No VPN connection with CRL enabled after upgrade to 22.7

Started by coolmint, July 30, 2022, 11:51:47 AM

Thanks! At least:
- the certificate is no longer added to the revocation list
- we know the step at which the error occurs

Unfortunately phpseclib does not provide any debugging info (at least I did not find it in the docs) about the reasons for a failed signature verification. Is it possible for you to share the certificates (without private keys) of the CA and the client (perhaps phpseclib does not like one of the fields)? I will try to reproduce.

Thanks!

I did some more tests today - I noticed the following:

If I use the ECDSA algorithm when creating the CA, I cannot revoke any certificates afterwards - the familiar error message appears.

However, if the CA is created with the RSA algorithm, everything works as it should - no errors, I can add certificates to the CRL.

It also doesn't matter how the client certificate was created (RSA or ECDSA) - it depends on how the CA was created.

If I now use the new (RSA generated) CA in the VPN server configuration, the '.crl-verify' file is also filled accordingly and no more errors appear in the OpenVPN log.

The system cannot work with the CA certificate which was generated using the Elliptic Curve Digital Signature Algorithm (ECDSA).


Ah, I think phpseclib > 3.0 supports algorithms other than RSA. OPN uses phpseclib 2.0.37 for now.
https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md#300---2020-12-16
So all we can do now is check the key type and throw an error if it is not RSA?

Yeah, we should be migrating to phpseclib 3 to address this properly.

Thanks to both of you for figuring out the issue. Ticket is welcome.


Cheers,
Franco

@franco got it, thanks!
@coolmint
can you check with
opnsense-patch -a kulikov-a 18e3704
please (with 91e13ae applied)?
Does it add a debug message to the general log for "EC" CA CRLs (RSA should work well)? (Works for me, but it's always good to double check before making a ticket.)
Thanks!

August 09, 2022, 09:19:28 PM #20 Last Edit: August 09, 2022, 09:21:42 PM by coolmint
Jep, you are right - the 'phpseclib' currently installed doesn't support EC.

After applying the latest patch, the general log shows the following:

2022-08-09T21:09:06 Error opnsense Cert revocation error: Only RSA key type currently supported for CRL signing.

Great - thank you for your assistance! :)
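As an added illustration of the key-type guard proposed in this thread (example code written for this page, not OPNsense's or phpseclib's own implementation), the following PHP uses the OpenSSL extension to read the CA certificate's key type and refuses CRL signing for anything but RSA, reusing the wording from the log message above. The function names and the throwaway self-signed CAs are constructed for the example.

```php
<?php
// Added example (not OPNsense or phpseclib code): detect the CA key type before
// attempting CRL signing, since phpseclib 2.0.x only signs CRLs with RSA keys.

function caKeyType(string $caCertPem): string
{
    // openssl_pkey_get_public() accepts a PEM X.509 certificate and returns its public key
    $pub = openssl_pkey_get_public($caCertPem);
    if ($pub === false) {
        throw new RuntimeException('unable to parse CA certificate: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($pub);
    switch ($details['type']) {
        case OPENSSL_KEYTYPE_RSA: return 'RSA';
        case OPENSSL_KEYTYPE_EC:  return 'EC';
        case OPENSSL_KEYTYPE_DSA: return 'DSA';
        case OPENSSL_KEYTYPE_DH:  return 'DH';
        default:                  return 'unknown';
    }
}

function assertCrlSigningSupported(string $caCertPem): void
{
    $type = caKeyType($caCertPem);
    if ($type !== 'RSA') {
        // same wording as the message the patched OPNsense wrote to the general log
        throw new RuntimeException(
            "Cert revocation error: Only RSA key type currently supported for CRL signing (CA key type: $type)."
        );
    }
}

// Constructed sample: generate throwaway self-signed CAs of both types and run the check.
$samples = [
    'RSA' => ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048],
    'EC'  => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'],
];
foreach ($samples as $label => $cfg) {
    $key = openssl_pkey_new($cfg);
    $csr = openssl_csr_new(['commonName' => "test-$label-ca"], $key, $cfg);
    $crt = openssl_csr_sign($csr, null, $key, 365, $cfg);   // null CA => self-signed
    openssl_x509_export($crt, $pem);
    try {
        assertCrlSigningSupported($pem);
        echo "$label CA: CRL signing supported\n";
    } catch (RuntimeException $e) {
        echo "$label CA: " . $e->getMessage() . "\n";
    }
}
```

Run with the PHP CLI and the openssl extension loaded; the RSA CA passes the guard while the EC CA produces the same "Only RSA key type" error seen in the log.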