Changes between Version 2 and Version 3 of CertificateRevocationListExpired


Timestamp:
10/25/17 16:12:33 (6 years ago)
Author:
tct
Comment:

--

= OpenVPN 2.4: new Certificate Revocation List method =

Processing the Certificate Revocation List (CRL) in OpenVPN 2.4 is now
handled by the crypto library with which OpenVPN has been built. This
means the list is processed much more rigidly than before.
(Previously, in OpenVPN 2.3, a ''built-in'' check was used.)

Specifically, the crypto library (usually OpenSSL) checks '''all'''
fields of the CRL, including the `nextUpdate` field. A CRL whose
`nextUpdate` date is already in the past is flagged as '''expired''' by
OpenSSL (the ''built-in'' check in OpenVPN 2.3 did not look at this
field). As a result OpenVPN 2.4 refuses to verify any client certificate
against such a CRL, and the server log shows OpenSSL's
`CRL has expired` verification error.

In order to fix this, regenerate the CRL with a new `nextUpdate` value.
If you don't want your CRL to expire again, put that value far enough
into the future. Note that `nextUpdate` only tells the verifier by when a
fresher CRL is due; it does not take anyone off the list, so you must
still regenerate the CRL every time you revoke a certificate.

Using [https://github.com/OpenVPN/easy-rsa/releases EasyRSA] a new CRL
can be generated with `./easyrsa gen-crl`. (EasyRSA 3 takes the CRL
validity period from the `EASYRSA_CRL_DAYS` variable in its `vars` file.)
You can inspect the resulting `nextUpdate` with
`openssl crl -in crl.pem -noout -nextupdate`.
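
To see the new behaviour without touching a production server, here is an
added example (it is not OpenVPN or EasyRSA code) that builds a throw-away
CA with the plain `openssl` command, issues a CRL whose `nextUpdate` lapses
after one second, runs OpenSSL's own chain verification with CRL checking
against it, and then applies the fix from this page by regenerating the CRL
with a `nextUpdate` ten years out. Everything it uses is constructed: the CA,
the client certificate, the directory layout and the `openssl.cnf`; `openssl ca
-gencrl` stands in for `./easyrsa gen-crl`, which drives the same command.

```shell
#!/bin/sh
# Added example, not OpenVPN or EasyRSA code. Reproduces the OpenVPN 2.4
# symptom with plain OpenSSL tooling: a CRL whose nextUpdate has passed fails
# the crypto library's CRL check, and regenerating it with a fresh nextUpdate
# fixes it. Only the `openssl` command is assumed; the CA, client certificate
# and directory layout below are constructed here, not taken from a deployment.

# Build a throw-away CA that `openssl ca` can issue certificates and CRLs from.
crl_demo_setup() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Self-signed CA (cRLSign so OpenSSL accepts its CRLs), then one client
    # certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
        -config "$dir/openssl.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=client1 \
        -config "$dir/openssl.cnf" -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/client.csr" -out "$dir/client.crt" >/dev/null 2>&1
}

# Issue a CRL from the demo CA into DIR/crl.pem; extra arguments go to
# `openssl ca -gencrl`, e.g. `-crlsec 1` (lapses at once) or `-crldays 3650`.
crl_gen() {
    dir=$1; shift
    openssl ca -config "$dir/openssl.cnf" -gencrl "$@" -out "$dir/crl.pem" 2>/dev/null
}

# Print the nextUpdate field, the one OpenSSL (and so OpenVPN 2.4) enforces.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}

# Run OpenSSL's chain verification with CRL checking, as OpenVPN 2.4 delegates
# it to the library. Prints "OK", or the verification error such as
# "CRL has expired", and returns non-zero on failure.
crl_check_cert() {   # usage: crl_check_cert CA_CERT CRL CLIENT_CERT
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    return 1
}

# Walk through the failure and the fix in a temporary directory.
crl_demo() {
    d=$(mktemp -d)
    crl_demo_setup "$d"
    echo "CRL that lapses after one second (the OpenVPN 2.4 failure case):"
    crl_gen "$d" -crlsec 1
    sleep 2
    crl_next_update "$d/crl.pem"
    crl_check_cert "$d/ca.crt" "$d/crl.pem" "$d/client.crt" || true   # CRL has expired
    echo "Regenerated CRL with nextUpdate ten years out (the fix from the page):"
    crl_gen "$d" -crldays 3650
    crl_next_update "$d/crl.pem"
    crl_check_cert "$d/ca.crt" "$d/crl.pem" "$d/client.crt"           # OK
    rm -rf "$d"
}

# Run the full demonstration with `sh crl_demo.sh run`; the functions above
# can also be sourced and called one at a time.
if [ "${1:-}" = run ]; then crl_demo; fi
```

The `openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt`
line inside `crl_check_cert` is also a quick pre-flight check for a real
server's `ca.crt`, `crl.pem` and any issued client certificate: if it reports
`CRL has expired`, OpenVPN 2.4 will reject every client until the CRL is
regenerated, whether by `./easyrsa gen-crl` or by `openssl ca -gencrl`.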

Source:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13806.html