openvpn webgui can't show full Peer Certificate Authority list.

yon 0

@jimp
I am the imported CA EC certificate, The previous PF2.4.5 version unanimously supports normal operation.

yon 0

openvpn support ecdh-curve secp256k1, i have running it longtime.

-----BEGIN CERTIFICATE-----
MIIBvzCCAWWgAwIBAgIUDgMzRJ5yKP1zLcUiqf886lh0cTAwCgYIKoZIzj0EAwIw
FzEVMBMGA1UEAwwMdi54aWFveXUubmV0MB4XDTIwMDUwMTE1MDM1NloXDTMwMDQy
OTE1MDM1NlowFzEVMBMGA1UEAwwMdi54aWFveXUubmV0MFYwEAYHKoZIzj0CAQYF
K4EEAAoDQgAEsusHCkEPcghM3QXkh6unuklTpga7TaaBVeQQQJ9Gvl1bgXtz30PX
XQr3HzcUBtpkebsXBntlJyT8oXSxLsQsSqOBkTCBjjAdBgNVHQ4EFgQUN5S+Pjbg
CRGh+710yLmn1VVBtmwwUgYDVR0jBEswSYAUN5S+PjbgCRGh+710yLmn1VVBtmyh
G6QZMBcxFTATBgNVBAMMDHYueGlhb3l1Lm5ldIIUDgMzRJ5yKP1zLcUiqf886lh0
cTAwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIg
MAT7FDOLCon2NXTAFAf/WrOtjMcCnwxHku1SEL6F7VwCIQCiCTqrbRPHN+CFUD0z
7el+fyGcN37LA/my30AgT/luIA==
-----END CERTIFICATE-----

yon 0

and please add Edward Curves for support, openvpn supported it also

https://github.com/OpenVPN/easy-rsa/releases

jimp

2.4.5 did not support EC certificates, and support for EC on 2.4.x won't happen. OpenVPN may support it, but other components on 2.4.x do not.

OpenVPN may support ED certs but PHP OpenSSL does not, so they cannot be added at this time.

These are the only acceptable compatible curves for each service that are known to work: https://github.com/pfsense/pfsense/blob/523d8c3fb74a3f2c6a8917df239e82d159a89436/src/etc/inc/certs.inc#L2423

The curve you mention is claimed to be supported by OpenVPN but does not function with OpenSSL 1.1.1: https://redmine.pfsense.org/issues/9744 https://community.openvpn.net/openvpn/ticket/1177

Stick to the curves we have tested and know to work. There is a reason we have limited the list.

yon 0

@jimp said in openvpn webgui can't show full Peer Certificate Authority list.:

OpenSSL 1.1.1

OpenSSL 1.1.1 support ed25519
https://www.openssl.org/docs/man1.1.1/man7/Ed25519.html

yon 0

@yon-0 said in openvpn webgui can't show full Peer Certificate Authority list.:

secp256k1

i have try use secp256k1 work in pf 2.4.5 openvpn , but new pf 2.5 not work.

jimp

I didn't say it didn't. Read my comment again.

jimp

@yon-0 said in [openvpn webgui can't show full Peer Certificate Authority

i have try use secp256k1 work in pf 2.4.5 openvpn , but new pf 2.5 not work.

I explained why in my comment. Read it again.

yon 0

@yon-0 said in openvpn webgui can't show full Peer Certificate Authority list.:

openvpn support ecdh-curve secp256k1, i have running it longtime.

-----BEGIN CERTIFICATE-----
MIIBvzCCAWWgAwIBAgIUDgMzRJ5yKP1zLcUiqf886lh0cTAwCgYIKoZIzj0EAwIw
FzEVMBMGA1UEAwwMdi54aWFveXUubmV0MB4XDTIwMDUwMTE1MDM1NloXDTMwMDQy
OTE1MDM1NlowFzEVMBMGA1UEAwwMdi54aWFveXUubmV0MFYwEAYHKoZIzj0CAQYF
K4EEAAoDQgAEsusHCkEPcghM3QXkh6unuklTpga7TaaBVeQQQJ9Gvl1bgXtz30PX
XQr3HzcUBtpkebsXBntlJyT8oXSxLsQsSqOBkTCBjjAdBgNVHQ4EFgQUN5S+Pjbg
CRGh+710yLmn1VVBtmwwUgYDVR0jBEswSYAUN5S+PjbgCRGh+710yLmn1VVBtmyh
G6QZMBcxFTATBgNVBAMMDHYueGlhb3l1Lm5ldIIUDgMzRJ5yKP1zLcUiqf886lh0
cTAwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIg
MAT7FDOLCon2NXTAFAf/WrOtjMcCnwxHku1SEL6F7VwCIQCiCTqrbRPHN+CFUD0z
7el+fyGcN37LA/my30AgT/luIA==
-----END CERTIFICATE-----

i am srue change back pf2.4.5-p1 and the secp256k1 ca cert is work for openvpn now.

just i mean that it can work pf2.4.5 version, but it can't work in pf 2.5 version.

jimp

That may be the case but it was never supported properly in pfSense. If it worked, it worked by accident.

And I already stated above why it does not work on 2.5.0 (Due to an OpenVPN/OpenSSL 1.1.1 bug)

yon 0

I hope to update the latest and safe advanced technology. Safer and better performance is our goal.

http://safecurves.cr.yp.to/

yon 0

cert bugs from pf2.4.5 to pf 2.5 upgrade

yon 0

just now it is work that using Ed448 curves for opnvpn in pf2.5 built on Thu Aug 13 13:04:02 EDT 2020 tls-version-min 1.3

this is great !