id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
800,OpenVPN version 2.3.x and older do not check the CRL signature,eriktews,Steffan Karger,"OpenVPN version 2.3.x and older versions do not check the signature of a CRL at all. So when OpenVPN is used in a scenario in which the CRL is regularly updated from an unsecure HTTP server, an attacker might inject his own CRL here. Only the issuer of the CRL needs to match, signatures or expiration dates are not checked. It looks like this has been fixed with the rewrite of the CRL code in version 2.4.x.",Bug / Defect,closed,major,,Certificates,OpenVPN 2.3.9 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,"crl, signature",Steffan Karger