<p>pfSense bugtracker (https://redmine.pfsense.org/): pfSense - Bug #9920: system_crlmanager.php: CRL export file is empty if CA key type is ECDSA</p>
<p><strong>Viktor Gurov</strong>, 2019-11-23T10:49:53Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43008">https://redmine.pfsense.org/issues/9920?journal_id=43008</a></p>
<ul></ul><p>in case of ECDSA CA &lt;text&gt; field of &lt;crl&gt; is always empty in config.xml</p>
<p><strong>Jim Pingle</strong>, 2019-11-23T11:03:31Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43009">https://redmine.pfsense.org/issues/9920?journal_id=43009</a></p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul>
<p><strong>Viktor Gurov</strong>, 2019-11-23T11:12:49Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43010">https://redmine.pfsense.org/issues/9920?journal_id=43010</a></p>
<ul></ul><p>it looks like ukrbublik/openssl_x509_crl does not support ECDSA -</p>
<p><a class="external" href="https://github.com/ukrbublik/openssl_x509_crl/blob/master/src/X509_CRL.php">https://github.com/ukrbublik/openssl_x509_crl/blob/master/src/X509_CRL.php</a>:<br /><pre>
if($ca_pkey_type == OPENSSL_KEYTYPE_EC || $ca_pkey_type == -1)
    return false;
</pre></p>
<p><strong>Jim Pingle</strong>, 2019-11-25T10:01:37Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43021">https://redmine.pfsense.org/issues/9920?journal_id=43021</a></p>
<ul></ul><p>I submitted a PR to their project to add support for ECDSA CAs, it didn't take much:</p>
<p><a class="external" href="https://github.com/ukrbublik/openssl_x509_crl/pull/4">https://github.com/ukrbublik/openssl_x509_crl/pull/4</a></p>
<p><strong>Jim Pingle</strong>, 2019-11-25T10:27:07Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43022">https://redmine.pfsense.org/issues/9920?journal_id=43022</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>I added that patch to our port:</p>
<p><a class="external" href="https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61">https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61</a></p>
<p>Once the new version is in a build, it can be tested.</p>
<p><strong>Viktor Gurov</strong>, 2019-11-27T00:08:15Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43039">https://redmine.pfsense.org/issues/9920?journal_id=43039</a></p>
<ul></ul><p>Jim Pingle wrote:</p>
<blockquote>
<p>I added that patch to our port:</p>
<p><a class="external" href="https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61">https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336ad1a61</a></p>
<p>Once the new version is in a build, it can be tested.</p>
</blockquote>
<p>tested on pfSense 2.5.0.a.20191126.1832</p>
<p>CRL export file is ok now, Resolved</p>
<p><strong>Jim Pingle</strong>, 2019-11-27T07:45:09Z, <a class="external" href="https://redmine.pfsense.org/issues/9920?journal_id=43049">https://redmine.pfsense.org/issues/9920?journal_id=43049</a></p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>My PR was merged upstream and we're on the latest version as well now, without needing a patch. That was finished the same day, so it's all good and tested now.</p>
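<p>An added example, not part of the original thread and not pfSense or openssl_x509_crl code: a way to check an exported CRL for the symptom reported here (an empty file) and to confirm it verifies against an ECDSA CA, using the <code>openssl</code> command line. The CA name, file names and return codes are assumptions made up for the example, and the CA and CRL are constructed test data.</p>

```shell
#!/bin/sh
# Added example (constructed data): throwaway ECDSA CA + CRL, then the export check.
set -eu

# Build a P-256 CA and a CRL with no revoked entries in existing directory $1.
# All file names and the CA subject are made up for this example.
make_ec_ca_and_crl() {
    d=$1
    : > "$d/index.txt"
    echo 'unique_subject = yes' > "$d/index.txt.attr"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/ca.key" \
        -subj "/CN=Constructed ECDSA CA" -days 30 -out "$d/ca.crt" 2>/dev/null
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" \
        -cert "$d/ca.crt" -out "$d/ca.crl" 2>/dev/null
}

# Return 0 if CRL $1 is non-empty, parses, and verifies against CA cert $2.
# 1 = empty file (the symptom in this issue), 2 = unparsable, 3 = signature not verified.
check_crl() {
    crl=$1; ca=$2
    [ -s "$crl" ] || return 1
    openssl crl -in "$crl" -noout 2>/dev/null || return 2
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' || return 3
    return 0
}

# Print the signature algorithm recorded in CRL $1.
crl_sig_alg() {
    openssl crl -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

work=$(mktemp -d)
make_ec_ca_and_crl "$work"
check_crl "$work/ca.crl" "$work/ca.crt" && echo "CRL OK: $(crl_sig_alg "$work/ca.crl")"
```

<p>To check a real export, pass the downloaded CRL and the CA certificate to <code>check_crl</code> in place of the constructed files.</p>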