openvpn quits on bad crl with crl-verify set

[rram]

If the openvpn server is configured to verify certificates against a CRL list and the crl isn't valid when someone attempts to login, the openssl server will completely exit. This can happen if the CRL file is being updated in place and someone tries to log in at the right time.

The openvpn server shouldn't quit, but just should just refuse the connection which will keep current connections running. This could also be set as a configurable option.

[Samuli Seppänen]

Can someone reproduce this on latest release or Git master?

[limburgher]

We've hit this on 2.3.2.

​https://bugzilla.redhat.com/show_bug.cgi?id=996892

[deno]

i can confirm on 2.3.2 and on 2.09, both tested on Debian Squeeze i486
At least for me it was allways like that, not only when i change the file "during" connect.

i changed the file and restarted openvpn, just to have a reproduceable environment .
/usr/sbin/openvpn --version
OpenVPN 2.3.2 i486-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 3 2013

Tested with latest debian snapshot from repos.openvpn.net

crl file empty:
Aug 20 10:50:24 openvpn[3052]: CRL: cannot read CRL from file /etc/openvpn2/crl.pem
Aug 20 10:50:24 openvpn[3052]: Exiting

with one revoked cert in the crl.pem file:

Aug 20 10:53:43 openvpn[705]: [test1] Peer Connection Initiated

[achapela]

Veirfy you don't have configured chroot in your config server file.

[Gert Döring]

I agree we should fix this, as rram says - if the CRL is invalid, log that and reject access, but do not stop the server.

Anyone volunteering to do a patch for 2.3.2 or master? syzzer, do you feel like looking into this?

[Steffan Karger]

Yes, I agree the server should not quit. Putting this on my list.

[Steffan Karger]

Fixes have been merged into the release/2.3 and master branches. The next OpenVPN release will include these.