Netgate Discussion Forum

    CRL doesn't work.

      darimar78

      Hello,
      I don't know if this is the right place to talk about this problem: I have a VM with 2.4.5-RELEASE-p1 and I can't revoke certificates issued for OpenVPN clients.

      When I try to add a certificate to a CRL, I get this error:

      [18-Jun-2020 17:34:26 Europe/Rome] PHP Fatal error: Uncaught Exception: Can't parse time from string '†°î>Œã>†-Ò™Ïê¶g£Bâx' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
      Stack trace:
      #0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
      #1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
      #2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
      #3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
      #4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
      #5 /usr/local/share/openssl_x509_cr in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php on line 73
      [18-Jun-2020 19:25:06 Europe/Rome] PHP Fatal error: Uncaught Exception: Can't parse time from string '†°î>Œã>†-Ò™Ïê¶g£Bâx' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
      Stack trace:
      #0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
      #1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
      #2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
      #3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
      #4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
      #5 /usr/local/share/openssl_x509_cr in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php on line 73
      [18-Jun-2020 19:43:32 Europe/Rome] PHP Fatal error: Uncaught Exception: Can't parse time from string '†°î>Œã>†-Ò™Ïê¶g£Bâx' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
      Stack trace:
      #0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
      #1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
      #2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
      #3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
      #4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
      #5 /usr/local/share/openssl_x509_cr in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php on line 73

      I see this error only in this pfSense instance. I have other pfSense installations and CRL works perfectly.

      Does anyone have any ideas about it?

      Thanks,
      Dario.

        viktor_g Netgate @darimar78

        @darimar78 Unable to reproduce this issue -
        I can successfully create CRL on my 2.4.5-p1 VM

        Please provide more detail about your appliance and CA/cert

          jimp Rebel Alliance Developer Netgate

          This appears to be the same as https://redmine.pfsense.org/issues/10699 though it is probably better to keep the discussion here until we have a better idea what is happening.

          There have been other people who hit PHP errors with CRLs in the past but I don't see any that are an exact match for this one.

          I just received and decrypted the certs you sent, I'll see what I can find and report back here.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            jimp Rebel Alliance Developer Netgate

            I was able to reproduce the problem with that CA, so I should be able to dig into it from here. Thanks!

              jimp Rebel Alliance Developer Netgate

              I posted an update on the Redmine issue but the tl;dr of it is: There doesn't appear to be anything wrong with the CA from what I can see in the data parsed by OpenSSL, but the PHP X509 library we use for CRLs clearly doesn't like something about the data in that CA. I don't see anything we can do about it in our code, unfortunately, and even tracing through the code in that library, nothing stood out as an obvious issue.

              Even if we handled that error condition more gracefully, all it could do is refuse to make the CRL, which doesn't help the issue, it would only prevent that particular error from being printed.

              Since it only affects that one single CA and no others on anyone else's firewalls, and it appears to be a fairly deep rooted issue with that library, your only viable path forward would be to make a new CA and distribute it to your clients.


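A reading of the offsets in the stack trace above, added here as an example and not taken from the thread or from the openssl_x509_crl library: the header bytes `0\x82\x04H0\x82\x030` give an outer length of 0x448 and a tbsCertificate length of 0x330, so the BIT STRING at offset 843 with length 257 ends exactly at the end of the certificate, which makes it the signature, and the failing GeneralizedTime decode at 962 lies inside it. The Python sketch below assumes, from the `ASN1_BITSTRING->decodeConstructed` frames, that the parser probes BIT STRING contents for nested DER, and reports where signature bytes happen to resemble a time TLV. The names `read_tlv`, `walk`, `audit` and both sample blobs are hypothetical and constructed; the walk is top-level only and ignores high-tag-number form.

```python
# Added example: constructed data, not the pfSense or openssl_x509_crl code.
TIME_TAGS = {0x17: "UTCTime", 0x18: "GeneralizedTime"}

def read_tlv(buf, off):
    """Return (tag, content_offset, content_len) for a DER TLV, or None if it does not fit."""
    if off + 2 > len(buf):
        return None
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length: next n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return (tag, pos, length) if pos + length <= len(buf) else None

def walk(buf, off, end):
    """List (offset, tag, content_offset, content_len) for back-to-back TLVs in buf[off:end]."""
    out = []
    while off < end:
        tlv = read_tlv(buf[:end], off)
        if tlv is None:                    # bytes stop looking like DER: give up quietly
            break
        out.append((off, *tlv))
        off = tlv[1] + tlv[2]
    return out

def audit(cert):
    """Find signatureValue and report time-like tags a speculative parse would hit in it."""
    top = read_tlv(cert, 0)
    if top is None or top[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    children = walk(cert, top[1], top[1] + top[2])
    if len(children) != 3 or children[2][1] != 0x03:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    _, _, cpos, clen = children[2]         # BIT STRING content, incl. unused-bits byte
    hits = [(o, TIME_TAGS[t], l) for o, t, _, l in walk(cert, cpos + 1, cpos + clen)
            if t in TIME_TAGS]
    return {"bitstring": (cpos, clen), "time_like": hits}

def der(tag, content):                     # sample builder; short-form lengths only
    return bytes([tag, len(content)]) + content

def sample(sig):                           # constructed certificate-shaped blob
    return der(0x30, der(0x30, b"\x02\x01\x01") + der(0x30, b"\x05\x00")
               + der(0x03, b"\x00" + sig))

UNLUCKY = sample(bytes.fromhex("0402aabb180386b0eeff"))  # signature bytes that resemble TLVs
CLEAN = sample(bytes.fromhex("9f8e7d6c5b4a"))            # signature bytes that do not
print(audit(UNLUCKY), audit(CLEAN))
```

To check a real CA, pass `audit` the DER bytes of the certificate, for example the output of `openssl x509 -in ca.crt -outform DER`.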
                darimar78

                Hi Jim,
                thank you for your time. I had supposed that the problem was the PHP library. I'll move on to building and using a new CA.

                Thanks,
                Dario.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.