Opened 5 years ago

Last modified 10 months ago

#1257 assigned Bug / Defect

capath does not refresh CRL and also disable crl-verify

Reported by: luizluca Owned by:
Priority: major Milestone:
Component: Crypto Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: capath crl
Cc:

Description

Hello,

I'm using capath in order to validate certificates issued by multiple CAs.

Without crl-verify, it does check CRLs correctly (files *.r* inside capath). However, it does not refresh them when they are updated, or even after they expire. I need to restart openvpn (which is not ideal) whenever I update any CRL.

I tried to use crl-verify again with:

crl-verify /same/path/of/capath/ dir

But it does not change the behavior. I also tried a different path, moving all *.r* files into the new directory.

crl-verify /different/path/of/capath.crl/ dir

However, openvpn simply ignored it (when capath is in use). I did a strace and it stat()s only /same/path/of/capath/*.r* (only once) and never /different/path/of/capath.crl/*.r*. As now capath had no CRL, it accepted a revoked cert.

Please, add all CRL inside capath to the "files to refresh on client connect" list.

I'm actually using 2.4.5. However, nothing in the changelog has touched that area since then.

Change History (6)

comment:1 Changed 4 years ago by WGH

Have you seen ticket:623#comment:7?

comment:2 Changed 4 years ago by Gert Döring

Owner: Steffan Karger deleted
Status: new → assigned

Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)

comment:3 Changed 4 years ago by Gert Döring

same bug as #1240?

comment:4 in reply to: 2 Changed 4 years ago by WGH

Replying to Gert Döring:

Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)

I think you meant "concatenating CRLs into one file", and "referencing that with --crl-verify".

This is the recent fix you're probably referring to: https://github.com/OpenVPN/openvpn/commit/ed925c0a8d3e6aa8bc26de8c0e7ed79a47e5c7d6

comment:5 Changed 21 months ago by Gert Döring

How to proceed here? Is the patch by WGH good enough? If not what is missing?

comment:6 Changed 10 months ago by ndbviksg

Hey,

we've come across the same issue. We're using --capath with multiple CAs (each with their own CRL). We update the CRL twice a day with a validity of 24 hours and openvpn does not update/reload it.

I believe we could work around it with --crl-verify and multiple CRLs.
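
The workaround discussed in comment 4 (concatenate the per-CA CRLs into one file for --crl-verify) and the refresh schedule described in comment 6 (CRLs with 24 hour validity, regenerated twice a day), as an added example that is not part of this ticket and is not OpenVPN code. It assumes OpenSSL's hashed capath layout, where CRLs are named <hash>.rN (for example 1a2b3c4d.r0) and CA certificates <hash>.N; the sample CRLs it builds are constructed, unsigned CRL-shaped DER for the demo only, and the bundle path is hypothetical. It uses only the standard library, so it reads thisUpdate/nextUpdate with a minimal DER walker rather than `openssl crl -noout -nextupdate`.

```python
"""Build one CRL bundle for OpenVPN's --crl-verify from the hashed CRL files
(<hash>.rN) of a --capath directory, and flag CRLs that are not valid now.
Added example for this ticket, not OpenVPN project code."""
import base64
import datetime
import os
import re
import tempfile

UTC = datetime.timezone.utc
PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)
CAPATH_CRL = re.compile(r"^[0-9a-f]{8}\.r\d+$")  # OpenSSL hashed CRL names, e.g. 1a2b3c4d.r0

def der_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _der_time(buf, pos):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); return (datetime, end)."""
    tag, start, end = der_tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    value = datetime.datetime.strptime(buf[start:end].decode("ascii"), fmt)
    return value.replace(tzinfo=UTC), end

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280, 5.1)."""
    _, pos, _ = der_tlv(der, 0)                # CertificateList SEQUENCE
    _, pos, tbs_end = der_tlv(der, pos)        # tbsCertList SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0x02:                            # version INTEGER is OPTIONAL
        pos = end
    _, _, pos = der_tlv(der, pos)              # signature AlgorithmIdentifier
    _, _, pos = der_tlv(der, pos)              # issuer Name
    this_update, pos = _der_time(der, pos)
    next_update = None
    if pos < tbs_end and der[pos] in (0x17, 0x18):   # nextUpdate is OPTIONAL
        next_update, pos = _der_time(der, pos)
    return this_update, next_update

def pem_from_der(der, label="X509 CRL"):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def build_bundle(capath, now):
    """Concatenate every PEM CRL in capath; also list the CRLs not valid at `now`.
    Stale CRLs stay in the bundle and are reported: OpenSSL's CRL check rejects
    certificates whose issuer CRL is expired or missing either way, so alert."""
    blocks, stale = [], []
    for name in sorted(os.listdir(capath)):
        if not CAPATH_CRL.match(name):         # skip CA certs (<hash>.N) and other files
            continue
        with open(os.path.join(capath, name)) as fh:
            for match in PEM_CRL.finditer(fh.read()):
                der = base64.b64decode("".join(match.group(1).split()))
                this_update, next_update = crl_validity(der)
                if this_update > now or (next_update is not None and next_update < now):
                    stale.append(name)
                blocks.append(pem_from_der(der))
    return "".join(blocks), stale

def install_bundle(bundle, dest):
    """Write then rename, so a reload never reads a half-written file."""
    tmp = dest + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(bundle)
    os.replace(tmp, dest)

def _tlv(tag, body):
    """Encode one DER TLV; only used to build the constructed sample CRLs (< 256 bytes)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def fake_crl(this_update, next_update):
    """Constructed, unsigned CRL-shaped DER: real field order, dummy issuer, zero signature."""
    utc = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Demo CA"))
    issuer = _tlv(0x30, _tlv(0x31, cn))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))

def demo():
    """Populate a temporary capath with constructed files at a fixed 'now' (2024-01-01 12:00 UTC)."""
    now = datetime.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
    hour = datetime.timedelta(hours=1)
    files = {
        "1a2b3c4d.r0": pem_from_der(fake_crl(now - hour, now + 23 * hour)),      # fresh, 24h validity
        "5e6f7a8b.r0": pem_from_der(fake_crl(now - 30 * hour, now - 6 * hour)),  # nobody refreshed it
        "5e6f7a8b.0": "-----BEGIN CERTIFICATE-----\n(placeholder CA cert)\n-----END CERTIFICATE-----\n",
    }
    with tempfile.TemporaryDirectory() as capath:
        for name, text in files.items():
            with open(os.path.join(capath, name), "w") as fh:
                fh.write(text)
        bundle, stale = build_bundle(capath, now)
        install_bundle(bundle, os.path.join(capath, "crl-bundle.pem"))  # hypothetical destination
    return {"crls": bundle.count("BEGIN X509 CRL"), "stale": stale}

if __name__ == "__main__":
    print(demo())
```

Run it from the same job that regenerates the CRLs (twice a day in the setup from comment 6) and treat a non-empty stale list as an alert. As comments 2 and 4 point out, the bundle only helps if --capath is replaced by --ca with the CA certificates concatenated into one file, since the report shows --crl-verify is ignored while --capath is in use; the single --crl-verify file then gets the "refresh on client connect" treatment the description asks for.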
