Upgrade, lost webgui and MinProtocol (DTLS)

Started by GreenMatter, July 17, 2026, 07:31:38 PM

Previous topic - Next topic
After upgrading to 26.7 I lost an access to webgui (https) and pkg stopped working correctly. I think I've found reason for this issue but not a root cause. Anyway, as long as in System - Trust - Settings - MinProtocol (DTLS) is set to "DTLSv1.1" webgui and pkg doesn't work... After changing it (had to switch webgui to http) to None or DTLSv1 all works again!
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

In general DTLS is for UDP, not HTTPS.  Might also be the KTLS thing, but the behaviour seems to be at least two different scenarios: one for server responses and one for client requests.


Cheers,
Franco

I also lost WEB GUI access on upgrade, or at least it was intermittently inaccesable for long periods of time.  This fixed it for me:

https://forum.opnsense.org/index.php?topic=52409.0
MinisForum MS-01 2 x i225-v 2 x X710 10 SFP+ (Core i5-12600H * 64GB * 1T SSD) Proxmox
Xfinity Gigabit (1.2G Down * 200M Up)

Hi..
I lost also die WEB Gui, but only via external access to the interface.
I can access the GUI without any issues via WireGuard.
Before the upgrade, accessing it via the Sense's external hostname also worked.
External login is still possible. However, the menu is jumbled, and most menu items are empty.
The character set, for instance, is also different compared to the VPN login.

Doing this and clearing the cache fixes the problem for me, too.

QuoteQuote from: mrpink on July 15, 2026, 11:51:42 PM
# sysctl kern.ipc.tls.enable=0
# configctl webgui restart

I know DTLS applies to UDP but this settings affects openssl (upgraded) package as pkg also didn't work properly:
# pkg update
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Error updating repositories!

And once I set DTLS to v1 all came back to normal....


OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

Without more debug output this won't resolve easily so let's try this when it's not working:

# fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
# curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg


Cheers,
Franco

Quote from: franco on Today at 09:03:19 AMWithout more debug output this won't resolve easily so let's try this when it's not working:

# fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
# curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg

So, with DTLS set to "1" all works:

root@bkp-OPNsense:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
root@bkp-OPNsense:~ # fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
resolving server address: pkg.opnsense.org:443
SSL options: 82004850
Peer verification enabled
Using OpenSSL default CA cert file and path
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=pkg.opnsense.org
Certificate issuer: /C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
requesting https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
remote size / mtime: 322185 / 1784295958
data.pkg                                               314 kB 3342 kBps    00s
root@bkp-OPNsense:~ #  curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
13:31:42.013785 [0-0] * [HTTPS-CONNECT] added
13:31:42.014044 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 0 socks
13:31:42.018466 [0-0] * [HTTPS-CONNECT] connect, init
13:31:42.018557 [0-0] * [HTTPS-CONNECT] 1st attempt uses h2 from wanted versions
13:31:42.018574 [0-0] * [SETUP] happy eyeballing to origin pkg.opnsense.org:443
13:31:42.018622 [0-0] *   Trying [2001:1af8:5300:a010:1::1]:443...
13:31:42.018826 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.018851 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:31:42.019480 [0-0] * Host pkg.opnsense.org:443 was resolved.
13:31:42.019526 [0-0] * IPv6: 2001:1af8:5300:a010:1::1
13:31:42.019549 [0-0] * IPv4: 89.149.222.99
13:31:42.019569 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.019586 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:31:42.221458 [0-0] *   Trying 89.149.222.99:443...
13:31:42.221591 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.221616 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 2 socks
13:31:42.245167 [0-0] * [SETUP] added SSL filter for origin
13:31:42.247120 [0-0] * ALPN: curl offers h2,http/1.1
13:31:42.247481 [0-0] } [5 bytes data]
13:31:42.247532 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
13:31:42.247546 [0-0] } [1562 bytes data]
13:31:42.247628 [0-0] * SSL Trust Anchors:
13:31:42.247649 [0-0] *   CApath: /etc/ssl/certs
13:31:42.247672 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.247693 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:31:42.274063 [0-0] { [5 bytes data]
13:31:42.274120 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
13:31:42.274134 [0-0] { [122 bytes data]
13:31:42.274561 [0-0] * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
13:31:42.274584 [0-0] { [1 bytes data]
13:31:42.274619 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
13:31:42.274632 [0-0] { [25 bytes data]
13:31:42.274670 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
13:31:42.274683 [0-0] { [3550 bytes data]
13:31:42.276081 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
13:31:42.276102 [0-0] { [264 bytes data]
13:31:42.276254 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
13:31:42.276283 [0-0] { [52 bytes data]
13:31:42.276354 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
13:31:42.276372 [0-0] } [1 bytes data]
13:31:42.276425 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
13:31:42.276438 [0-0] } [52 bytes data]
13:31:42.276537 [0-0] * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
13:31:42.276561 [0-0] * ALPN: server accepted http/1.1
13:31:42.276578 [0-0] * Server certificate:
13:31:42.276598 [0-0] *   subject: CN=pkg.opnsense.org
13:31:42.276615 [0-0] *   start date: Jan 20 00:00:00 2026 GMT
13:31:42.276628 [0-0] *   expire date: Jan 20 23:59:59 2027 GMT
13:31:42.276648 [0-0] *   issuer: C=AT; O=ZeroSSL; CN=ZeroSSL RSA Domain Secure Site CA
13:31:42.276673 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
13:31:42.276688 [0-0] *   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
13:31:42.276701 [0-0] *   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
13:31:42.276722 [0-0] *   subjectAltName: "pkg.opnsense.org" matches cert's "pkg.opnsense.org"
13:31:42.276736 [0-0] * OpenSSL verify result: 0
13:31:42.276748 [0-0] * SSL certificate verified via OpenSSL.
13:31:42.276763 [0-0] * [SETUP] query ALPN
13:31:42.276776 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
13:31:42.276801 [0-0] * Established connection to pkg.opnsense.org (89.149.222.99 port 443) from 172.16.99.4 port 56453
13:31:42.276814 [0-0] * [HTTPS-CONNECT] removing connected setup filter
13:31:42.276826 [0-0] * [HTTPS-CONNECT] destroy
13:31:42.276838 [0-0] * [SETUP] removing connected setup filter
13:31:42.276850 [0-0] * [SETUP] destroy
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              013:31:42.276976 [0-0] * using HTTP/1.x
13:31:42.277008 [0-0] } [5 bytes data]
13:31:42.277056 [0-0] > GET /FreeBSD:15:amd64/snapshots/latest/data.pkg HTTP/1.1
13:31:42.277056 [0-0] > Host: pkg.opnsense.org
13:31:42.277056 [0-0] > User-Agent: curl/8.21.0
13:31:42.277056 [0-0] > Accept: */*
13:31:42.277056 [0-0] >
13:31:42.277116 [0-0] * Request completely sent off
13:31:42.300220 [0-0] { [5 bytes data]
13:31:42.300296 [0-0] * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
13:31:42.300310 [0-0] { [297 bytes data]
13:31:42.300416 [0-0] * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
13:31:42.300433 [0-0] { [297 bytes data]
13:31:42.301188 [0-0] < HTTP/1.1 200 OK
13:31:42.301216 [0-0] < Date: Sat, 18 Jul 2026 11:36:47 GMT
13:31:42.301230 [0-0] < Server: Apache
13:31:42.301242 [0-0] < Last-Modified: Fri, 17 Jul 2026 13:45:58 GMT
13:31:42.301255 [0-0] < ETag: "4ea89-656cec6c03180"
13:31:42.301280 [0-0] < Accept-Ranges: bytes
13:31:42.301293 [0-0] < Content-Length: 322185
13:31:42.301306 [0-0] < Content-Type: application/vnd.apple.installer+xml
13:31:42.301320 [0-0] <
13:31:42.301333 [0-0] { [7948 bytes data]
100 314.6k 100 314.6k   0      0 825.4k      0                              0
13:31:42.394953 [0-0] * Connection #0 to host pkg.opnsense.org:443 left intact



And after having it changed to "1.1"

root@bkp-OPNsense:~ # pkg update
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Error updating repositories!
root@bkp-OPNsense:~ # fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
resolving server address: pkg.opnsense.org:443
SSL context creation failed
1050062A474C0000:error:0A000180:SSL routines:SSL_CONF_cmd:bad value:/usr/src/crypto/openssl/ssl/ssl_conf.c:995:cmd=MinProtocol, value=DTLSv1.1
1050062A474C0000:error:0A0001A3:SSL routines:SSL_CTX_new_ex:error in system default config:/usr/src/crypto/openssl/ssl/ssl_lib.c:4274:
fetch: https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg: Authentication error
root@bkp-OPNsense:~ # curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
13:32:54.264461 [0-0] * [HTTPS-CONNECT] added
13:32:54.264665 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 0 socks
13:32:54.265958 [0-0] * Host pkg.opnsense.org:443 was resolved.
13:32:54.265987 [0-0] * IPv6: 2001:1af8:5300:a010:1::1
13:32:54.266003 [0-0] * IPv4: 89.149.222.99
13:32:54.266015 [0-0] * [HTTPS-CONNECT] connect, init
13:32:54.266026 [0-0] * [HTTPS-CONNECT] 1st attempt uses h2 from wanted versions
13:32:54.266043 [0-0] * [SETUP] happy eyeballing to origin pkg.opnsense.org:443
13:32:54.266068 [0-0] *   Trying [2001:1af8:5300:a010:1::1]:443...
13:32:54.266248 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:32:54.266284 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:32:54.266305 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:32:54.266318 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:32:54.474497 [0-0] *   Trying 89.149.222.99:443...
13:32:54.474649 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:32:54.474678 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 2 socks
13:32:54.498280 [0-0] * [SETUP] added SSL filter for origin
13:32:54.500281 [0-0] * SSL: could not create a context: error:0A000180:SSL routines::bad value
13:32:54.500308 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
13:32:54.500321 [0-0] * [HTTPS-CONNECT] connect -> 27, done=0
13:32:54.500346 [0-0] * closing connection #0
curl: (27) SSL: could not create a context: error:0A000180:SSL routines::bad value








OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

There it is then:

SSL context creation failed
1050062A474C0000:error:0A000180:SSL routines:SSL_CONF_cmd:bad value:/usr/src/crypto/openssl/ssl/ssl_conf.c:995:cmd=MinProtocol, value=DTLSv1.1
1050062A474C0000:error:0A0001A3:SSL routines:SSL_CTX_new_ex:error in system default config:/usr/src/crypto/openssl/ssl/ssl_lib.c:4274:

And from https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security

> DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS.[2] Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".

We know what to do then, thanks!

In the meantime: do not use DTLSv1.1. It's going away.


Cheers,
Franco

Quote from: franco on Today at 03:48:56 PMIn the meantime: do not use DTLSv1.1. It's going away.
Thanks! Are you going to introduce DTLS 1.2/1.3?
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)