openvpn webgui can't show full Peer Certificate Authority list.
-
I have input the CA cert via Certificate Manager, but the OpenVPN webgui Peer Certificate Authority list does not show it. Test version is pfSense: 2.5.0.a.20200808.0050
-
What kind of CA is that? What settings were used to create it? (Click the "i" next to the CA and see what it shows)
Most likely guess is that's an ECDSA CA using an EC curve not supported by OpenVPN, so it was excluded from the list. When creating a CA on 2.5.0, pfSense marks the curves compatible with different services/protocols, and if an incompatible curve is used, it won't be made available because the daemons would fail in various ways when trying to use it.
-
@jimp
I imported the CA EC certificate. The previous PF2.4.5 version unanimously supports normal operation.
OpenVPN supports ecdh-curve secp256k1; I have been running it for a long time.
-
And please add Edwards curves support; OpenVPN supports them too.
https://github.com/OpenVPN/easy-rsa/releases
-
2.4.5 did not support EC certificates, and support for EC on 2.4.x won't happen. OpenVPN may support it, but other components on 2.4.x do not.
OpenVPN may support ED certs but PHP OpenSSL does not, so they cannot be added at this time.
These are the only acceptable compatible curves for each service that are known to work: https://github.com/pfsense/pfsense/blob/523d8c3fb74a3f2c6a8917df239e82d159a89436/src/etc/inc/certs.inc#L2423
The curve you mention is claimed to be supported by OpenVPN but does not function with OpenSSL 1.1.1: https://redmine.pfsense.org/issues/9744 https://community.openvpn.net/openvpn/ticket/1177
Stick to the curves we have tested and know to work. There is a reason we have limited the list.
-
@jimp said in openvpn webgui can't show full Peer Certificate Authority list.:
OpenSSL 1.1.1
OpenSSL 1.1.1 supports Ed25519
https://www.openssl.org/docs/man1.1.1/man7/Ed25519.html
-
@yon-0 said in openvpn webgui can't show full Peer Certificate Authority list.:
secp256k1
I have tried using secp256k1; it works in pf 2.4.5 OpenVPN, but the new pf 2.5 does not work.
-
I didn't say it didn't. Read my comment again.
-
@yon-0 said in openvpn webgui can't show full Peer Certificate Authority list.:
I have tried using secp256k1; it works in pf 2.4.5 OpenVPN, but the new pf 2.5 does not work.
I explained why in my comment. Read it again.
-
@yon-0 said in openvpn webgui can't show full Peer Certificate Authority list.:
OpenVPN supports ecdh-curve secp256k1; I have been running it for a long time.
I am sure: changing back to pf2.4.5-p1, the secp256k1 CA cert works for OpenVPN now.
I just mean that it can work in the pf2.4.5 version, but it can't work in the pf 2.5 version.
-
That may be the case but it was never supported properly in pfSense. If it worked, it worked by accident.
And I already stated above why it does not work on 2.5.0 (due to an OpenVPN/OpenSSL 1.1.1 bug).
-
I hope to update the latest and safe advanced technology. Safer and better performance is our goal.
http://safecurves.cr.yp.to/
-
Cert bugs from the pf2.4.5 to pf 2.5 upgrade.
-
Just now it works using Ed448 curves for OpenVPN in pf2.5 built on Thu Aug 13 13:04:02 EDT 2020, with tls-version-min 1.3.
This is great!
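An added, editor-written check (not code from this thread, pfSense or OpenVPN) for jimp's point that the CA picker filters by curve: it walks the certificate's DER to the SubjectPublicKeyInfo and reports which curve or key algorithm the imported CA really uses, run here on the secp256k1 CA that yon-0 posted above. OPENVPN_OK is an assumed stand-in for the per-service list in certs.inc that jimp linked; that file, not this set, is authoritative.

```python
import base64
# CA certificate yon-0 pasted earlier in this thread, used here as the sample input.
POSTED_CA = """-----BEGIN CERTIFICATE-----
MIIBvzCCAWWgAwIBAgIUDgMzRJ5yKP1zLcUiqf886lh0cTAwCgYIKoZIzj0EAwIw
FzEVMBMGA1UEAwwMdi54aWFveXUubmV0MB4XDTIwMDUwMTE1MDM1NloXDTMwMDQy
OTE1MDM1NlowFzEVMBMGA1UEAwwMdi54aWFveXUubmV0MFYwEAYHKoZIzj0CAQYF
K4EEAAoDQgAEsusHCkEPcghM3QXkh6unuklTpga7TaaBVeQQQJ9Gvl1bgXtz30PX
XQr3HzcUBtpkebsXBntlJyT8oXSxLsQsSqOBkTCBjjAdBgNVHQ4EFgQUN5S+Pjbg
CRGh+710yLmn1VVBtmwwUgYDVR0jBEswSYAUN5S+PjbgCRGh+710yLmn1VVBtmyh
G6QZMBcxFTATBgNVBAMMDHYueGlhb3l1Lm5ldIIUDgMzRJ5yKP1zLcUiqf886lh0
cTAwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIg
MAT7FDOLCon2NXTAFAf/WrOtjMcCnwxHku1SEL6F7VwCIQCiCTqrbRPHN+CFUD0z
7el+fyGcN37LA/my30AgT/luIA==
-----END CERTIFICATE-----"""
# Key-algorithm and named-curve OIDs (RFC 8017, RFC 5480, RFC 8410).
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.3.1.7": "prime256v1",
        "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1", "1.3.132.0.10": "secp256k1",
        "1.3.101.112": "Ed25519", "1.3.101.113": "Ed448"}
# ASSUMED stand-in for pfSense's per-service list in certs.inc (linked in the thread); no secp256k1.
OPENVPN_OK = {"rsaEncryption", "prime256v1", "secp384r1", "secp521r1"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln
def _children(value):
    out, pos = [], 0                                # (tag, value) elements of a SEQUENCE
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def _oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0     # OBJECT IDENTIFIER contents -> dotted form
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))
def check_ca(pem):
    """Return (curve or key-algorithm name, would the OpenVPN CA picker list it?)."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    _, cert, _ = _tlv(base64.b64decode("".join(body.split())), 0)
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip explicit [0] version
    alg = _children(_children(fields[5][1])[0][1])  # SPKI -> AlgorithmIdentifier
    # EC keys name the curve in the parameters OID; RSA/EdDSA keys in the algorithm OID itself.
    named = alg[1][1] if len(alg) > 1 and alg[1][0] == 0x06 else alg[0][1]
    name = OIDS.get(_oid(named), _oid(named))
    return name, name in OPENVPN_OK
```

Running `check_ca(POSTED_CA)` on the posted CA returns `("secp256k1", False)`, which is exactly the curve the thread identifies as failing with OpenVPN on OpenSSL 1.1.1.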