in Opnsense version 22.7.6, after it had been fixed in previous releases.
For me, openvpn with an empty CRL stopped working again. After disabling the CRL, it functions as expected.

Best,
J.
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: juere on November 03, 2022, 06:35:59 pm
Same here after upgrading from 22.7.4 to 22.7.6.
OpenVPN with an empty CRL list does not connect anymore.
Works fine after deleting and recreating the CRL list.
Title: Re: OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)
Post by: franco on November 03, 2022, 06:58:06 pm
Coincidentally this is mentioned in the 22.7.6 release notes in full.


Cheers,
Franco