Opened 4 months ago

Last modified 4 months ago

#1257 new Bug / Defect

capath does not refresh CRL and also disables crl-verify

Reported by: luizluca
Owned by: Steffan Karger
Priority: major
Milestone:
Component: Crypto
Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: capath crl



I'm using capath in order to validate certificates issued by multiple CAs.

Without crl-verify, it does check CRL correctly (files *.r* inside capath). However, it does not refresh them when they are updated and even after they expire. I need to restart openvpn (which is not ideal) when I update any CRL.

I tried to use crl-verify again with:

crl-verify /same/path/of/capath/ dir

But it does not change the behavior. I also tried a different path, moving all *.r* files into the new directory.

crl-verify /different/path/of/capath.crl/ dir

However, openvpn simply ignored it (when capath is in use). I did a strace and it stat()s only /same/path/of/capath/*.r* (only once) and never /different/path/of/capath.crl/*.r*. As now capath had no CRL, it accepted a revoked cert.

Please add all CRLs inside capath to the "files to refresh on client connect" list.

I'm actually using 2.4.5. However, nothing in the changelog has touched that area since then.
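
The gap the report describes, between a CRL being updated on disk and the daemon being restarted, can be detected from outside the process. The following is an added example, not part of the ticket or of OpenVPN: it lists CRL files in a capath directory whose modification time is later than the daemon's start time. The `<hash>.rN` file naming (as produced by c_rehash) and the caller-supplied start timestamp are assumptions.

```python
import os
import re
import sys
import tempfile

# Assumed c_rehash-style CRL names: 8 hex digits of issuer hash, ".r", sequence number.
CRL_NAME = re.compile(r"^[0-9a-f]{8}\.r\d+$")

def crls_changed_since(capath, started_at):
    """Return names of CRL files in capath modified after started_at (epoch seconds)."""
    changed = []
    for entry in os.scandir(capath):
        if not CRL_NAME.match(entry.name):
            continue  # skip CA certificates (<hash>.N) and unrelated files
        # stat() follows symlinks, so a rewritten or re-pointed target is noticed
        if entry.stat().st_mtime > started_at:
            changed.append(entry.name)
    return sorted(changed)

def demo():
    """Constructed sample: one CRL older than the daemon, one updated afterwards."""
    started_at = 1_700_000_000  # constructed daemon start time
    with tempfile.TemporaryDirectory() as capath:
        for name, mtime in [("1a2b3c4d.r0", started_at - 3600),   # loaded at start
                            ("9f8e7d6c.r0", started_at + 600),    # updated later
                            ("1a2b3c4d.0", started_at + 600)]:    # CA cert, ignored
            path = os.path.join(capath, name)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        return crls_changed_since(capath, started_at)

if __name__ == "__main__":
    # Usage: script.py CAPATH DAEMON_START_EPOCH  (no arguments runs the demo)
    if len(sys.argv) == 3:
        stale = crls_changed_since(sys.argv[1], float(sys.argv[2]))
    else:
        stale = demo()
    for name in stale:
        print(f"CRL updated after daemon start, restart needed: {name}")
    sys.exit(1 if stale else 0)
```

A non-zero exit status means at least one CRL on disk is newer than the running daemon, so it suits a cron job or monitoring probe; it does not detect CRLs that have expired without being replaced.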

Change History (1)

comment:1 Changed 4 months ago by WGH

Have you seen ticket:623#comment:7?
