Opened 4 months ago
Last modified 4 months ago
#1257 new Bug / Defect
capath does not refresh CRL and also disable crl-verify
| Reported by: | luizluca | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Crypto | Version: | OpenVPN 2.4.6 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | capath crl |
| Cc: |
Description
Hello,
I'm using capath in order to validate certificates issued by multiple CAs.
Without crl-verify, it does check CRL correctly (files *.r* inside capath). However, it does not refresh them when they are updated and even after they expire. I need to restart openvpn (which is not ideal) when I update any CRL.
I tried to use crl-verify again with:
crl-verify /same/path/of/capath/ dir
But it does not change the behavior. I also tried a different path, moving all *.r* files into the new directory.
crl-verify /different/path/of/capath.crl/ dir
However, openvpn simply ignored it (when capath is in use). I did a strace and it stat()s only /same/path/of/capath/*.r* (only once) and never /different/path/of/capath.crl/*.r*. As now capath had no CRL, it accepted a revoked cert.
Please, add all CRL inside capath to the "files to refresh on client connect" list.
I'm actually using 2.4.5. However, nothing in changelog touched that area since then.
Have you seen ticket:623#comment:7?