#550 closed Bug / Defect (notabug)
crl-verify not recognized in server config, but accepted as command line.
Reported by: | timr | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Certificates | Version: | OpenVPN 2.3.6 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | crl-verify |
Cc: |
Description
The "crl-verify" option works as a command line option, but not in a server config file. But in a client config file, it does...
My server.conf:
port 1194
proto udp
dev tun
ca root-ca.crt
extra-certs sub-ca.crt
cert server.crt
key server.key
crl-verfiy root-ca.crl
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9
Starting this leads to this:
[root@server openvpn]$ openvpn server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:82: crl-verfiy (2.3.6)
Use --help for more information.
BUT, if I comment out the two lines with "crl-verify" in the config file and add them manually as command line options, it works:
# openvpn --crl-verify root-ca.crl --config server.conf
Wed May 6 15:12:58 2015 us=942358 Current Parameter Settings:
Wed May 6 15:12:58 2015 us=942611 config = 'server.conf'
Wed May 6 15:12:58 2015 us=942644 mode = 1
<-snip->
Wed May 6 15:12:58 2015 us=947703 crl_file = 'root-ca.crl'
It fully works when I configure openvpn as a client, both as a command line option and in the config file.
My client.conf:
client
dev tun
proto udp
remote 10.0.0.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca root-ca.crt
extra-certs sub-ca.crt
cert client.crt
key client.key
crl-verify root-ca.crl
remote-cert-tls server
comp-lzo
verb 9
# openvpn client.conf
Wed May 6 15:19:23 2015 us=571578 Current Parameter Settings:
Wed May 6 15:19:23 2015 us=571650 config = 'client.conf'
Wed May 6 15:19:23 2015 us=571662 mode = 0
<-snip->
Wed May 6 15:19:23 2015 us=572964 crl_file = 'root-ca.crl'
crl-verify root-ca.crl is commented out in client.conf now and given via command line:
# openvpn --crl-verify root-ca.crl --config client.conf
Wed May 6 15:24:37 2015 us=513032 Current Parameter Settings:
Wed May 6 15:24:37 2015 us=513225 config = 'client.conf'
Wed May 6 15:24:37 2015 us=513256 mode = 0
<-snip->
Wed May 6 15:24:37 2015 us=517558 crl_file = 'root-ca.crl'
So only the parsing of the crl-verify parameter in a SERVER config seems to be defective.
I cannot use certificate revocation lists on server side.
Please find the full debug output as attachments.
My environment:
CentOS release 6.6 (Final)
OpenSSL 1.0.1e-fips 11 Feb 2013
openvpn package from epel:
# rpm -qi openvpn
Name : openvpn Relocations: (not relocatable)
Version : 2.3.6 Vendor: Fedora Project
Release : 1.el6 Build Date: Tue 02 Dec 2014 08:46:18 PM UTC
Install Date: Tue 05 May 2015 02:00:45 PM UTC Build Host: buildvm-15.phx2.fedoraproject.org
Group : Applications/Internet Source RPM: openvpn-2.3.6-1.el6.src.rpm
Size : 943461 License: GPLv2
Signature : RSA/8, Wed 03 Dec 2014 04:37:59 AM UTC, Key ID 3b49df2a0608b895
Packager : Fedora Project
URL : http://openvpn.net/
Summary : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumer's LZO library
for compression.
Attachments (4)
Change History (6)
Changed 9 years ago by
Attachment: client-debug.out.gz added
Changed 9 years ago by
Attachment: server-debug.out.gz added
Changed 9 years ago by
Attachment: client-debug.zip added
Changed 9 years ago by
Attachment: server-debug.zip added
comment:1 Changed 9 years ago by
Resolution: → notabug
Status: new → closed
Well, if your config and error messages above are copy-and-pasted, and not transcribed, it's fairly easy - spell "verfy" with an "i" in the server config (crl-verify instead of crl-verfy) and it will work.
Reopen if it still doesn't work with the correct spelling :-)
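The whole ticket comes down to a transposed letter in one option name, and the quickest way to get the daemon starting (commenting the line out) would leave the server accepting revoked client certificates with no error at all. The lint below is an added example, not code from the ticket or from the OpenVPN project. It reproduces the check OpenVPN performs (an unknown option is rejected, with the physical line number, comments included, as in the server.conf:82 message) and adds a closest-match hint, then warns when a server-mode config (server, tls-server or mode server) contains no crl-verify. KNOWN_OPTIONS is a hand-picked subset of OpenVPN 2.3 option names chosen for this example, and the sample config is the one from the report, trimmed.

```python
import difflib

# Hand-picked subset of OpenVPN 2.3 option names (assumption for this example;
# a real lint would derive the full list from the openvpn binary or man page).
KNOWN_OPTIONS = {
    "port", "proto", "dev", "ca", "extra-certs", "cert", "key", "crl-verify",
    "dh", "server", "ifconfig-pool-persist", "keepalive", "comp-lzo",
    "persist-key", "persist-tun", "status", "verb", "client", "remote",
    "resolv-retry", "nobind", "remote-cert-tls", "tls-auth", "cipher",
    "user", "group", "log", "local", "push", "client-config-dir",
    "mode", "tls-server", "tls-client",
}

# Options that put OpenVPN into server mode ("mode = 1" in the ticket's output).
SERVER_OPTIONS = {"server", "tls-server"}

# Server config from the ticket, trimmed, with the original misspelling kept.
SERVER_CONF_FROM_TICKET = """\
port 1194
proto udp
dev tun
ca root-ca.crt
extra-certs sub-ca.crt
cert server.crt
key server.key
crl-verfiy root-ca.crl
dh dh2048.pem
server 10.8.0.0 255.255.255.0
"""

# The same file with the option name spelled correctly.
SERVER_CONF_FIXED = SERVER_CONF_FROM_TICKET.replace("crl-verfiy", "crl-verify")


def parse_config(text):
    """Split an OpenVPN config into (lineno, option, args) tuples.

    Blank lines and '#'/';' comments are skipped but still counted, so lineno
    matches the file:NN position OpenVPN prints. A leading '--' is accepted
    because OpenVPN allows it inside config files too.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((lineno, parts[0].lstrip("-"), parts[1:]))
    return entries


def lint(text):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    options = {}
    for lineno, opt, args in parse_config(text):
        options[opt] = args
        if opt in KNOWN_OPTIONS:
            continue
        # Same condition openvpn rejects with "Unrecognized option"; the
        # closest-match hint makes a transposed letter obvious.
        near = difflib.get_close_matches(opt, KNOWN_OPTIONS, n=1, cutoff=0.75)
        hint = (" (did you mean '%s'?)" % near[0]) if near else ""
        findings.append("line %d: unrecognized option '%s'%s" % (lineno, opt, hint))

    is_server = bool(SERVER_OPTIONS & options.keys()) or options.get("mode") == ["server"]
    if is_server and "crl-verify" not in options:
        # This is the finding that matters once the startup error is "fixed"
        # by deleting the line: the server then never consults the CRL.
        findings.append("server config has no crl-verify: revoked client "
                        "certificates will still be accepted")
    return findings


if __name__ == "__main__":
    for name, conf in (("as reported", SERVER_CONF_FROM_TICKET),
                       ("spelling fixed", SERVER_CONF_FIXED)):
        print(name + ":", lint(conf) or ["ok"])
```

Run against the reported file the lint reports both the misspelled option on line 8 and the missing crl-verify; with the spelling corrected it reports nothing. A client config is not held to the crl-verify requirement here, since the ticket's client file already has it and OpenVPN parses it correctly there.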