OpenVPN stopped working after upgrade to 22.7.3_2 (CRL cannot be loaded)

Started by Horstinator, September 02, 2022, 07:47:15 PM

Hi,

I just upgraded to 22.7.3_2 and my OpenVPN server stopped working.

On startup of the VPN server I see the following error in the log (entries reordered here so the stack trace reads top-down, as PHP prints it):
2022-09-01T22:01:21 Error php Cert revocation error: CRL signature invalid phpseclib3\Exception\UnsupportedAlgorithmException: Signature algorithm unsupported in /usr/local/share/phpseclib/File/X509.php:1455
2022-09-01T22:01:21 Error php Stack trace:
2022-09-01T22:01:21 Error php #0 /usr/local/share/phpseclib/File/X509.php(1412): phpseclib3\File\X509->validateSignatureHelper('rsaEncryption', '-----BEGIN PUBL...', 'id-RSASSA-PSS', '\xA3\xD4\x07\xCA\xCBX\f@\x7F\xD8j\xE19\x90m...', '0\x81\xC60\v\x06\t*\x86H\x86\xF7\r\x01\x01...')
2022-09-01T22:01:21 Error php #1 /usr/local/share/phpseclib/File/X509.php(1286): phpseclib3\File\X509->validateSignatureCountable(false, 0)
2022-09-01T22:01:21 Error php #2 /usr/local/etc/inc/certs.inc(686): phpseclib3\File\X509->validateSignature(false)
2022-09-01T22:01:21 Error php #3 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(834): crl_update(Array)
2022-09-01T22:01:21 Error php #4 /usr/local/etc/inc/plugins.inc.d/openvpn.inc(1153): openvpn_reconfigure('server', Array, false)
2022-09-01T22:01:21 Error php #5 /usr/local/etc/inc/plugins.inc(288): openvpn_configure_do(false, 'wan')
2022-09-01T22:01:21 Error php #6 /usr/local/etc/rc.newwanip(170): plugins_configure('vpn', false, Array)
2022-09-01T22:01:21 Error php #7 {main}


The CRL cannot be loaded anymore, and therefore all incoming sessions are denied.

The VPN worked fine on the last patch.


I can confirm this issue.

Since my CRL is currently empty, I managed to work around the problem by disabling the CRL in the OpenVPN server setup.


Hi I am seeing the same thing here

The upgrade to 22.7 worked fine; after the upgrade to the latest version a few minutes ago, OpenVPN client access stopped working :-[

OpenVPN site-to-site seems to be fine though.. :)

I would expect this https://github.com/opnsense/core/commit/9606957ef84370f6a537b35de4fab9906d7f5620 fixes the issue. There likely is also a bug in the upstream phpseclib package, but changing the defaults back to how they were in version 2 should work around signature padding issues with their new defaults.

Best regards,

Ad
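The trace in the first post shows the mismatch Ad is describing: the CA key is plain rsaEncryption, but the CRL's signatureAlgorithm is id-RSASSA-PSS (the PSS padding phpseclib 3 uses by default), which the verifier then rejects as unsupported. The script below is an added example for checking a CRL on the firewall, not OPNsense or phpseclib code. It walks the outer DER structure of a CertificateList (RFC 5280) with the Python standard library only and reports the signature algorithm OID and whether it carries parameters; the `build_sample_crl` helper constructs dummy CRLs (placeholder tbsCertList and signature, only the AlgorithmIdentifier is realistic) so it runs offline, and the file path argument is whatever CRL file your OpenVPN server instance loads.

```python
"""Report which signature algorithm an X.509 CRL carries.  Added example,
not OPNsense or phpseclib code; standard library only.

RFC 5280:  CertificateList ::= SEQUENCE {
    tbsCertList        SEQUENCE { ... },
    signatureAlgorithm SEQUENCE { OID, parameters OPTIONAL },
    signatureValue     BIT STRING }
"""
import base64
import sys

SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # PKCS#1 v1.5 padding, NULL params
RSASSA_PSS = "1.2.840.113549.1.1.10"        # PSS padding, params carry hash/MGF/salt
NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption (PKCS#1 v1.5)",
    SHA256_WITH_RSA: "sha256WithRSAEncryption (PKCS#1 v1.5)",
    RSASSA_PSS: "id-RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def crl_signature_algorithm(data):
    """Return (oid, has_parameters) of the outer signatureAlgorithm of a CRL
    given as DER or PEM bytes.  A NULL parameter (05 00) counts as none."""
    if data.startswith(b"-----"):                       # PEM: strip armour, base64-decode
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    tag, outer, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(outer, 0)                  # skip tbsCertList
    tag, alg, _ = _read_tlv(outer, pos)                 # signatureAlgorithm
    tag_oid, oid_bytes, pos = _read_tlv(alg, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    has_params = pos < len(alg) and alg[pos] != 0x05
    return _decode_oid(oid_bytes), has_params


def describe(data):
    oid, _ = crl_signature_algorithm(data)
    text = NAMES.get(oid, oid)
    if oid == RSASSA_PSS:
        text += " -- the verifier must support PSS (the phpseclib path in the trace above did not)"
    return text


# --- constructed sample CRLs so the script runs offline (NOT real CRLs) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = bytes([a & 0x7F]), a >> 7
        while a:
            chunk, a = bytes([0x80 | (a & 0x7F)]) + chunk, a >> 7
        out += chunk
    return out


_SHA256_ALG = _der(0x30, _der(0x06, _encode_oid("2.16.840.1.101.3.4.2.1")))
# RFC 4055 RSASSA-PSS-params: hashAlgorithm [0], maskGenAlgorithm [1] (MGF1/SHA-256), saltLength [2]
PSS_SHA256_PARAMS = _der(0x30,
    _der(0xA0, _SHA256_ALG)
    + _der(0xA1, _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.8")) + _SHA256_ALG))
    + _der(0xA2, _der(0x02, b"\x20")))


def build_sample_crl(sig_oid, params=b""):
    """Dummy CertificateList: only the AlgorithmIdentifier fields are meaningful."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + params)
    tbs = _der(0x30, _der(0x02, b"\x01") + alg_id)     # version v2 + signature; rest omitted
    sig = _der(0x03, b"\x00" + b"\x00" * 256)          # placeholder 2048-bit signature
    return _der(0x30, tbs + alg_id + sig)


def to_pem(der):
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                               # a real CRL file, DER or PEM
        print(describe(open(sys.argv[1], "rb").read()))
    else:
        print("PKCS#1 v1.5 sample:", describe(build_sample_crl(SHA256_WITH_RSA, b"\x05\x00")))
        print("PSS sample:        ", describe(to_pem(build_sample_crl(RSASSA_PSS, PSS_SHA256_PARAMS))))
```

Run it as `python3 crl_sigalg.py <crl file>`; if it reports id-RSASSA-PSS for a CRL whose CA certificate carries a plain rsaEncryption key, that is the situation the trace above fails on, and regenerating the CRL after the fix (or as a stop-gap, disabling an empty CRL, as the posts above describe) is the way out.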

Will be issuing 22.7.4 by Wednesday to address the CRL/phpseclib 3 situation further.


Cheers,
Franco

Hi!

In the new version, the error only seems to have an effect on OpenVPN if the CRL list is empty during the update. As soon as even one certificate is included in the blacklist, the update can be carried out successfully and OpenVPN works (although the above error is still displayed in the log).

Michael

Hi all,

the issue reappeared for me in OPNsense version 22.7.6, after it had been fixed in previous releases.
For me, openvpn with an empty CRL stopped working again. After disabling the CRL, it functions as expected.

Best,
J.

Same here after upgrading from 22.7.4 to 22.7.6.
OpenVPN with an empty CRL list does not connect anymore.
Works fine after deleting and recreating the CRL list.

Coincidentally this is mentioned in the 22.7.6 release notes in full.


Cheers,
Franco