Netgate Discussion Forum
    • S

      Massive performance drop after upgrade from 23.05 to 23.09

      General pfSense Questions
      • openssl haproxy performance • • sunny1081
      Votes: 1 • Posts: 22 • Views: 2.4k

      JonathanLee

      Do you restrict the number of states allowed on some connections? I noticed once I said, for example, 1 state allowed at a time for GUI, it started to speed up a lot. On some I added expire timers, like my VPNs etc.

      ACL for the HA proxy system should only have how many states??? Maybe just one as it is linked to the other proxy.

      I don't know if that helps, but some cookies kept creating multiple states for some weird reason and slowing everything down. But that was just me; this fixed it for me with KEA use also.

    • T

      pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures

      General pfSense Questions
      • security certificates openssl • • teward
      Votes: 0 • Posts: 5 • Views: 930

      jimp

      @teward said in pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures:

      @jimp I assume then that this will hit pfSense Plus, so for $FULLTIME_JOB I'll need to get us a pfSense+ license for commercial / corporate use. Because I don't know when CE will (if ever) receive the patch.

      The code is in the upcoming Plus 23.01 release.

      The code is also in CE 2.7.0 snapshots.

      You can apply the patches to CE 2.6.0 or Plus 22.05 and get it on existing systems if you prefer.

      When the OpenVPN client export changes are ready they will also be available on 2.6.0 and likely 22.05 in addition to 23.01 and 23.05/2.7.0.

    • M

      No Clients Can Connect To OpenVPN Due to CRL Expiry

      OpenVPN
      • openvpn vpn bug crl openssl • • mmulqueen
      Votes: 1 • Posts: 17 • Views: 6.7k

      jimp

      @jeffreyn said in No Clients Can Connect To OpenVPN Due to CRL Expiry:

      @jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

      You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.

    • S

      OpenSSL vulnerabiltiy: pfSense affected?

      General pfSense Questions
      • openssl security vulnerability • • Stepinsky
      Votes: 0 • Posts: 3 • Views: 842

      johnpoz

      @stepinsky said in OpenSSL vulnerabiltiy: pfSense affected?:

      I cannot judge the relevance of the vulnerability for pfSense users.

      That is the big question for sure. The analysis is still underway at NIST.

      https://nvd.nist.gov/vuln/detail/CVE-2021-3712
      This vulnerability is currently awaiting analysis.

      The key really being
      "If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit."

      Would that be something that could be done with how and when pfSense uses OpenSSL? And it seems there is a patch for FreeBSD:
      https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc

      So when Netgate/pfSense feels it's prudent, sure they will make it available.

      edit: Well, this OpenSSL thing was in one of the many newsletters I get ;) In one today. Doesn't seem like it is too much of a concern, to be honest.

      Here is the article if interested
      https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/