Opened 7 months ago

Last modified 3 weeks ago

#1257 assigned Bug / Defect

capath does not refresh CRL and also disable crl-verify

Reported by: luizluca Owned by:
Priority: major Milestone:
Component: Crypto Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: capath crl
Cc:

Description

Hello,

I'm using capath in order to validate certificates issued by multiple CAs.

Without crl-verify, it checks CRLs correctly (the *.r* files inside capath). However, it does not refresh them when they are updated, or even after they expire. I need to restart openvpn (which is not ideal) whenever I update any CRL.

I tried to use crl-verify again with:

crl-verify /same/path/of/capath/ dir

But it does not change the behavior. I also tried a different path, moving all *.r* files into the new directory.

crl-verify /different/path/of/capath.crl/ dir

However, openvpn simply ignored it (when capath is in use). I did a strace and it stat()s only /same/path/of/capath/*.r* (only once) and never /different/path/of/capath.crl/*.r*. As capath now had no CRL, it accepted a revoked cert.

Please, add all CRL inside capath to the "files to refresh on client connect" list.

I'm actually using 2.4.5. However, nothing in changelog touched that area since then.

Change History (4)

comment:1 Changed 6 months ago by WGH

Have you seen ticket:623#comment:7?

comment:2 Changed 3 weeks ago by Gert Döring

Owner: Steffan Karger deleted
Status: new → assigned

Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)

comment:3 Changed 3 weeks ago by Gert Döring

same bug as #1240?

comment:4 in reply to:  2 Changed 3 weeks ago by WGH

Replying to Gert Döring:

Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)

I think you meant "concatenating CRLs into one file", and "referencing that with --crl-verify".

This is the recent fix you're probably referring to: https://github.com/OpenVPN/openvpn/commit/ed925c0a8d3e6aa8bc26de8c0e7ed79a47e5c7d6
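The two layouts discussed in this ticket, as an added example that is not part of the ticket or of the OpenVPN project's code. The script below uses plain openssl to build (A) a hashed capath-style directory holding two CAs and their CRLs (the <hash>.0 / <hash>.r0 files the reporter refers to as *.r*), and (B) the concatenated CA bundle plus concatenated CRL file suggested in comment 4 for --ca <file> / --crl-verify <file>. It then checks a revoked client and a valid client against both layouts with openssl verify. The CA names (ca1, ca2), client names and file names are illustrative assumptions; `openssl ca` is driven by a minimal throwaway config so no system openssl.cnf is needed.

```shell
#!/bin/sh
# Added example, not code from the ticket or from the OpenVPN project.
# Builds the two CRL layouts discussed in the thread with plain openssl:
#   A) a hashed directory (what --capath reads: <hash>.0 CA certs and
#      <hash>.r0 CRLs), and
#   B) one concatenated CA bundle plus one concatenated CRL file
#      (the --ca <file> / --crl-verify <file> layout from comment 4),
# then checks a revoked and a valid client against both with openssl verify.
# CA names, client names and file names are illustrative assumptions.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config for `openssl ca -revoke` and `-gencrl`; no signing fields.
ca_conf() {                       # $1 = CA name
    cat > "$1.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./$1.index
crlnumber = ./$1.crlnumber
default_md = sha256
default_crl_days = 30
EOF
    : > "$1.index"
    echo 01 > "$1.crlnumber"
}

# Self-signed CA plus one client certificate issued by it.
make_ca_and_client() {            # $1 = CA name, $2 = client name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -sha256 -out "$2.crt" 2>/dev/null
    ca_conf "$1"
}

# Revoke a certificate in the CA's database; issue the CA's (possibly empty) CRL.
revoke() {                        # $1 = CA name, $2 = certificate to revoke
    openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.crt" \
        -revoke "$2" 2>/dev/null
}
gencrl() {                        # $1 = CA name; writes $1.crl
    openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.crt" \
        -gencrl -out "$1.crl" 2>/dev/null
}

# Copy a CA cert or CRL into a capath-style directory under its subject hash,
# as `openssl rehash` / c_rehash would: <hash>.<n> for certs, <hash>.r<n> for
# CRLs, with <n> bumped on a hash collision.
install_hashed() {                # $1 = dir, $2 = crt|crl, $3 = PEM file
    if [ "$2" = crl ]; then
        hash=$(openssl crl -hash -noout -in "$3"); suffix=r
    else
        hash=$(openssl x509 -hash -noout -in "$3"); suffix=
    fi
    n=0
    while [ -e "$1/$hash.$suffix$n" ]; do n=$((n + 1)); done
    cp "$3" "$1/$hash.$suffix$n"
}

# Map `openssl verify` output to a short verdict (wording is stable across versions).
classify() {
    case "$1" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}
check_capath() {                  # $1 = leaf cert; layout A (hashed dir)
    classify "$(openssl verify -crl_check -CApath capath "$1" 2>&1 || true)"
}
check_bundle() {                  # $1 = leaf cert; layout B (single files)
    classify "$(openssl verify -crl_check -CAfile ca-bundle.crt \
                   -CRLfile crl-bundle.pem "$1" 2>&1 || true)"
}

setup_demo() {
    make_ca_and_client ca1 client1
    make_ca_and_client ca2 client2
    revoke ca1 client1.crt        # client1 is revoked, client2 stays valid
    gencrl ca1
    gencrl ca2                    # empty CRL; -crl_check still wants one per issuer

    mkdir capath                  # layout A
    for f in ca1.crt ca2.crt; do install_hashed capath crt "$f"; done
    for f in ca1.crl ca2.crl; do install_hashed capath crl "$f"; done

    cat ca1.crt ca2.crt > ca-bundle.crt    # layout B
    cat ca1.crl ca2.crl > crl-bundle.pem
}

setup_demo
for c in client1.crt client2.crt; do
    printf '%-12s capath=%-8s bundle=%s\n' "$c" "$(check_capath "$c")" "$(check_bundle "$c")"
done
ls capath
```

Both layouts reject client1 and accept client2 when openssl reads them fresh; the difference the ticket is about is only how often OpenVPN re-reads them. Two caveats for anyone reproducing the workaround: the CRL bundle must contain a CRL for every issuing CA (an empty one for CAs with no revocations), and the `dir` form of --crl-verify is a different mechanism altogether, a directory of files named after revoked serial numbers, so moving hashed *.r* files into it has no effect.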
