Opened 10 years ago

Closed 6 years ago

#83 closed Bug / Defect (fixed)

openvpn quits on bad crl with crl-verify set

Reported by: rram Owned by: Steffan Karger
Priority: minor Milestone: release 2.3.5
Component: Certificates Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger


If the openvpn server is configured to verify certificates against a CRL list and the crl isn't valid when someone attempts to login, the openssl server will completely exit. This can happen if the CRL file is being updated in place and someone tries to log in at the right time.

The openvpn server shouldn't quit, but just should just refuse the connection which will keep current connections running. This could also be set as a configurable option.

Change History (9)

comment:1 Changed 7 years ago by Samuli Seppänen

Can someone reproduce this on latest release or Git master?

comment:2 Changed 7 years ago by limburgher

comment:3 Changed 7 years ago by deno

i can confirm on 2.3.2 and on 2.09, both tested on Debian Squeeze i486
At least for me it was allways like that, not only when i change the file "during" connect.

i changed the file and restarted openvpn, just to have a reproduceable environment .
/usr/sbin/openvpn --version
OpenVPN 2.3.2 i486-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 3 2013

Tested with latest debian snapshot from

crl file empty:
Aug 20 10:50:24 openvpn[3052]: CRL: cannot read CRL from file /etc/openvpn2/crl.pem
Aug 20 10:50:24 openvpn[3052]: Exiting

with one revoked cert in the crl.pem file:

Aug 20 10:53:43 openvpn[705]: [test1] Peer Connection Initiated

Last edited 7 years ago by deno (previous) (diff)

comment:4 Changed 7 years ago by achapela

Verify you don't have configured chroot in your config server file.

Last edited 7 years ago by achapela (previous) (diff)

comment:5 Changed 7 years ago by Samuli Seppänen

Version: 2.1.0 /

comment:6 Changed 7 years ago by Gert Döring

I agree we should fix this, as rram says - if the CRL is invalid, log that and reject access, but do not stop the server.

Anyone volunteering to do a patch for 2.3.2 or master? syzzer, do you feel like looking into this?

comment:7 Changed 7 years ago by Gert Döring

Cc: Steffan Karger added

comment:8 Changed 6 years ago by Steffan Karger

Component: Generic / unclassifiedCertificates
Owner: set to Steffan Karger
Status: newaccepted

Yes, I agree the server should not quit. Putting this on my list.

comment:9 Changed 6 years ago by Steffan Karger

Milestone: release 2.3.5
Resolution: fixed
Status: acceptedclosed

Fixes have been merged into the release/2.3 and master branches. The next OpenVPN release will include these.

Note: See TracTickets for help on using tickets.