Changes between Initial Version and Version 1 of Ticket #800, comment 5
Timestamp: 12/29/16 15:55:55 (7 years ago)
initial  v1
1           - Unfortunately the stricter CRL checking in version 2.4.0 resultsin configurations, which have worked in version 2.3.x and fail in 2.4.x. I could not find much documentation for tracking down problem with CRLs in 2.4.x. I found this changeset
         1  + Unfortunately the stricter CRL checking in version 2.4.0 can result in configurations, which have worked in version 2.3.x and fail in 2.4.x. I could not find much documentation for tracking down problem with CRLs in 2.4.x. I found this changeset
2        2
3        3    https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
4        4
5           - Debugging shows, that CRL checking fails for me, because the only "obj->type" in the list is X509_LU_X509, but not X509_LU_CRL in tls_verify_crl_missing in openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c:
         5  + Better update instructions, documentation and/or error messages are welcome.
         6  +
         7  + I could fix a broken CA/CRL setup, but I needed the source code for this. One example for missing error/debugging messages from openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c:
6        8
7        9    {{{
8           - for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
9           - {
10       10   X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
11       11   ASSERT(obj);
…        …
14       14   return false;
15       15   }
16          - }
17          - return true;
18       16   }}}
19       17
20          - Better update instructions, documentation and/or error messages are welcome.
         18 + It would be nice to have an error message here, e.g. "configured CRL file has the invalid type X509_LU_X509 instead of X509_LU_CRL".