#1136 closed Bug / Defect (notabug)
crl-verify option doesn't work in chroot
Field | Value
---|---
Reported by | port
Owned by | Antonio Quartulli
Priority | major
Milestone |
Component | Generic / unclassified
Version | OpenVPN 2.4.6 (Community Ed)
Severity | Not set (select this one, unless you're an OpenVPN developer)
Keywords |
Cc |
Description
Hello,
When I start the server with the chroot option I get this warning:
WARNING: Failed to stat CRL file, not (re)loading CRL.
And it is not possible to connect with a client:
Mon Oct 29 17:43:26 2018 us=5754 :60155 TLS_ERROR: BIO read tls_read_plaintext error
Mon Oct 29 17:43:26 2018 us=5778 :60155 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 29 17:43:26 2018 us=5801 :60155 TLS Error: TLS handshake failed
Mon Oct 29 17:43:26 2018 us=5906 :60155 SIGUSR1[soft,tls-error] received, client-instance restarting
Disabling crl-verify fixes the issue.
In config:
chroot /home/jail
crl-verify crl.pem
Thank you!
Change History (13)
comment:1 follow-up: 3 Changed 5 years ago by
comment:2 Changed 5 years ago by
Field | Change
---|---
Milestone | release 2.4.6
Owner | set to Antonio Quartulli
Status | new → assigned
Version | easyrsa-3.x → OpenVPN 2.4.6 (Community Ed)
comment:3 Changed 5 years ago by
comment:4 Changed 5 years ago by
Can you show the full server config please? I just tested it here and it just works.
comment:5 Changed 5 years ago by
# Secure OpenVPN Server Config
chroot /home/jail
# Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 5
# Certs
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# Ciphers and Hardening
reneg-sec 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
# Drop Privs
user nobody
group nobody
# IP pool
server 172.31.100.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd
# Misc
persist-key
persist-tun
comp-lzo
# DHCP Push options force all traffic through VPN and sets DNS servers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Logging
log-append /var/log/openvpn.log
verb 3
comment:6 follow-up: 7 Changed 5 years ago by
thanks.
And I guess crl.pem is accessible by the user nobody, right?
Just to clarify: crl.pem is accessed by openvpn every time a client connects. This way it can support runtime changes.
comment:7 Changed 5 years ago by
Replying to Antonio:
thanks.
And I guess crl.pem is accessible by the user nobody, right?
Just to clarify: crl.pem is accessed by openvpn every time a client connects. This way it can support runtime changes.
I tested several options, changed the owner, even tried giving full perms to crl.pem; nothing helps, always:
WARNING: Failed to stat CRL file, not (re)loading CRL.
comment:8 Changed 5 years ago by
Can you please confirm you are running 2.4.6?
Would you also please provide a full server log with "verb 4"?
This needs further investigation as I can't reproduce it right now.
comment:9 Changed 5 years ago by
openvpn --version
OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@…>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
comment:11 Changed 5 years ago by
Oh, I'm very sorry, it was my misconfiguration.
The jail folder had an incorrect owner.
After the fix everything started without errors.
Sorry I took your time.
Thank you very much for the fast response, and sorry again ))
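Added example, not part of the ticket and not OpenVPN's own code: a POSIX shell preflight script that emulates the access check OpenVPN effectively performs when it re-reads the CRL for every client handshake (comment:6). That read happens after chroot() and after the drop to `user nobody`, so the `crl-verify` path is resolved inside the jail and every directory from the jail root down must be searchable by that user, which is exactly what a wrongly owned jail directory (comment:11) breaks. The script name check_crl.sh is hypothetical; the values /home/jail, crl.pem and nobody are the ticket's. It assumes a GNU or BSD `stat` and evaluates plain owner/group/other bits only; ACLs and SELinux, which can also make stat() fail, are not considered.

```shell
#!/bin/sh
# check_crl.sh (hypothetical name): preflight for "chroot DIR", "user USER"
# and "crl-verify FILE". Added example, not OpenVPN code. OpenVPN chroot()s
# as root, drops to USER, and then stat()s/reads the CRL on every client
# connection, so the walk below starts at the jail root, not at /.

# file_meta PATH -> "octal_mode owner group" (GNU stat, falling back to BSD stat)
file_meta() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%OLp %Su %Sg' "$1"
}

# has_perm PATH BIT USER GROUPS
# Succeeds when USER (member of the space-separated GROUPS) holds permission
# BIT (4 = read, 1 = search/execute) on PATH, judged from the owner, group and
# other bits the way the kernel judges a non-root process.
has_perm() {
    hp_meta=$(file_meta "$1") || return 1
    hp_bit=$2; hp_user=$3; hp_groups=$4
    set -- $hp_meta
    case $1 in ?) hp_mode=00$1 ;; ??) hp_mode=0$1 ;; *) hp_mode=$1 ;; esac
    hp_mode=${hp_mode#"${hp_mode%???}"}      # drop setuid/setgid/sticky, keep rwx digits
    hp_owner=$2; hp_group=$3
    if [ "$hp_user" = "$hp_owner" ]; then
        hp_digit=${hp_mode%??}               # owner triplet
    else
        case " $hp_groups " in
            *" $hp_group "*) hp_digit=${hp_mode#?}; hp_digit=${hp_digit%?} ;;  # group triplet
            *)               hp_digit=${hp_mode#??} ;;                           # other triplet
        esac
    fi
    [ $((hp_digit & hp_bit)) -ne 0 ]
}

# check_crl_in_chroot JAIL CRL_PATH USER
# CRL_PATH is the crl-verify value from the config. After chroot() a relative
# path is resolved under JAIL, and an absolute one is taken inside JAIL too.
check_crl_in_chroot() {
    cc_jail=$1; cc_user=$3
    case $2 in /*) cc_rel=${2#/} ;; *) cc_rel=$2 ;; esac
    cc_target=$cc_jail/$cc_rel
    cc_groups=$(id -Gn "$cc_user" 2>/dev/null || true)
    [ -d "$cc_jail" ] || { echo "FAIL: chroot directory $cc_jail does not exist"; return 1; }
    [ -f "$cc_target" ] || { echo "FAIL: $cc_target not found: the CRL must live inside the jail"; return 1; }
    # every directory from the jail root down needs search permission, or stat() fails
    cc_dir=$cc_jail
    cc_rest=$(dirname "$cc_rel")
    while :; do
        has_perm "$cc_dir" 1 "$cc_user" "$cc_groups" || {
            echo "FAIL: $cc_user cannot traverse $cc_dir (OpenVPN would log 'Failed to stat CRL file')"
            return 1; }
        [ "$cc_rest" = . ] && break
        case $cc_rest in
            */*) cc_dir=$cc_dir/${cc_rest%%/*}; cc_rest=${cc_rest#*/} ;;
            *)   cc_dir=$cc_dir/$cc_rest; cc_rest=. ;;
        esac
    done
    # stat() would succeed from here on; the actual reload still needs read permission
    has_perm "$cc_target" 4 "$cc_user" "$cc_groups" || {
        echo "FAIL: stat() works but $cc_user cannot read $cc_target"; return 1; }
    echo "OK: $cc_user can stat and read $cc_target"
}

# Usage: sh check_crl.sh /home/jail crl.pem nobody
if [ $# -ge 1 ]; then
    check_crl_in_chroot "$1" "${2:-crl.pem}" "${3:-nobody}"
fi
```

The jail does not have to be owned by the unprivileged user; a root-owned jail with mode 755 and a world-readable crl.pem is enough, and the user should not need write access to anything in it. Note that `ca`, `cert`, `key` and `dh` in the posted config are absolute /etc/openvpn paths that are read once at startup, before chroot(), which is why only the CRL has to be copied into the jail.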
comment:12 follow-up: 13 Changed 5 years ago by
Field | Change
---|---
Resolution | → notabug
Status | assigned → closed
no problem! Cool that you figured this out!
I am closing the ticket
comment:13 Changed 5 years ago by
Replying to Antonio:
no problem! Cool that you figured this out!
I am closing the ticket
Yes, close please.
Thank you one more time )
is the crl.pem available in the chroot folder?