capath does not refresh CRL and also disable crl-verify

[luizluca]

Hello,

I'm using capath in order to validate certificates issued by multiple CAs.

Without crl-verify, it does check CRL correctly (files *.r* inside capath). However, it does not refresh them when they are updated and even after they expire. I need to restart openvpn (which is not ideal) when I update any CRL.

I tried to use crl-verify again with:

crl-verify /same/path/of/capath/ dir

But it does not change the behavior. I also tried a different path, moving all *.r* files into the new directory.

crl-verify /different/path/of/capath.crl/ dir

However, openvpn simply ignored it (when capath is in use). I did a strace and it stat()s only /same/path/of/capath/*.r* (only once) and never /different/path/of/capath.crl/*.r*. As now capath had no CRL, it accepted a revoked cert.

Please, add all CRL inside capath to the "files to refresh on client connect" list.

I'm actually using 2.4.5. However, nothing in changelog touched that area since then.

[WGH]

Have you seen ticket:623#comment:7?

[Gert Döring]

Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)

[Gert Döring]

same bug as #1240?

[WGH]

Replying to Gert Döring:

Does it work if you concatenate all the CA certificates into one file, and reference that with --ca? (This is a fairly recent fix to the OpenVPN SSL backend, included in 2.4.9, so you can do without --capath)

I think you meant "contatenating CRLs into one file", and "referencing that with --crl-verify".

This is the recent fix you're probably referring to: ​https://github.com/OpenVPN/openvpn/commit/ed925c0a8d3e6aa8bc26de8c0e7ed79a47e5c7d6

[Gert Döring]

How to proceed here? Is the patch by WGH good enough? If not what is missing?