Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Certificate Revocation fails
« previous
next »
Print
Pages: [
1
]
Author
Topic: Certificate Revocation fails (Read 1011 times)
seed
Full Member
Posts: 174
Karma: 12
Certificate Revocation fails
«
on:
September 03, 2022, 12:49:45 am »
While i was having an issue with OpenVPN i found a new Problem.
My OpenVPN could not connect. I Configured a CRL in the openvpn settings. The CRL is empty. No client could connect.
While searching for the problem I generated a certificate just for revocation. While trying to revoke the certificate i got this error:
OPNsense 22.7.3_2-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022
2022-09-03T00:45:35 Error opnsense #5 {main}
2022-09-03T00:45:35 Error opnsense #4 /usr/local/www/system_crlmanager.php(172): cert_revoke(Array, Array, '-1')
2022-09-03T00:45:35 Error opnsense #3 /usr/local/etc/inc/certs.inc(733): crl_update(Array)
2022-09-03T00:45:35 Error opnsense #2 /usr/local/etc/inc/certs.inc(686): phpseclib3\File\X509->validateSignature(false)
2022-09-03T00:45:35 Error opnsense #1 /usr/local/share/phpseclib/File/X509.php(1286): phpseclib3\File\X509->validateSignatureCountable(false, 0)
2022-09-03T00:45:35 Error opnsense #0 /usr/local/share/phpseclib/File/X509.php(1412): phpseclib3\File\X509->validateSignatureHelper('rsaEncryption', '-----BEGIN PUBL...', 'id-RSASSA-PSS', '\x82\xD5\x8D}D\xBB\x87Wh\xE7)\xD2\xB2`X...', '0\x81\x970\v\x06\t*\x86H\x86\xF7\r\x01\x01...')
2022-09-03T00:45:35 Error opnsense Stack trace:
2022-09-03T00:45:35 Error opnsense Cert revocation error: CRL signature invalid phpseclib3\Exception\UnsupportedAlgorithmException: Signature algorithm unsupported in /usr/local/share/phpseclib/File/X509.php:1455
Logged
i want all services to run with wirespeed and therefore run this dedicated hardware configuration:
AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance
private user, no business use
Fright
Hero Member
Posts: 1777
Karma: 164
Re: Certificate Revocation fails
«
Reply #1 on:
September 03, 2022, 07:21:16 am »
Hi
some regression with phpseclib3 migration (phpseclib3 internal validation function doing strange things with "public key algorithm" vs. "signature algorithm" when validating signatures)
if the matter is urgent I can suggest a temporary workaround for the OPN internal CA's CRLs. but it will not match the final solution (when it appears)
or you can just disable crl check temporary
«
Last Edit: September 04, 2022, 05:51:08 pm by Fright
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Certificate Revocation fails