Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#1136 closed Bug / Defect (notabug)

crl-verify option does'nt work in chroot

Reported by: port Owned by: Antonio Quartulli
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

Hello,

When I start server with chroot option I got such warning:
WARNING: Failed to stat CRL file, not (re)loading CRL.

And it is not possible to access with a client:
Mon Oct 29 17:43:26 2018 us=5754 :60155 TLS_ERROR: BIO read tls_read_plaintext error
Mon Oct 29 17:43:26 2018 us=5778 :60155 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 29 17:43:26 2018 us=5801 :60155 TLS Error: TLS handshake failed
Mon Oct 29 17:43:26 2018 us=5906 :60155 SIGUSR1[soft,tls-error] received, client-instance restarting

Disabling crl-verify fixes the issue.

In config:
chroot /home/jail
crl-verify crl.pem

Thank you!

Change History (13)

comment:1 Changed 5 years ago by Antonio Quartulli

is the crl.pem available in the chroot folder?

comment:2 Changed 5 years ago by Antonio Quartulli

Milestone: release 2.4.6
Owner: set to Antonio Quartulli
Status: newassigned
Version: easyrsa-3.xOpenVPN 2.4.6 (Community Ed)

comment:3 in reply to:  1 Changed 5 years ago by port

Replying to Antonio:

is the crl.pem available in the chroot folder?

Yes

comment:4 Changed 5 years ago by Antonio Quartulli

can you show the full server config please? I just tested it here and it just works.

comment:5 Changed 5 years ago by port

# Secure OpenVPN Server Config

chroot /home/jail

# Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 5

# Certs
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

# Ciphers and Hardening
reneg-sec 0
remote-cert-tls client

crl-verify crl.pem

tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Drop Privs
user nobody
group nobody

# IP pool
server 172.31.100.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd

# Misc
persist-key
persist-tun
comp-lzo

# DHCP Push options force all traffic through VPN and sets DNS servers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Logging
log-append /var/log/openvpn.log
verb 3

Last edited 5 years ago by port (previous) (diff)

comment:6 Changed 5 years ago by Antonio Quartulli

thanks.
And I guess crl.pem is accessible by the user nobody, right?

Just to clarify: crl.pem is accessed by openvpn every time a client connects. This way it can support runtime changes.

comment:7 in reply to:  6 Changed 5 years ago by port

Replying to Antonio:

thanks.
And I guess crl.pem is accessible by the user nobody, right?

Just to clarify: crl.pem is accessed by openvpn every time a client connects. This way it can support runtime changes.

I tested several options, changed owner even tried give full perms to crl.pem, nothing helps, always:
WARNING: Failed to stat CRL file, not (re)loading CRL.

comment:8 Changed 5 years ago by Antonio Quartulli

can you please confirm you are running 2.4.6 ?
would you also please provide a full server log with "verb 4"?

This needs further investigation as I can't reproduce it right now.

comment:9 Changed 5 years ago by port

openvpn --version
OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@…>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

comment:10 Changed 5 years ago by port

Last edited 5 years ago by port (previous) (diff)

comment:11 Changed 5 years ago by port

Oh, I'm very sorry it was my misconfiguration.
Jail folder had incorrect owner.
After fix everything started without errors.
Sorry I took your time .
Thank you very much for fast response and sorry again ))


comment:12 Changed 5 years ago by Antonio Quartulli

Resolution: notabug
Status: assignedclosed

no problem! Cool that you figured this out!

I am closing the ticket

comment:13 in reply to:  12 Changed 5 years ago by port

Replying to Antonio:

no problem! Cool that you figured this out!

I am closing the ticket

Yes, close please.

Thank you one more time )

Note: See TracTickets for help on using tickets.