From 3b39e2d1f637e0c2ca9216ed25e4499d263df273 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 1 Sep 2022 16:46:21 +0200
Subject: [PATCH] OpenVPN / CRL - trap validateSignature() exceptions to syslog
---
 src/etc/inc/certs.inc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 2a0564dfc..5edd02802 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -677,8 +677,13 @@ function crl_update(&$crl)
 $x509_crl->loadCRL($x509_crl->saveCRL($x509_crl->signCRL($ca_cert, $x509_crl)));
 /* Now validate the CRL to see if everything went well */
- if (!$x509_crl->validateSignature(false)) {
- syslog(LOG_ERR, 'Cert revocation error: CRL signature invalid');
+ try {
+ if (!$x509_crl->validateSignature(false)) {
+ syslog(LOG_ERR, 'Cert revocation error: CRL signature invalid');
+ return false;
+ }
+ } catch (Exception $e) {
+ syslog(LOG_ERR, 'Cert revocation error: CRL signature invalid ' . $e);
 return false;
 }
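Review bot: The new catch branch logs `'Cert revocation error: CRL signature invalid ' . $e`, which casts the exception to a string and so writes its class, file, line and multi-line stack trace to syslog under the same "signature invalid" wording used for a CRL that really failed verification. A failure inside the library (presumably something like an unsupported algorithm or an unusable key) then looks the same to an operator as a bad signature, and the trace lines are awkward for log parsers. I would give the branch its own wording and log only the message: `syslog(LOG_ERR, 'Cert revocation error: CRL signature validation failed: ' . $e->getMessage());`. `catch (Exception $e)` also leaves PHP `Error`/`TypeError` uncaught; if those should take the same `return false` path, `catch (Throwable $e)` covers them. The body of crl_update() starts and ends outside this hunk, so how callers handle the `false` return (and whether a stale CRL stays in use) cannot be checked from here.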