Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#550 closed Bug / Defect (notabug)

crl-verify not recognized in server config, but accepted as command line.

Reported by: timr Owned by:
Priority: major Milestone:
Component: Certificates Version: OpenVPN 2.3.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: crl-verify
Cc:

Description

The "crl-verify" option works as a command line option, but not in a server config file. But in a client config file, it does...

My server.conf:

port 1194
proto udp
dev tun

ca root-ca.crt
extra-certs sub-ca.crt
cert server.crt
key server.key
crl-verfiy root-ca.crl

dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9

Starting this leads to this:

[root@server openvpn]$ openvpn server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:82: crl-verfiy (2.3.6)
Use --help for more information.

BUT, if I comment out the two lines with "crl-verify" in the config file and add them manually as command line options, it works:

# openvpn --crl-verify root-ca.crl --config server.conf

Wed May 6 15:12:58 2015 us=942358 Current Parameter Settings:
Wed May 6 15:12:58 2015 us=942611 config = 'server.conf'
Wed May 6 15:12:58 2015 us=942644 mode = 1
<-snip->
Wed May 6 15:12:58 2015 us=947703 crl_file = 'root-ca.crl'

It fully works, when I configure openvpn as a client! Both as command line option and in the config file.

My client.conf:

client
dev tun
proto udp
remote 10.0.0.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca root-ca.crt
extra-certs sub-ca.crt
cert client.crt
key client.key
crl-verify root-ca.crl
remote-cert-tls server

comp-lzo
verb 9

# openvpn client.conf
Wed May 6 15:19:23 2015 us=571578 Current Parameter Settings:
Wed May 6 15:19:23 2015 us=571650 config = 'client.conf'
Wed May 6 15:19:23 2015 us=571662 mode = 0
<-snip->
Wed May 6 15:19:23 2015 us=572964 crl_file = 'root-ca.crl'

crl-verify root-ca.crl is commented out in client.conf now and given via command line:

# openvpn --crl-verify root-ca.crl --config client.conf
Wed May 6 15:24:37 2015 us=513032 Current Parameter Settings:
Wed May 6 15:24:37 2015 us=513225 config = 'client.conf'
Wed May 6 15:24:37 2015 us=513256 mode = 0
<-snip->
Wed May 6 15:24:37 2015 us=517558 crl_file = 'root-ca.crl'

So only the parsing of the crl-verify parameter in a SERVER config seems to be defective.
I cannot use certificate revocation lists on server side.

Please find the full debug output as attachments.
My environment:

CentOS release 6.6 (Final)
OpenSSL 1.0.1e-fips 11 Feb 2013

openvpn package from epel:
# rpm -qi openvpn
Name : openvpn Relocations: (not relocatable)
Version : 2.3.6 Vendor: Fedora Project
Release : 1.el6 Build Date: Tue 02 Dec 2014 08:46:18 PM UTC
Install Date: Tue 05 May 2015 02:00:45 PM UTC Build Host: buildvm-15.phx2.fedoraproject.org
Group : Applications/Internet Source RPM: openvpn-2.3.6-1.el6.src.rpm
Size : 943461 License: GPLv2
Signature : RSA/8, Wed 03 Dec 2014 04:37:59 AM UTC, Key ID 3b49df2a0608b895
Packager : Fedora Project
URL : http://openvpn.net/
Summary : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumer's LZO library
for compression.

Attachments (4)

client-debug.out.gz (35.9 KB) - added by timr 5 years ago.
server-debug.out.gz (41.4 KB) - added by timr 5 years ago.
client-debug.zip (33.0 KB) - added by timr 5 years ago.
server-debug.zip (38.2 KB) - added by timr 5 years ago.


Change History (6)

Changed 5 years ago by timr

Attachment: client-debug.out.gz added

Changed 5 years ago by timr

Attachment: server-debug.out.gz added

Changed 5 years ago by timr

Attachment: client-debug.zip added

Changed 5 years ago by timr

Attachment: server-debug.zip added

comment:1 Changed 5 years ago by Gert Döring

Resolution: notabug
Status: new → closed

Well, if your config and error messages above are copy-and-pasted, and not transcribed, it's fairly easy - spell "verfy" with an "i" in the server config (crl-verify instead of crl-verfy) and it will work.

Reopen if it still doesn't work with the correct spelling :-)

comment:2 Changed 5 years ago by timr

o..m..g!
Sorry and thank you :-)
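The ticket turns on a single transposed letter ("crl-verfiy") that OpenVPN rejects outright, which is the safe outcome: an unknown option stops the daemon instead of silently running without revocation checking. The quieter failure is a server config where crl-verify is simply omitted, because OpenVPN accepts that without complaint and revoked client certificates keep working. The script below is an added example, not code from the ticket or from the OpenVPN project: it parses an OpenVPN-style config, flags unrecognized option names with a closest-match suggestion, and warns when a server-mode config has no crl-verify. KNOWN_OPTIONS is an assumed, deliberately partial subset of OpenVPN 2.3 option names, and the embedded SERVER_CONF and CLIENT_CONF are reconstructed from the two configs posted in the ticket.

```python
"""Lint an OpenVPN config for misspelled options and a missing server-side CRL.

Added example (not OpenVPN's own tooling). KNOWN_OPTIONS is an assumed subset
of OpenVPN 2.3 option names, enough for the two configs in the ticket.
"""
import difflib
import re
import shlex

KNOWN_OPTIONS = {
    "port", "proto", "dev", "ca", "cert", "key", "dh", "crl-verify", "extra-certs",
    "server", "mode", "tls-server", "ifconfig-pool-persist", "keepalive", "comp-lzo",
    "persist-key", "persist-tun", "status", "verb", "client", "remote",
    "resolv-retry", "nobind", "remote-cert-tls", "tls-auth", "tls-version-min",
    "cipher", "auth", "push", "user", "group", "log", "management",
}

# Constructed from the server.conf in the ticket, typo included.
SERVER_CONF = """\
port 1194
proto udp
dev tun

ca root-ca.crt
extra-certs sub-ca.crt
cert server.crt
key server.key
crl-verfiy root-ca.crl

dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9
"""

# Constructed from the client.conf in the ticket.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 10.0.0.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca root-ca.crt
extra-certs sub-ca.crt
cert client.crt
key client.key
crl-verify root-ca.crl
remote-cert-tls server

comp-lzo
verb 9
"""


def parse_config(text):
    """Yield (lineno, option, args) per directive.

    Skips blank lines and '#'/';' comments, tolerates an optional '--' prefix
    (OpenVPN accepts it in config files) and steps over inline <ca>...</ca>
    style blocks, reporting the tag name as the option.
    """
    inline = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<([a-z-]+)>$", line)
        if m:
            inline = m.group(1)
            yield lineno, inline, ["<inline>"]
            continue
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        opt = parts[0][2:] if parts[0].startswith("--") else parts[0]
        yield lineno, opt, parts[1:]


def lint(text):
    """Return a list of problems; an empty list means the config is clean."""
    problems = []
    seen = {}
    for lineno, opt, args in parse_config(text):
        seen.setdefault(opt, []).append(args)
        if opt not in KNOWN_OPTIONS:
            msg = "line %d: unrecognized option '%s'" % (lineno, opt)
            hint = difflib.get_close_matches(opt, KNOWN_OPTIONS, n=1, cutoff=0.8)
            if hint:
                msg += " (did you mean '%s'?)" % hint[0]
            problems.append(msg)
    # 'server', 'tls-server' or 'mode server' all mean this side accepts clients.
    is_server = ("server" in seen or "tls-server" in seen
                 or any(a[:1] == ["server"] for a in seen.get("mode", [])))
    if is_server and "crl-verify" not in seen:
        problems.append("server config has no 'crl-verify': "
                        "revoked client certificates will still be accepted")
    return problems


if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.conf", CLIENT_CONF)):
        print(name, lint(conf) or "ok")
```

Run against the ticket's server config it reports both the typo with the suggested spelling and the missing crl-verify; the client config passes. The second check is the one worth keeping in a deployment pipeline, since OpenVPN will never raise it for you.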
