Changes between Initial Version and Version 1 of Ticket #800, comment 5


Timestamp: 12/29/16 15:55:55
Author: Bjoern Voigt
  • Ticket #800, comment 5 (initial version vs. version 1; lines marked "-" were removed, lines marked "+" were added)

    -Unfortunately the stricter CRL checking in version 2.4.0 results in configurations which have worked in version 2.3.x and fail in 2.4.x. I could not find much documentation for tracking down problems with CRLs in 2.4.x. I found this changeset
    +Unfortunately the stricter CRL checking in version 2.4.0 can result in configurations which have worked in version 2.3.x and fail in 2.4.x. I could not find much documentation for tracking down problems with CRLs in 2.4.x. I found this changeset
     
     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
     
    -Debugging shows that CRL checking fails for me, because the only "obj->type" in the list is X509_LU_X509, but not X509_LU_CRL in tls_verify_crl_missing in openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c:
    +Better update instructions, documentation and/or error messages are welcome.
    +
    +I could fix a broken CA/CRL setup, but I needed the source code for this. One example for missing error/debugging messages from openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c:
     
     {{{
    -    for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
    -    {
             X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
             ASSERT(obj);

                 return false;
             }
    -    }
    -    return true;
     }}}
     
    -Better update instructions, documentation and/or error messages are welcome.
    +It would be nice to have an error message here, e.g. "configured CRL file has the invalid type X509_LU_X509 instead of X509_LU_CRL".
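As an added example (not code from the ticket or from OpenVPN), the same type check seen from the operator's side: Python's standard ssl module loads the crl-verify file into an OpenSSL X509_STORE and reports whether any X509_LU_CRL object is present, using the error message proposed in the comment when only certificates (X509_LU_X509) were loaded. The function names are my own.

```python
"""Check that the file handed to OpenVPN's crl-verify option really contains a CRL.

Added example, not OpenVPN code: it mirrors the loop in tls_verify_crl_missing()
(is there at least one X509_LU_CRL object in the store?) using the stdlib ssl module.
"""
import ssl
import sys


def crl_store_stats(path: str) -> dict:
    """Load `path` into a fresh X509_STORE the way OpenSSL does and return
    its object counts as {'x509': n, 'crl': n, 'x509_ca': n}.
    Raises ssl.SSLError if the file holds no PEM certificate or CRL at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.cert_store_stats()


def classify_crl_store(stats: dict) -> tuple:
    """Map the store contents to (status, message): success only if a CRL exists."""
    if stats.get("crl", 0) > 0:
        return ("ok", f"{stats['crl']} CRL object(s) loaded")
    if stats.get("x509", 0) > 0:
        # The failure the ticket describes: the file parsed, but holds only certificates.
        return ("no_crl",
                "configured CRL file has the invalid type X509_LU_X509 "
                "instead of X509_LU_CRL")
    return ("empty", "no certificate or CRL objects found")


def diagnose_crl_file(path: str) -> tuple:
    """Return (status, message) for a crl-verify file; never raises."""
    try:
        stats = crl_store_stats(path)
    except (OSError, ssl.SSLError) as exc:
        return ("unreadable", f"cannot load {path}: {exc}")
    return classify_crl_store(stats)


if __name__ == "__main__":
    status, message = diagnose_crl_file(sys.argv[1])
    print(f"{status}: {message}")
    sys.exit(0 if status == "ok" else 1)
```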