Opened 13 years ago
Closed 10 years ago
#83 closed Bug / Defect (fixed)
openvpn quits on bad crl with crl-verify set
Reported by: | rram | Owned by: | Steffan Karger |
---|---|---|---|
Priority: | minor | Milestone: | release 2.3.5 |
Component: | Certificates | Version: | OpenVPN 2.3.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger | | |
Description
If the openvpn server is configured to verify certificates against a CRL list and the crl isn't valid when someone attempts to login, the openssl server will completely exit. This can happen if the CRL file is being updated in place and someone tries to log in at the right time.
The openvpn server shouldn't quit, but should just refuse the connection, which will keep current connections running. This could also be set as a configurable option.
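The race described here (the CRL being rewritten in place while a client connects) can be avoided on the administrator's side independently of the server fix: write the new CRL to a temporary file in the same directory, sanity-check it, and rename it over crl.pem, so the server only ever opens a complete old or a complete new file. The following is an added example, not code from the ticket or from OpenVPN; the check is structural only (PEM markers plus DER outer length) and does not verify the CRL signature, and the crl.pem path is assumed.

```python
import base64, binascii, os, tempfile

BEGIN, END = b"-----BEGIN X509 CRL-----", b"-----END X509 CRL-----"

def crl_looks_complete(data: bytes) -> bool:
    """True if data is a non-empty PEM CRL whose DER body is not truncated."""
    start, end = data.find(BEGIN), data.find(END)
    if not data or start < 0 or end < start:
        return False
    try:
        der = base64.b64decode(data[start + len(BEGIN):end])
    except binascii.Error:
        return False
    # A CRL is one DER SEQUENCE (tag 0x30); the encoded length must match the
    # bytes present, which is exactly what a half-written file fails.
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        hdr, body = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == hdr + body

def install_crl(new_crl: bytes, dest: str) -> bool:
    """Check new_crl, write it next to dest, rename over dest; False if rejected."""
    if not crl_looks_complete(new_crl):
        return False
    fd, tmp = tempfile.mkstemp(prefix=".crl-", dir=os.path.dirname(os.path.abspath(dest)))
    with os.fdopen(fd, "wb") as f:  # same directory, so the rename below is atomic
        f.write(new_crl)
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)  # OpenVPN sees the old CRL or the new one, never a partial file
    return True

def demo() -> tuple:
    # Constructed input: a toy DER SEQUENCE in PEM markers, not a real signed CRL.
    good = BEGIN + b"\n" + base64.b64encode(b"\x30\x03\x02\x01\x00") + b"\n" + END + b"\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crl.pem")
        first = install_crl(good, path)   # accepted and installed
        second = install_crl(b"", path)   # the empty file from comment:3 is rejected
        with open(path, "rb") as f:
            kept = f.read() == good       # old CRL untouched by the rejected update
    return first, second, kept
```

In production, replace the structural check with `openssl crl -noout -in <tmpfile>` (or a full signature check against the CA) before the rename.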
Change History (9)
comment:1 Changed 11 years ago by
comment:3 Changed 11 years ago by
I can confirm on 2.3.2 and on 2.09, both tested on Debian Squeeze i486.
At least for me it was always like that, not only when I change the file "during" connect.
I changed the file and restarted openvpn, just to have a reproducible environment.
/usr/sbin/openvpn --version
OpenVPN 2.3.2 i486-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 3 2013
Tested with latest debian snapshot from repos.openvpn.net
crl file empty:
Aug 20 10:50:24 openvpn[3052]: CRL: cannot read CRL from file /etc/openvpn2/crl.pem
Aug 20 10:50:24 openvpn[3052]: Exiting
with one revoked cert in the crl.pem file:
Aug 20 10:53:43 openvpn[705]: [test1] Peer Connection Initiated
comment:4 Changed 11 years ago by
Verify you don't have chroot configured in your server config file.
comment:5 Changed 10 years ago by
Version: | 2.1.0 / 2.1.1 → 2.3.2 |
---|---|
comment:6 Changed 10 years ago by
I agree we should fix this, as rram says - if the CRL is invalid, log that and reject access, but do not stop the server.
Anyone volunteering to do a patch for 2.3.2 or master? syzzer, do you feel like looking into this?
comment:7 Changed 10 years ago by
Cc: | Steffan Karger added |
---|---|
comment:8 Changed 10 years ago by
Component: | Generic / unclassified → Certificates |
---|---|
Owner: | set to Steffan Karger |
Status: | new → accepted |
Yes, I agree the server should not quit. Putting this on my list.
comment:9 Changed 10 years ago by
Milestone: | → release 2.3.5 |
---|---|
Resolution: | → fixed |
Status: | accepted → closed |
Fixes have been merged into the release/2.3 and master branches. The next OpenVPN release will include these.
Can someone reproduce this on latest release or Git master?