Messages - WMINTIENS

#1
General Discussion / Re: Stuck on OPNWAF
March 06, 2024, 11:29:30 AM
Hi

Besides the issue with the certificate (see other post), I created a CSR and let it be signed by the FW ICA.

I still get the bad client SSL cert.

I debugged the TLS auth using Openssl & saw this:

Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5732 bytes and written 2107 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
<<< TLS 1.2, RecordHeader [length 0005]
    17 03 03 00 13
<<< TLS 1.3, InnerContent [length 0001]
    15
<<< TLS 1.3, Alert [length 0002], fatal unknown_ca
    02 30
2C6D0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl\record\rec_layer_s3.c:865:SSL alert number 48


Looking forward to comments & help!

Wim
#2
Hi again.

The next test I did was to create a CSR with OpenSSL and let it be signed by the ICA on the FW.

I downloaded the CRT and created a PFX.

I could read the PFX using OpenSSL without a problem.

Wim
#3
Hi out there,

While debugging another issue (Stuck on OPNWAF) I got a strange issue with a client SSL cert that I created in the OPNsense FW.

Under System -> Trust -> Certificates I created a client auth cert that I signed with a Root & ICA that I also created on the FW.

I exported the pub + priv key (P12).

I was debugging the auth using OpenSSL and got the error:

Could not find client certificate private key from .\CLIENT_SSL_WIM.p12
14530000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

So I was interested in the P12 itself:

'C:\Program Files\OpenSSL-Win64\bin\openssl' pkcs12 -in .\CLIENT_SSL_WIM1.p12 -info
Enter Import Password:

MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
8C6E0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()


Is this me, or do we have an issue?

Wim
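The error in the post is OpenSSL 3.x refusing the RC2-40 password-based encryption the P12 was wrapped with: RC2 now lives in the legacy provider, so the default provider cannot decrypt the bundle. As an added example (not from the post and not OPNsense code), this sh script classifies the `openssl pkcs12 -info` output from constructed samples and re-wraps such a bundle with PBES2/AES-256 so it opens without the legacy provider. It assumes OpenSSL 3.x on PATH with the legacy provider loadable, and passwords in the environment variables P12_IN_PASS and P12_OUT_PASS (both names are this example's own choice).

```shell
#!/bin/sh
# Added example: detect legacy PKCS#12 PBE algorithms and re-wrap the bundle.
# Assumes OpenSSL 3.x; passwords come from P12_IN_PASS / P12_OUT_PASS (names
# chosen for this example, not an OpenSSL convention).

# Constructed sample of the `-info` header seen in the post (RC2-40 PBE).
LEGACY_INFO='MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'

# Constructed sample of a PBES2 bundle like the one p12_rewrap produces.
MODERN_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 16
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048'

# p12_pbe_class TEXT: prints "legacy" when a content or key bag is protected
# with RC2 or RC4, which OpenSSL 3.x only serves from the legacy provider;
# otherwise "modern". 3-key Triple DES is still in the default provider, so
# pbeWithSHA1And3-KeyTripleDES-CBC is deliberately not flagged.
p12_pbe_class() {
  if printf '%s\n' "$1" |
     grep -Eiq '^(PKCS7 Encrypted data|Shrouded Keybag):.*(RC2|RC4)'; then
    echo legacy
  else
    echo modern
  fi
}

# p12_check FILE: run -info non-interactively (the report goes to stderr) and
# classify it; the PBE line is printed even when decryption then fails.
p12_check() {
  p12_pbe_class "$(openssl pkcs12 -in "$1" -info -noout \
                     -passin env:P12_IN_PASS 2>&1 || true)"
}

# p12_rewrap IN.p12 OUT.p12: open the legacy bundle with -legacy and stream the
# unencrypted PEM straight into a new export (never written to disk) using
# PBES2 AES-256-CBC for both key and certificates and a SHA-256 MAC.
p12_rewrap() {
  openssl pkcs12 -in "$1" -legacy -nodes -passin env:P12_IN_PASS |
    openssl pkcs12 -export -out "$2" -passout env:P12_OUT_PASS \
      -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}
```

Run `p12_check CLIENT_SSL_WIM.p12` first; only when it reports `legacy` is `p12_rewrap` needed, and the resulting file can be verified with a plain `openssl pkcs12 -info` that no longer needs `-legacy`.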
#4
General Discussion / Re: Stuck on OPNWAF
March 05, 2024, 05:02:47 PM
Gents,

I fixed somehow the firewall rule issue, so far so good.

Now I'm having an issue with the authentication using certificates.

- created in the FW a Root certificate
- created in the FW an intermediate certificate signed by the Root
- created a server certificate for the Virt Server signed by the intermediate
- created a CRL for the intermediate
I exported the above public keys and imported them in my Windows trust store.
- created in the FW a client certificate signed by the intermediate
I exported the P12 client cert (priv + pub key) and installed it in my browser.

In the gateway under Virt Server:
* server cert = the server cert created above
* CA for client auth = intermediate CA
* CRL for client auth = On
* ACME = off

* header sec = default
* TLS security = modern

But!! I now get this issue:
<FQDN> didn't accept your login certificate or a login certificate may not have been provided.
Try contacting your organisation.
ERR_BAD_SSL_CLIENT_AUTH_CERT

When calling the FQDN of the virtual server, Edge asks me to select a client cert in a pop-up; I provide the one I created above and imported.

So what am I doing wrong this time?

Thanks !
#5
General Discussion / Re: Stuck on OPNWAF
March 05, 2024, 08:43:12 AM
Patrick,

I did all this, but this rule is at the bottom, after all the default rules, so it never gets to that rule.
As I mentioned, the 2nd rule is the automatically created rule, deny everything from outside,
and I cannot move the rule before this automatically created rule.

KR Wim
#6
General Discussion / Re: Stuck on OPNWAF
March 05, 2024, 08:15:22 AM
Monviech,

I just tried the following. According to what I understood from your initial feedback, the firewall is blocking incoming requests because it also uses port 443 for its management.

So I changed the port the Virt Server is listening on to 444 and tried from outside the URL https://<my-fqdn>:444, but this also hits the 'block everything from outside' rule.

Thanks for looking into this.

Wim
#7
General Discussion / Re: Stuck on OPNWAF
March 05, 2024, 08:04:29 AM
Monviech,

The issue is that it keeps hitting the following rule: 'default deny / state violation rule'.
This is the 2nd rule in the list and I cannot add a rule before this.

How does your solution help override this?

Thanks for elaborating on it

Wim
#8
General Discussion / Stuck on OPNWAF
February 29, 2024, 04:47:19 PM
Hi out there

I want to protect an internal server using OPNWAF.

So I created a DNS record, i.e. out.mydomain.net.

On the firewall under Web Application I created
- Gateways
>> Virtual server out.mydomain.net port 443
>> defined a certificate (internal) for this
- Locations
>> Path = /
>> Remote dest = https://internal-server:8443
>> virtual = out (above)

- testing: did not work, I saw requests coming in being blocked by the "default deny state violation rule",
so I thought we need an additional rule, but got lost on what to do next.
- a friend told me to just add a port forwarding rule, but I don't get how.

Thanks for looking into this
Wim
#9
Hi,

I've a similar issue on my system too, Insight Aggregator fails:
2021-10-04T07:58:02   /flowd_aggregate.py[11055]   flowd aggregate died with message Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 160, in run
    aggregate_flowd(self.config, do_vacuum)
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 80, in aggregate_flowd
    stream_agg_object.add(copy.copy(flow_record))
  File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 72, in add
    super(FlowInterfaceTotals, self).add(flow)
  File "/usr/local/opnsense/scripts/netflow/lib/aggregates/__init__.py", line 187, in add
    self._update_cur.execute(self._insert_stmt, flow)
sqlite3.DatabaseError: database disk image is malformed
#10
Franco,
I upgraded via SSH option 12 without problems.

Thanks for the help & guidance.

Wim
#11
All,

I just updated my firewall. At the end of the upgrade I got the following message:

Fetching kernel-16.1.14-amd64.txz: ........ done
Fetching base-16.1.14-amd64.txz: .......... done
Fetching base-16.1.14-amd64.obsolete: ... failed

Before starting the update it notified that it was going to reboot; that did not happen.

Please advise.

Regards

Wim
#12
Franco,

Thanks, I just rebooted the system, no problems, works like a charm!

Thanks for the assistance

regards
Wim
#13
Hi Franco,

Thanks for the swift response.

This is what I see on the dashboard:

OPNsense 16.1.13-amd64
FreeBSD 10.2-RELEASE-p14
OpenSSL 1.0.2h 3 May 2016

I presume, as you mentioned, that the FW is upgraded.

I'll do a reboot this evening.

Keep you posted.

Regards

Wim
#14
Hi out there,

This evening I tried to upgrade my firewall to 16.1.13; it stopped and did not continue (i.e. reboot).

Please find below the output from the upgrade & error messages from the log file.

Please advise.

Thanks
Wim

***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (49 candidates): .......... done
Processing candidates (49 candidates): ........ done
The following 38 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   opnsense-lang: 16.1.13
   p7zip: 15.14

Installed packages to be UPGRADED:
   suricata: 3.0_1 -> 3.0.1
   strongswan: 5.3.5_4 -> 5.4.0
   squid: 3.5.15_1 -> 3.5.17
   sqlite3: 3.11.1 -> 3.12.1
   smartmontools: 6.4_1 -> 6.4_2
   python27: 2.7.11_1 -> 2.7.11_2
   py27-Babel: 2.2.0_1 -> 2.3.3
   php56-zlib: 5.6.19 -> 5.6.21
   php56-xml: 5.6.19 -> 5.6.21
   php56-sqlite3: 5.6.19 -> 5.6.21
   php56-sockets: 5.6.19 -> 5.6.21
   php56-simplexml: 5.6.19 -> 5.6.21
   php56-session: 5.6.19 -> 5.6.21
   php56-pdo: 5.6.19 -> 5.6.21
   php56-openssl: 5.6.19 -> 5.6.21
   php56-mcrypt: 5.6.19 -> 5.6.21
   php56-ldap: 5.6.19 -> 5.6.21
   php56-json: 5.6.19 -> 5.6.21
   php56-hash: 5.6.19 -> 5.6.21
   php56-gettext: 5.6.19 -> 5.6.21
   php56-filter: 5.6.19 -> 5.6.21
   php56-dom: 5.6.19 -> 5.6.21
   php56-curl: 5.6.19 -> 5.6.21
   php56-ctype: 5.6.19 -> 5.6.21
   php56: 5.6.19 -> 5.6.21
   perl5: 5.20.3_8 -> 5.20.3_12
   pcre: 8.38 -> 8.38_1
   opnsense-update: 16.1.8 -> 16.1.9_1
   opnsense: 16.1.8 -> 16.1.13
   openvpn: 2.3.10 -> 2.3.10_2
   openssl: 1.0.2_11 -> 1.0.2_12
   ntp: 4.2.8p6 -> 4.2.8p7
   libedit: 3.1.20150325_1 -> 3.1.20150325_2
   curl: 7.47.1 -> 7.48.0_2
   bind910: 9.10.3P4 -> 9.10.4
   apinger: 0.6.1_4 -> 0.6.1_9

The process will require 11 MiB more space.
60 MiB to be downloaded.
Fetching suricata-3.0.1.txz: .......... done
Fetching strongswan-5.4.0.txz: .......... done
Fetching squid-3.5.17.txz: .......... done
Fetching sqlite3-3.12.1.txz: .......... done
Fetching smartmontools-6.4_2.txz: .......... done
Fetching python27-2.7.11_2.txz: .......... done
Fetching py27-Babel-2.3.3.txz: .......... done
Fetching php56-zlib-5.6.21.txz: .. done
Fetching php56-xml-5.6.21.txz: .. done
Fetching php56-sqlite3-5.6.21.txz: .. done
Fetching php56-sockets-5.6.21.txz: .... done
Fetching php56-simplexml-5.6.21.txz: ... done
Fetching php56-session-5.6.21.txz: ... done
Fetching php56-pdo-5.6.21.txz: ..... done
Fetching php56-openssl-5.6.21.txz: ..... done
Fetching php56-mcrypt-5.6.21.txz: .. done
Fetching php56-ldap-5.6.21.txz: .. done
Fetching php56-json-5.6.21.txz: .. done
Fetching php56-hash-5.6.21.txz: .......... done
Fetching php56-gettext-5.6.21.txz: . done
Fetching php56-filter-5.6.21.txz: .. done
Fetching php56-dom-5.6.21.txz: ...... done
Fetching php56-curl-5.6.21.txz: ... done
Fetching php56-ctype-5.6.21.txz: . done
Fetching php56-5.6.21.txz: .......... done
Fetching perl5-5.20.3_12.txz: .......... done
Fetching pcre-8.38_1.txz: .......... done
Fetching opnsense-update-16.1.9_1.txz: ... done
Fetching opnsense-16.1.13.txz: .......... done
Fetching openvpn-2.3.10_2.txz: .......... done
Fetching openssl-1.0.2_12.txz: .......... done
Fetching ntp-4.2.8p7.txz: .......... done
Fetching libedit-3.1.20150325_2.txz: .......... done
Fetching curl-7.48.0_2.txz: .......... done
Fetching bind910-9.10.4.txz: .......... done
Fetching apinger-0.6.1_9.txz: .... done
Fetching opnsense-lang-16.1.13.txz: .......... done
Fetching p7zip-15.14.txz: .......... done
Checking integrity... done (1 conflicting)
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 39 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   opnsense-lang: 16.1.13
   p7zip: 15.14

Installed packages to be UPGRADED:
   openssl: 1.0.2_11 -> 1.0.2_12
   python27: 2.7.11_1 -> 2.7.11_2
   pcre: 8.38 -> 8.38_1
   sqlite3: 3.11.1 -> 3.12.1
   php56: 5.6.19 -> 5.6.21
   perl5: 5.20.3_8 -> 5.20.3_12
   libedit: 3.1.20150325_1 -> 3.1.20150325_2
   curl: 7.47.1 -> 7.48.0_2
   suricata: 3.0_1 -> 3.0.1
   strongswan: 5.3.5_4 -> 5.4.0
   squid: 3.5.15_1 -> 3.5.17
   php56-zlib: 5.6.19 -> 5.6.21
   php56-xml: 5.6.19 -> 5.6.21
   php56-sqlite3: 5.6.19 -> 5.6.21
   php56-sockets: 5.6.19 -> 5.6.21
   php56-simplexml: 5.6.19 -> 5.6.21
   php56-session: 5.6.19 -> 5.6.21
   php56-openssl: 5.6.19 -> 5.6.21
   php56-mcrypt: 5.6.19 -> 5.6.21
   php56-ldap: 5.6.19 -> 5.6.21
   php56-json: 5.6.19 -> 5.6.21
   php56-hash: 5.6.19 -> 5.6.21
   php56-gettext: 5.6.19 -> 5.6.21
   php56-filter: 5.6.19 -> 5.6.21
   php56-dom: 5.6.19 -> 5.6.21
   php56-curl: 5.6.19 -> 5.6.21
   php56-ctype: 5.6.19 -> 5.6.21
   opnsense-update: 16.1.8 -> 16.1.9_1
   openvpn: 2.3.10 -> 2.3.10_2
   ntp: 4.2.8p6 -> 4.2.8p7
   bind910: 9.10.3P4 -> 9.10.4
   apinger: 0.6.1_4 -> 0.6.1_9
   smartmontools: 6.4_1 -> 6.4_2
   py27-Babel: 2.2.0_1 -> 2.3.3
   php56-pdo: 5.6.19 -> 5.6.21

The process will require 12 MiB more space.
[1/39] Upgrading openssl from 1.0.2_11 to 1.0.2_12...
[1/39] Extracting openssl-1.0.2_12: .......... done
[2/39] Upgrading python27 from 2.7.11_1 to 2.7.11_2...
[2/39] Extracting python27-2.7.11_2: .......... done
[3/39] Upgrading pcre from 8.38 to 8.38_1...
[3/39] Extracting pcre-8.38_1: .......... done
[4/39] Upgrading php56 from 5.6.19 to 5.6.21...
[4/39] Extracting php56-5.6.21: .......... done
[5/39] Upgrading sqlite3 from 3.11.1 to 3.12.1...
[5/39] Extracting sqlite3-3.12.1: .......... done
[6/39] Upgrading perl5 from 5.20.3_8 to 5.20.3_12...
[6/39] Extracting perl5-5.20.3_12: .......... done
[7/39] Upgrading libedit from 3.1.20150325_1 to 3.1.20150325_2...
[7/39] Extracting libedit-3.1.20150325_2: .......... done
[8/39] Upgrading php56-session from 5.6.19 to 5.6.21...
[8/39] Extracting php56-session-5.6.21: ......... done
[9/39] Upgrading php56-hash from 5.6.19 to 5.6.21...
[9/39] Extracting php56-hash-5.6.21: .......... done
[10/39] Upgrading php56-pdo from 5.6.19 to 5.6.21...
[10/39] Extracting php56-pdo-5.6.21: ......... done
[11/39] Upgrading curl from 7.47.1 to 7.48.0_2...
[11/39] Extracting curl-7.48.0_2: .......... done
[12/39] Deinstalling opnsense-16.1.8...
Resetting root shell
-----------------------------------
log file
_______________________

May 8 21:32:18    lighttpd[40012]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 8 21:32:18    lighttpd[40012]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 8 21:32:07    kernel: em1: promiscuous mode enabled
May 8 21:31:19    configd.py: generate template container OPNsense.Syslog
May 8 21:31:19    configd.py: generate template container OPNsense.Sample.sub2
May 8 21:31:19    configd.py: generate template container OPNsense.Sample.sub1
May 8 21:31:19    configd.py: generate template container OPNsense.Sample
May 8 21:31:19    lighttpd[40012]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 8 21:31:19    lighttpd[40012]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 8 21:31:16    configd.py: generate template container OPNsense.Proxy
May 8 21:31:16    configd.py: generate template container OPNsense.Macros
May 8 21:31:15    configd.py: generate template container OPNsense.IPFW
May 8 21:31:14    configd.py: generate template container OPNsense.IDS
May 8 21:31:14    configd.py: generate template container OPNsense.Cron
May 8 21:31:13    configd.py: generate template container OPNsense.Captiveportal
May 8 21:31:13    configd.py: generate template container OPNsense
May 8 21:31:12    configd.py: [2c49bdad-1593-4ee5-a7a5-0a29a3950bb2] generate template *
May 8 21:31:12    kernel: done.
May 8 21:31:12    configd.py: generate template container OPNsense.Syslog
May 8 21:31:11    configd.py: [45974c25-410e-4f02-bfb4-f3184b5ecbf8] generate template OPNsense.Syslog
May 8 21:31:11    kernel: done.
May 8 21:31:11    opnsense: /usr/local/etc/rc.bootup: miniupnpd: Starting service on interface: lan
May 8 21:31:11    kernel: done.
May 8 21:31:11    opnsense: /usr/local/etc/rc.bootup: Creating rrd update script