pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures
-
This is a Security Concern, one which I filed a bug about that was promptly closed with vague reference to an "internal issue".
In the recent year or two with major OpenSSL changes and standards for certificates, SHA1 and older signature algos are deprecated and not available in default configs, and most if not all browsers refuse to accept the certificate due to older signature algos.
As a result, VPN certificates, site certificates, etc. do not function on other systems when pfSense exports them, due to the nature of SSL certificate deprecations.
UNFORTUNATELY, I have not found anything in any changelogs or otherwise to suggest this has changed. Does pfSense have a fix for the outdated certificate algos and export problem? It was suggested this was a PHP problem, in which case why not just wrap it around a standard openssl call on the exec/command line and export that file directly?
-
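Added illustration of the "wrap a standard openssl call" approach the post above suggests (example script written for this thread, not pfSense's or Netgate's code): it builds two PKCS#12 bundles from a throwaway self-signed certificate, one with modern PBES2/AES-256/SHA-256 parameters and one with the SHA1-era PBE and MAC that current clients increasingly refuse, then reports what each container actually uses. The certificate's own signature hash is a separate property from the container's encryption and MAC, so the script reports that too. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; all file names and the demo password are constructed here.

```shell
#!/bin/sh
# Added example (not pfSense code): compare a modern and a legacy PKCS#12 export
# made with the stock openssl CLI, and inspect which algorithms each one uses.
# Assumes openssl 1.1.1 or 3.x is on PATH; every path below is a constructed
# demo value.
set -eu

WORK="${TMPDIR:-/tmp}/p12demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Throwaway key + self-signed cert (constructed test material, not a real identity).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=p12demo.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Export with explicitly modern parameters: AES-256-CBC (PBES2/PBKDF2) for both
# the key and certificate bags, SHA-256 for the integrity MAC. The flags behave
# the same on OpenSSL 1.1.1 and 3.x, so the result does not depend on the
# version's default.
export_modern() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout pass:demo -out "$WORK/modern.p12"
}

# Export with SHA1-based PBE (3DES) and a SHA1 MAC: the kind of container older
# exporters produce and recent clients reject.
export_legacy() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:demo -out "$WORK/legacy.p12"
}

# Print the MAC and bag-encryption summary lines for a .p12 file. openssl writes
# the -info summary to stderr, so both streams are merged before filtering.
p12_algos() {
    openssl pkcs12 -info -noout -in "$1" -passin pass:demo 2>&1 \
        | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# "legacy" if any SHA1-era PBE, RC2/RC4 or 3DES shows up, "modern" otherwise.
classify_p12() {
    if p12_algos "$1" | grep -qiE 'sha1|RC2|RC4|3DES|TripleDES'; then
        echo legacy
    else
        echo modern
    fi
}

# The certificate's signature hash is independent of the container: a SHA-256
# certificate can still be shipped inside a SHA1/3DES bundle.
cert_sig_algo() {
    openssl x509 -in "$1" -noout -text \
        | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

make_test_cert
export_modern
export_legacy
echo "modern.p12 -> $(classify_p12 "$WORK/modern.p12")"
echo "legacy.p12 -> $(classify_p12 "$WORK/legacy.p12")"
echo "cert.pem signature -> $(cert_sig_algo "$WORK/cert.pem")"
```

Running it prints `modern` for the first bundle and `legacy` for the second; pointing `classify_p12` at a bundle exported by a firewall or VPN appliance is a quick way to confirm, before handing it to a client, which kind of container it is.
-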
Your statement is unfortunately vague but I can only assume you're talking about PKCS #12 export (and that #13472 was your previous report)?
That has been addressed in development in the base system: https://redmine.pfsense.org/issues/13257 and it's even mentioned in the release notes for the upcoming 23.01 release.
We are still working on an update to the OpenVPN client export package to address it there as well:
https://redmine.pfsense.org/issues/13255
For the base system, the changes will be included in the next release(s) but you can install the System Patches package and then create entries for
9efec2778cd9a6379716fc32891614f1d4551cf4
and
a7e50981ec30d5844d59b5fa7c324fb89d415d42
(and apply them both one after the other) to bring in the new PKCS#12 export options.
-
@jimp Yep my vagueness is due to my brain malfunctioning - less than 4 hours sleep consistently every night for a week does nasty things.
Thanks for the detailed layout of the fixes, tickets, and workaround solutions. This PKCS issue with certs, etc. is one of the only reasons I moved to a different firewall (temporarily) at home because of the certificate algos issue.
At least it looks like there's good progress on this!
-
@jimp I assume then that this will hit pfSense Plus, so for $FULLTIME_JOB I'll need to get us a pfSense+ license for commercial / corporate use. Because I don't know when CE will (if ever) receive the patch.
-
@teward said in pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures:
@jimp I assume then that this will hit pfSense Plus, so for $FULLTIME_JOB I'll need to get us a pfSense+ license for commercial / corporate use. Because I don't know when CE will (if ever) receive the patch.
The code is in the upcoming Plus 23.01 release.
The code is also in CE 2.7.0 snapshots.
You can apply the patches to CE 2.6.0 or Plus 22.05 and get it on existing systems if you prefer.
When the OpenVPN client export changes are ready they will also be available on 2.6.0 and likely 22.05, in addition to 23.01 and 23.05/2.7.0.