Package: openvpn
Version: 2.4.0-3
Severity: important

Dear Maintainer,

Since version 2.4 appeared in Testing, clients cannot connect to my openvpn
servers (I have 2 running on my desktop).
They are working fine if I downgrade to 2.3.11, but 2.4 versions seem to treat
all certificates as expired if crl-verify is enabled.
I checked all certificates and they are valid until 2021-2026.

Commenting out the crl-verify line from the server config will make it work, but
I have revoked certificates and without this option those certificates will be
allowed to connect.

Excerpt from server log (removed IP addresses and other personal info):

Mon Jan  2 07:37:10 2017 us=426660 1.2.3.4:36241 TLS: Initial packet from [AF_INET]1.2.3.4:36241, sid=66129e86 1e790a7e
Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email
Mon Jan  2 07:37:10 2017 us=466182 1.2.3.4:36241 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Jan  2 07:37:10 2017 us=466201 1.2.3.4:36241 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan  2 07:37:10 2017 us=466215 1.2.3.4:36241 TLS Error: TLS object -> incoming plaintext read error
Mon Jan  2 07:37:10 2017 us=466228 1.2.3.4:36241 TLS Error: TLS handshake failed
Mon Jan  2 07:37:10 2017 us=466290 1.2.3.4:36241 SIGUSR1[soft,tls-error] received, client-instance restarting


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.59
ii  init-system-helpers    1.46
ii  iproute2               4.9.0-1
ii  libc6                  2.24-8
ii  liblz4-1               0.0~r131-2
ii  liblzo2-2              2.08-1.2
ii  libpam0g               1.1.8-3.4
ii  libpkcs11-helper1      1.11-6
ii  libssl1.0.2            1.0.2j-4
ii  libsystemd0            232-8
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0c-2
pn  resolvconf  <none>

-- debconf information:
  openvpn/create_tun: false
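
Added example (not part of the original report, and not OpenVPN code): a log triage helper that rejoins mail-wrapped entries like the server log excerpt above and classifies each VERIFY ERROR by its OpenSSL reason string, so a stale CRL ("CRL has expired", meaning the CRL's nextUpdate has passed) is not confused with an expired or revoked client certificate. The function names, cause labels and sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (placeholder peers/subjects), mail-wrapped like the excerpt.
SAMPLE_LOG = """\
Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0,
error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn,
emailAddress=my@email
Mon Jan  2 07:37:10 2017 us=466228 1.2.3.4:36241 TLS Error: TLS handshake failed
Mon Jan  2 07:38:02 2017 us=101010 5.6.7.8:40000 VERIFY ERROR: depth=0,
error=certificate has expired: C=XX, CN=other
Mon Jan  2 07:39:15 2017 us=202020 9.9.9.9:41000 VERIFY ERROR: depth=0,
error=certificate revoked: C=XX, CN=revoked-client
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} ")
VERIFY_RE = re.compile(
    r"us=\d+ (?P<peer>\S+) VERIFY ERROR: depth=(?P<depth>\d+), "
    r"error=(?P<reason>[^:]+): (?P<subject>.*)$")

# OpenSSL verify-error strings mapped to hypothetical cause labels.
CAUSES = {
    "CRL has expired": "crl_stale",           # CRL nextUpdate is in the past
    "certificate has expired": "cert_expired",
    "certificate revoked": "cert_revoked",    # crl-verify working as intended
}

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their entry."""
    entries = []
    for line in text.splitlines():
        if TS_RE.match(line) or not entries:
            entries.append(line.rstrip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def verify_errors(text):
    """Return one dict per VERIFY ERROR entry, with a classified cause."""
    out = []
    for entry in unwrap(text):
        m = VERIFY_RE.search(entry)
        if m:
            d = m.groupdict()
            out.append({**d, "depth": int(d["depth"]),
                        "cause": CAUSES.get(d["reason"], "other")})
    return out

def summarize(text):
    return Counter(e["cause"] for e in verify_errors(text))  # rejections per cause
```

A `crl_stale` count that covers every connecting peer points at the CRL file referenced by crl-verify rather than at the individual client certificates.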
