Changes between Version 1 and Version 2 of CertificateRevocationListExpired


Timestamp:
10/25/17 16:12:11 (5 years ago)
Author:
tct
Comment:

--

  • CertificateRevocationListExpired

    v1 v2  
    1 = OpenVPN 2.4 new Certificate Revocation List method. =
    2 
    3 Processing the Certificate Revocation List (CRL) in OpenVPN 2.4 is now
    4 handled by the Crypto Library with which OpenVPN has been built.  This
    5 means the list is processed much more rigidly than before.
    6 (Previously, in OpenVPN 2.3, a ''built-in'' check was used).
    7 
    8 Specifically, the Crypto Library (Usually OpenSSL) will check '''all'''
    9 fields,  this check includes the `nextUpdate` field and CRLs with an
    10 expired `nextUpdate` field are flagged as '''expired''' by OpenSSL (The
    11 ''built-in'' check in OpenVPN 2.3 did not check this field).
    12 
    13 In order to fix this, regenerate the CRL with a new `nextUpdate` value.
    14 If you don't want your CRLs
    15 expire put that value far enough into the future.
    16 
    17 Using [https://github.com/OpenVPN/easy-rsa/releases EasyRSA] a new CRL
    18 can be generated with `./easyrsa gen-crl`
    19 
    20 Source:
    21 https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13806.html
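Review bot: new lines 13-15 tell the reader to regenerate the CRL with a later `nextUpdate` and to put it "far enough into the future", but lines 17-18 only give `./easyrsa gen-crl` and never say where that value is set, so the advice cannot be followed from this page alone. Add a sentence naming the setting that controls the CRL validity period when the CRL is generated. It is also worth stating next to that advice that a far-future `nextUpdate` means the check described on lines 8-11 will not flag an old CRL file for that whole period, so the CRL still has to be regenerated and redistributed after every revocation. Wording: lines 14-15 should read "If you don't want your CRLs to expire, put that value far enough into the future", lines 8-9 contain a comma splice and a double space ("fields,  this check includes"), and "Usually" on line 8 should be lower case.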