Netgate Discussion Forum

Certificate Revocation List cannot be edited after Update to pfsense 2.1.1

OpenVPN
    Vertec
    last edited by Apr 9, 2014, 11:18 AM

    Since upgrading to the latest firmware, I cannot edit CRLs anymore.
    When hitting the "e" (edit) button nothing happens.

    Firebug says:
    TypeError: document.iform is undefined
    method = document.iform.method.selectedIndex;

    I have tried it with Firefox, Opera and IE.

    Is this a known issue with the latest firmware version or is there a possible solution?

      doktornotor Banned
      last edited by Apr 9, 2014, 11:34 AM

      Confirmed, plus, sucks badly due to the openssl bug…

      https://redmine.pfsense.org/issues/3591
      https://redmine.pfsense.org/issues/3588#note-16

        Vertec
        last edited by Apr 9, 2014, 11:53 AM

        Exactly, I just updated because of the Heartbleed bug…
        I think there should be a fix asap.

          jimp Rebel Alliance Developer Netgate
          last edited by Apr 9, 2014, 12:51 PM

          A fix is coming but ideally you'd create a whole new CA and Cert structure if you believe yours has been compromised. Re-using the CA + Revoking certs should only be done if the CA's key had no chance of being compromised.

          New CA + New certs is also faster than Revoking eleventy hundred certs plus regenerating them all. If you have to reissue all new clients anyway, there's little benefit to taking the revocation path.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            phil.davis
            last edited by Apr 9, 2014, 2:01 PM

            I expect it would be safe to leave the old CA and certs in your pfSense, and not even bother making a huge CRL for them, if you want to retain that data about what old certs you had etc.
            Make a new CA, server cert, and user certs. Change the OpenVPN server/s to use the new CA, server cert…
            Then the old CA and certs will never be used by anything for authentication, so they are just a dangling piece of history that can stay around as long as you care.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
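
The point made in the post above, as an added example that is not part of the original thread: once the verifier trusts only the new CA, certificates issued by the old CA fail chain validation without any CRL. All names (`old-ca`, `new-ca`, `old-client`, `new-client`) are constructed throwaway values, and `openssl verify -CAfile` stands in for the CA the OpenVPN server is configured to trust.

```shell
#!/bin/sh
# Added example: throwaway CAs and client certs, generated in a temp directory.

# make_ca DIR NAME: self-signed CA, written to DIR/NAME.key and DIR/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME: client cert NAME signed by the CA named CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# verdict CAFILE CERT: prints "accepted" if CERT chains to CAFILE, else "rejected"
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# check_migration: issue one client under each CA, then validate against
# the old trust anchor (before the switch) and the new one (after it).
check_migration() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old-ca || return 1
    make_ca "$d" new-ca || return 1
    issue_cert "$d" old-ca old-client || return 1
    issue_cert "$d" new-ca new-client || return 1
    echo "old-ca/old-client=$(verdict "$d/old-ca.crt" "$d/old-client.crt")" \
         "new-ca/old-client=$(verdict "$d/new-ca.crt" "$d/old-client.crt")" \
         "new-ca/new-client=$(verdict "$d/new-ca.crt" "$d/new-client.crt")"
    rm -rf "$d"
}

check_migration
```

The first result is the reason the server has to be switched: as long as the old CA remains the trust anchor, every old certificate still validates.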

              jimp Rebel Alliance Developer Netgate
              last edited by Apr 9, 2014, 2:13 PM

              It's also important to keep in mind that if you used a TLS Key in addition to your CA and Certs and used them only for OpenVPN, then you were not vulnerable to Heartbleed anyway.

                doktornotor Banned
                last edited by Apr 9, 2014, 2:27 PM

                While at this, are you upgrading the OpenVPN client export package with the latest client version as well? 'cause it's shipping openssl as well… :(

                http://openvpn.net/index.php/open-source/downloads.html

                  jimp Rebel Alliance Developer Netgate
                  last edited by Apr 9, 2014, 2:31 PM

                  Yeah I'm doing that right now actually. Going to move it to 2.3.3. I'll bump the export pkg version when I'm done.

                    jimp Rebel Alliance Developer Netgate
                    last edited by Apr 9, 2014, 3:22 PM

                    @jimp:

                    Yeah I'm doing that right now actually. Going to move it to 2.3.3. I'll bump the export pkg version when I'm done.

                    Export should be OK now – https://forum.pfsense.org/index.php?topic=74948.0
