CRL has expired
-
Thank you ! Worked like a charm on 22.05-RELEASE (amd64)
-
Same issue here. Patch solved it within a minute. Thanks.
This has some additional information: https://blog.nuvotex.de/pfsense-crl-has-expired/
-
Y2K all over again
had this same problem, applied the patch, fixed
Thanks Jim
-
P pigbrother referenced this topic on
-
P pigbrother referenced this topic on
-
P pigbrother referenced this topic on
-
P pigbrother referenced this topic on
-
I had the same issue with version 2.5 and 22.05, i wonder if netgate has permanent fix for that
-
Dear All,
Are we really really shure that the patch does fix this? I did apply it and it did work for the moment. After rebooting one of my four pfSense devices (2.6.0-RELEASE (amd64)), I was shut out of all of OpenVPN. The log did contain many entries like this:
Sep 1 18:09:39 openvpn 91912 xxx.xxx.xxx.185:31089 Certificate does not have key usage extension
Sep 1 18:09:39 openvpn 91912 xxx.xxx.xxx.185:31089 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sep 1 18:09:39 openvpn 91912 xxx.xxx.xxx.185:31089 TLS_ERROR: BIO read tls_read_plaintext error
Sep 1 18:09:39 openvpn 91912 xxx.xxx.xxx.185:31089 TLS Error: TLS object -> incoming plaintext read error
Sep 1 18:09:39 openvpn 91912 xxx.xxx.xxx.185:31089 TLS Error: TLS handshake failedThe certificate did work before. After unchecking "Client Certificate Key Usage Validation", everything was OK again. Until the reboot today, it was no problem to leave "Client Certificate Key Usage Validation" checked.
Regards,
Michael
-
@michaelschefczyk I think that is a separate issue:
-
@ads76 Thank you very much. I did install the patches and I am "thrilled" to see what will happen next. I also hope that the system patches package will not become the replacement for regular system updates
-
Those are the changes on the patch
https://github.com/pfsense/pfsense/commit/a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2#diff-d2a6b2f1c6de8faca0eb12c53221e1874fa9943f07f6df127fb153cd1e03ba34
From a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2 Mon Sep 17 00:00:00 2001
From: jim-p jimp@netgate.com
Date: Wed, 17 Aug 2022 12:09:36 -0400
Subject: [PATCH] CRL lifetime fixes to avoid rollover. Fixes #13424
src/etc/inc/certs.inc | 29 +++++++++++++++++++++++--
src/usr/local/www/system_crlmanager.php | 6 ++---
2 files changed, 30 insertions(+), 5 deletions(-)diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index c73a964f3ab..16a011d21eb 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -54,6 +54,9 @@ $cert_altname_types = array(
global $cert_max_lifetime;
$cert_max_lifetime = 12000;+global $crl_max_lifetime;
+$crl_max_lifetime = 9999;
+
function & lookup_ca($refid) {
global $config;@@ -978,9 +981,31 @@ function cert_get_max_lifetime() {
return min($max, $cert_max_lifetime);
}+/* Detect a rollover at 2050 with UTCTime
-
- See: https://redmine.pfsense.org/issues/9098 */
+function crl_get_max_lifetime() {
- See: https://redmine.pfsense.org/issues/9098 */
- global $crl_max_lifetime;
- $max = $crl_max_lifetime;
- $now = new DateTime("now");
- $utctime_before_roll = DateTime::createFromFormat('Ymd', '20491231');
- if ($date !== false) {
-
$interval = $now->diff($utctime_before_roll); -
$max_days = abs($interval->days); -
/* Reduce the max well below the rollover time */ -
if ($max_days > 1000) { -
$max_days -= 1000; -
} -
return min($max_days, cert_get_max_lifetime()); - }
- /* Cannot use date functions, so use a lower default max. */
- return min(7000, cert_get_max_lifetime());
+}
function crl_create(& $crl, $caref, $name, $serial = 0, $lifetime = 3650) {
global $config;- $max_lifetime = cert_get_max_lifetime();
-
$max_lifetime = crl_get_max_lifetime();
$ca =& lookup_ca($caref);
if (!$ca) {
return false;
@@ -1017,7 +1042,7 @@ function crl_update(& $crl) {
require_once('X509_CRL.php');global $config;
- $max_lifetime = cert_get_max_lifetime();
- $max_lifetime = crl_get_max_lifetime();
$ca =& lookup_ca($crl['caref']);
if (!$ca) {
return false;
diff --git a/src/usr/local/www/system_crlmanager.php b/src/usr/local/www/system_crlmanager.php
index d471209d3e3..4b3ed0a6f33 100644
--- a/src/usr/local/www/system_crlmanager.php
+++ b/src/usr/local/www/system_crlmanager.php
@@ -34,8 +34,8 @@
require_once("pfsense-utils.inc");
require_once("vpn.inc");
-$max_lifetime = cert_get_max_lifetime();
-$default_lifetime = min(9999, $max_lifetime);
+$max_lifetime = crl_get_max_lifetime();
+$default_lifetime = min(730, $max_lifetime);global $openssl_crl_status;
@@ -255,7 +255,7 @@
}if ($pconfig['method'] == "internal") {-
$crl['serial'] = empty($pconfig['serial']) ? 9999 : $pconfig['serial'];
-
$crl['serial'] = empty($pconfig['serial']) ? '0' : $pconfig['serial']; $crl['lifetime'] = empty($pconfig['lifetime']) ? $default_lifetime : $pconfig['lifetime']; $crl['cert'] = array(); }
-
-
K khodorb referenced this topic on
-
Is this patch still valid or have the changes for this now been rolled into the latest build?
-
Why ? You still use 22.05 from 2022 ?
These days, its 24.11 or 2.7.2 - I don't recall issues from 2022. -
@Gertjan No i'm using the latest version but this was still in my custom patches i applied - wasn't sure if i should remove it from custom patches or if I still need to keep it there.
-
@jagradang said in CRL has expired:
but this was still in my custom patches i applied
If it still shows applied - or: you can Revert it, then the patch isn't part of the version you use.
In that case : if it works for you, keep it ^^ -
@Gertjan perfect thank you. Still shows as applied and has the revert option so i'll keep it applied
