Opened 3 years ago
Last modified 7 weeks ago
#1257 assigned Bug / Defect
capath does not refresh CRL and also disable crl-verify
Reported by: | luizluca | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Crypto | Version: | OpenVPN 2.4.6 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | capath crl |
Cc: | | | |
Description
Hello,
I'm using capath in order to validate certificates issued by multiple CAs.
Without crl-verify, it does check the CRLs correctly (the *.r* files inside capath). However, it does not refresh them when they are updated, or even after they expire. I need to restart openvpn (which is not ideal) whenever I update any CRL.
I tried to use crl-verify again with:
crl-verify /same/path/of/capath/ dir
But it does not change the behavior. I also tried a different path, moving all *.r* files into the new directory.
crl-verify /different/path/of/capath.crl/ dir
However, openvpn simply ignored it (when capath is in use). I did an strace, and it stat()s only /same/path/of/capath/*.r* (only once) and never /different/path/of/capath.crl/*.r*. As capath now had no CRLs, it accepted a revoked cert.
Please, add all CRL inside capath to the "files to refresh on client connect" list.
I'm actually using 2.4.5. However, nothing in the changelog has touched that area since then.
Change History (5)
comment:1 Changed 3 years ago by
comment:2 follow-up: 4 Changed 2 years ago by
Owner: | Steffan Karger deleted |
---|---|
Status: | new → assigned |
Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)
comment:4 Changed 2 years ago by
Replying to Gert Döring:
> Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)
I think you meant "concatenating CRLs into one file", and "referencing that with --crl-verify".
This is the recent fix you're probably referring to: https://github.com/OpenVPN/openvpn/commit/ed925c0a8d3e6aa8bc26de8c0e7ed79a47e5c7d6
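The two layouts this ticket is about, as an added example that is not part of the ticket or of OpenVPN's code: the hashed capath directory from the description (one <issuer-hash>.0 CA cert and one <issuer-hash>.r0 CRL per issuer, which is what the reporter's *.r* files are) and the single concatenated CRL file that comment:4 suggests for --crl-verify. It assumes a POSIX shell and an openssl binary with the req, ca, x509, crl and verify subcommands; every CA name, client name and path in it is made up for the demo. Because `openssl verify` re-reads its inputs on every run, the script shows what each lookup mode sees and what a stale CRL costs (a revoked client still accepted), not OpenVPN's own in-process caching.

```shell
#!/bin/sh
# Added example, not OpenVPN project code.  Two private CAs are built with the
# openssl CLI, one client cert per CA is revoked, and the same certs are then
# checked through (a) a hashed capath directory and (b) one concatenated CRL
# bundle.  All names and paths are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA plus the index/serial/crlnumber state that
# `openssl ca` needs to issue, revoke and generate CRLs.
make_ca() {
  d="$WORK/$1"
  mkdir -p "$d/newcerts"
  : > "$d/index.txt"
  echo 01 > "$d/serial"
  echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -extensions ca_ext -subj "/CN=$1" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}

# issue CA CN / revoke CA CN / gencrl CA: the usual `openssl ca` life cycle.
issue() {
  d="$WORK/$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$2" \
    -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$2.csr" -out "$d/$2.crt" 2>/dev/null
}
revoke() { openssl ca -config "$WORK/$1/ca.cnf" -revoke "$WORK/$1/$2.crt" 2>/dev/null; }
gencrl() { openssl ca -config "$WORK/$1/ca.cnf" -gencrl -out "$WORK/$1/crl.pem" 2>/dev/null; }

# build_capath DIR CA...: the hashed-directory layout OpenSSL's CApath lookup
# (and therefore OpenVPN --capath) reads: <hash>.0 for a CA, <hash>.r0 for its CRL.
build_capath() {
  dir=$1; shift; mkdir -p "$dir"
  for ca in "$@"; do
    h=$(openssl x509 -hash -noout -in "$WORK/$ca/ca.crt")
    cp "$WORK/$ca/ca.crt" "$dir/$h.0"
    cp "$WORK/$ca/crl.pem" "$dir/$h.r0"
  done
}

# build_bundle CAFILE CRLFILE CA...: all CA certs in one PEM, all CRLs in
# another, i.e. the --ca plus single-file --crl-verify layout from comment:4.
build_bundle() {
  cafile=$1; crlfile=$2; shift 2
  : > "$cafile"; : > "$crlfile"
  for ca in "$@"; do
    cat "$WORK/$ca/ca.crt" >> "$cafile"
    cat "$WORK/$ca/crl.pem" >> "$crlfile"
  done
}

# classify OUTPUT: reduce `openssl verify` output to ok / revoked / no-crl / error.
classify() {
  case "$1" in
    *"certificate revoked"*) echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*) echo ok ;;
    *) echo error ;;
  esac
}
check_capath() {   # DIR CERT: strict CRL check through the hashed directory
  out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1) || true
  classify "$out"
}
check_bundle() {   # CAFILE CRLFILE CERT: strict CRL check through the bundles
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) || true
  classify "$out"
}

make_ca ca1; make_ca ca2
issue ca1 alice; issue ca1 bob; issue ca2 carol
revoke ca1 bob
gencrl ca1; gencrl ca2
build_capath "$WORK/capath" ca1 ca2
build_bundle "$WORK/ca-bundle.crt" "$WORK/crl-bundle.pem" ca1 ca2

# Revoke alice afterwards and regenerate ca1's CRL, but keep the old bundle and
# the old capath: anything still holding the earlier CRL data keeps accepting
# alice, which is the exposure when CRLs are loaded once and never refreshed.
cp "$WORK/crl-bundle.pem" "$WORK/crl-bundle.stale.pem"
revoke ca1 alice; gencrl ca1
build_bundle "$WORK/ca-bundle.crt" "$WORK/crl-bundle.pem" ca1 ca2

for c in ca1/alice ca1/bob ca2/carol; do
  printf '%-10s old-capath=%-8s stale-bundle=%-8s fresh-bundle=%s\n' "$c" \
    "$(check_capath "$WORK/capath" "$WORK/$c.crt")" \
    "$(check_bundle "$WORK/ca-bundle.crt" "$WORK/crl-bundle.stale.pem" "$WORK/$c.crt")" \
    "$(check_bundle "$WORK/ca-bundle.crt" "$WORK/crl-bundle.pem" "$WORK/$c.crt")"
done
```

The last loop is the point: bob is rejected everywhere, carol (other CA, both CRLs present in both layouts) is accepted everywhere, and alice is still accepted by the capath and by the stale bundle but rejected once the regenerated CRL is actually read. The -crl_check flag makes a missing CRL a hard failure (no-crl); a verifier that does not require a CRL would just accept the cert, which is the situation the reporter describes after moving the *.r* files out of capath.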
comment:5 Changed 7 weeks ago by
How to proceed here? Is the patch by WGH good enough? If not, what is missing?
Have you seen ticket:623#comment:7?