Opened 9 years ago

Closed 6 years ago

#421 closed Feature Wish (wontfix)

Inline CRL

Reported by: lucha Owned by:
Priority: trivial Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: inline, crl


Currently it is possible to include inline files for the configuration options --ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret and --tls-auth. It seems to me that crl-verify is missing, and that it would be nice to be able to put that file inline as well.

The certificate revocation list, while mainly used on the server side, is sometimes needed also on the client side. In that case, the possibility of inlining it makes it possible to have a single file containing all the needed configuration and data, which makes it easier to distribute to the final user. (I guess this was the original motivation for allowing inlining of the other files.)
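For readers unfamiliar with the inline syntax the ticket refers to, here is an added example client profile (not taken from the ticket or from the OpenVPN project) that inlines the CA certificate, client certificate and key while keeping the CRL as a separate file referenced by crl-verify. The server name, file name and PEM bodies are placeholders.

```conf
# Added example, not from the ticket: OpenVPN client profile using the
# inline-file syntax for --ca, --cert and --key, with the CRL left as a
# separate file so it can be replaced without touching the profile.
client
dev tun
proto udp
remote vpn.example.com 1194   # placeholder server address
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3

# Inline files: the option name becomes an XML-style tag pair whose body
# holds the PEM data that would otherwise be read from the named file.
<ca>
-----BEGIN CERTIFICATE-----
... placeholder: CA certificate PEM body ...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... placeholder: client certificate PEM body ...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... placeholder: client private key PEM body ...
-----END PRIVATE KEY-----
</key>

# The CRL stays a file reference. A CRL carries a nextUpdate time and has
# to be refreshed whenever a certificate is revoked, so only this file
# needs to be redistributed; the profile above stays unchanged.
crl-verify crl.pem
```

With this layout a revocation is rolled out by replacing crl.pem alone, which is the maintainability argument made in the comments below; the relative path is resolved from OpenVPN's working directory, so either keep crl.pem next to the profile or give an absolute path.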

Change History (5)

comment:1 Changed 8 years ago by Samuli Seppänen

I guess inlining has not been implemented because it's heavily geared towards server usage. I think having the list in a separate file or a directory makes it more maintainable in the long run. However, I guess that having the option to inline it would not hurt and would make things more consistent.

comment:2 Changed 8 years ago by Samuli Seppänen

Priority: major → minor

comment:3 Changed 8 years ago by Samuli Seppänen

Priority: minor → trivial

Discussed this issue in the Munich 2014 hackathon. Agreed that inlining CRLs is not particularly useful, because:

  • CRLs tend to get updated
  • It's easier to upgrade a CRL file than an entire config file

comment:4 Changed 8 years ago by Samuli Seppänen

Cron2: can we close this? If not, I'll add a "volunteer" tag to this ticket.

comment:5 Changed 6 years ago by David Sommerseth

Resolution: wontfix
Status: new → closed

This feature does not seem to be practical without a way to distribute the CRLs.

CRLs usually have an expiry date. You can circumvent that by having an expiry date set far into the future, but that will not resolve anything related to certificates revoked since the last local update of the CRL. CRLs must be updated regularly to have an effect. And inlining CRLs means updating configuration files, which scales poorly when you have more than a handful of users.

So closing this request.
