Opened 9 years ago

Closed 18 months ago

Last modified 18 months ago

#330 closed Bug / Defect (fixed)

crl-verify and client-config-dir paths are incorrectly checked in 2.3.*

Reported by: io7m Owned by: JoshC
Priority: major Milestone: release 2.3.3
Component: Configuration Version: OpenVPN 2.3.1 (Community Ed)
Severity: Patch Queue: In progress Keywords:


The following config file works correctly with 2.2.1:

chroot /vpn/chroot
ca /vpn/ca.crt
cert /vpn/
client-config-dir /client-configs
crl-verify /crl.pem
dh /vpn/dh2048.pem
key /vpn/
tls-auth /vpn/tls-auth.key 0

That is, there's a /vpn/chroot directory and inside that, a crl.pem file and
a client-configs directory. 2.2.1 would accept the config and work correctly,
loading client configs and revocations from inside the chroot. 2.3, however,

Options error: --crl-verify fails with '/crl.pem': No such file or directory
Options error: --client-config-dir fails with '/client-configs': No such file or directory
Options error: Please correct these errors.

Specifying an absolute path for either of those simply fails when clients
connect instead.

Change History (9)

comment:1 Changed 9 years ago by JoshC

Owner: set to JoshC
Status: newassigned

I've confirmed and been able to reproduce this issue and a fix is in the works.

In the meantime, a workaround exists if downgrading to <2.3 is undesirable; use --cd and point to the --chroot dir, then use relative file paths to specify the files with their path inside the chroot. A proper fix will be made available shortly.

The issue in the code is that additional access checks were added, but they don't account for file paths that differ once the chroot operation is performed.

Last edited 9 years ago by JoshC (previous) (diff)

comment:2 Changed 9 years ago by JoshC

Severity: Not set (if unsure, select this one)Patch Queue: In progress

An initial patch I wrote that resolves this issue is being processed through our patch review system (see: for details.)

Once a merge to source control takes place I'll update this ticket.

comment:3 Changed 9 years ago by Samuli Seppänen

At the moment JoshC's patch is awaiting some modifications, but we should eventually get there. For details look into this email thread.

comment:4 Changed 9 years ago by Gert Döring

commit b77bffe8186647c6fd1f2f76aac41fd45719edb8 (master)
commit c79fa3b0bb63bf7833f5a1c163bd30433c213b6a (release/2.3)

(Not actually JoshC's patch, but Dazo's, after long discussions in #openvpn-devel)

Please verify that it works for you, and we can close this :-)

comment:5 Changed 9 years ago by Gert Döring

Milestone: release 2.3.3

setting the milestone so it's clear where this fix went in, but since it already *is* in, I'm just waiting for a "yes, it works for me" confirmation from io7m.

If I don't hear by Jan 15, I'll close the ticket and assume everything is good.

comment:6 Changed 9 years ago by Gert Döring

Resolution: fixed
Status: assignedclosed

As announced :-) - reopen if needed.

comment:7 Changed 18 months ago by tct

Resolution: fixed
Status: closedreopened


Added here because of this comment:
Although, #299 seems to be more appropriate now.

If --client-config-dir is also defined then that is effected in the same way.


dev tun
topology subnet
keepalive 10 120
verb 4

chroot /tmp/easytls

dh none






Options error: Temporary directory (--tmp-dir) fails with 
'/tmp/easytls//tmp': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.


OpenVPN 2.6_git [git:master/2b9bbaadf44d4978] x86_64-pc-linux-gnu 
[SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on 
Aug 12 2021
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2021 OpenVPN Inc <>
Compile time defines: enable_async_push=no enable_comp_stub=no 
enable_crypto_ofb_cfb=yes enable_debug=yes enable_dlopen=unknown 
enable_dlopen_self=unknown enable_dlopen_self_static=unknown 
enable_fast_install=needless enable_fragment=yes 
enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes 
enable_lzo=yes enable_management=yes enable_pam_dlopen=no 
enable_pedantic=no enable_pf=yes enable_pkcs11=no 
enable_plugin_auth_pam=yes enable_plugin_down_root=yes 
enable_plugins=yes enable_port_share=yes enable_selinux=no 
enable_shared=yes enable_shared_with_static_runtimes=no 
enable_small=no enable_static=yes enable_strict=no 
enable_strict_options=no enable_systemd=yes enable_werror=no 
enable_win32_dll=yes enable_wolfssl_options_h=yes 
enable_x509_alt_username=no with_aix_soname=aix 
with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no 
Last edited 18 months ago by tct (previous) (diff)

comment:8 Changed 18 months ago by Gert Döring

Resolution: fixed
Status: reopenedclosed

--tmp-dir defaults to /tmp if not specified. In combination with chroot, this requires $chrootdir/tmp to exists.

No bug here. Either create a /tmp in /tmp/easytls/ or specify a different --tmp-dir with a directory that exists in chroot.

comment:9 in reply to:  8 Changed 18 months ago by tct

Replying to Gert Döring:

No bug here.

Indeed, my mistake.

And a word to the wise: Openvpn --up script cannot be used to create a chroot from scratch.

Note: See TracTickets for help on using tickets.