Opened 5 years ago

Closed 4 years ago

#330 closed Bug / Defect (fixed)

crl-verify and client-config-dir paths are incorrectly checked in 2.3.*

Reported by: io7m
Owned by: JoshC
Priority: major
Milestone: release 2.3.3
Component: Configuration
Version: OpenVPN 2.3.1 (Community Ed)
Severity: Patch Queue: In progress
Keywords:


The following config file works correctly with 2.2.1:

chroot /vpn/chroot
ca /vpn/ca.crt
cert /vpn/
client-config-dir /client-configs
crl-verify /crl.pem
dh /vpn/dh2048.pem
key /vpn/
tls-auth /vpn/tls-auth.key 0

That is, there's a /vpn/chroot directory and inside that, a crl.pem file and
a client-configs directory. 2.2.1 would accept the config and work correctly,
loading client configs and revocations from inside the chroot. 2.3, however,

Options error: --crl-verify fails with '/crl.pem': No such file or directory
Options error: --client-config-dir fails with '/client-configs': No such file or directory
Options error: Please correct these errors.

Specifying an absolute path for either of those simply fails when clients
connect instead.

Change History (6)

comment:1 Changed 5 years ago by JoshC

Owner: set to JoshC
Status: new → assigned

I've confirmed and been able to reproduce this issue and a fix is in the works.

In the meantime, a workaround exists if downgrading to <2.3 is undesirable; use --cd and point to the --chroot dir, then use relative file paths to specify the files with their path inside the chroot. A proper fix will be made available shortly.

The issue in the code is that additional access checks were added, but they don't account for file paths that differ once the chroot operation is performed.

Last edited 5 years ago by JoshC
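The chroot-aware check JoshC describes, as an added example that is not OpenVPN's own code: given the configured --chroot and --cd, it works out where on the host filesystem each option's file must be tested before the jail is entered. The split between options read at startup (ca, cert, key, dh, tls-auth) and options opened at connection time (crl-verify, client-config-dir), and the assumption that the daemon ends up at "/" of the jail after --cd and --chroot, are taken from the report and this comment, not from the OpenVPN sources.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Options whose files are opened only after --chroot has taken effect.
 * Assumption drawn from the ticket: ca/cert/key/dh/tls-auth are read
 * at startup, crl-verify and client-config-dir at connection time. */
static int opened_after_chroot(const char *opt)
{
    return strcmp(opt, "crl-verify") == 0 ||
           strcmp(opt, "client-config-dir") == 0;
}

/* Write into out the host-side path an access check should test.
 * chroot_dir and cd are NULL when not configured. Assumes --cd is applied
 * before --chroot and that the daemon sits at "/" of the jail afterwards.
 * Returns 0 on success, -1 if the result does not fit in out. */
int host_path_for_check(const char *opt, const char *path,
                        const char *chroot_dir, const char *cd,
                        char *out, size_t outlen)
{
    int n;
    if (chroot_dir && opened_after_chroot(opt)) {
        /* Seen from inside the jail, "/x" and "x" both mean chroot_dir/x. */
        n = snprintf(out, outlen, "%s/%s", chroot_dir,
                     path + (path[0] == '/' ? 1 : 0));
    } else if (path[0] != '/' && cd) {
        /* Pre-chroot relative path: resolved against the --cd directory. */
        n = snprintf(out, outlen, "%s/%s", cd, path);
    } else {
        n = snprintf(out, outlen, "%s", path);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if the option's file is readable from the daemon's eventual view. */
int check_file_access(const char *opt, const char *path,
                      const char *chroot_dir, const char *cd)
{
    char buf[4096];
    if (host_path_for_check(opt, path, chroot_dir, cd, buf, sizeof buf) != 0)
        return 0;
    return access(buf, R_OK) == 0;
}

/* Self-check helper: does (opt, path) resolve to exactly expected? */
int resolves_to(const char *opt, const char *path, const char *chroot_dir,
                const char *cd, const char *expected)
{
    char buf[256];
    return host_path_for_check(opt, path, chroot_dir, cd, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}
```

With the reporter's configuration, crl-verify /crl.pem resolves to /vpn/chroot/crl.pem on the host, which is the file 2.3 should have tested instead of /crl.pem.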

comment:2 Changed 5 years ago by JoshC

Severity: Not set (if unsure, select this one) → Patch Queue: In progress

An initial patch I wrote that resolves this issue is being processed through our patch review system (see: for details.)

Once a merge to source control takes place I'll update this ticket.

comment:3 Changed 4 years ago by Samuli Seppänen

At the moment JoshC's patch is awaiting some modifications, but we should eventually get there. For details look into this email thread.

comment:4 Changed 4 years ago by Gert Döring

commit b77bffe8186647c6fd1f2f76aac41fd45719edb8 (master)
commit c79fa3b0bb63bf7833f5a1c163bd30433c213b6a (release/2.3)

(Not actually JoshC's patch, but Dazo's, after long discussions in #openvpn-devel)

Please verify that it works for you, and we can close this :-)

comment:5 Changed 4 years ago by Gert Döring

Milestone: release 2.3.3

setting the milestone so it's clear where this fix went in, but since it already *is* in, I'm just waiting for a "yes, it works for me" confirmation from io7m.

If I don't hear by Jan 15, I'll close the ticket and assume everything is good.

comment:6 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: assigned → closed

As announced :-) - reopen if needed.
