Felipe Sanchez <i...@asic-linux.com.mx> said:
>
> Hi, I've been using openvpn for about a month now with great success, I
> have already set up about a dozen VPN connections in various environments.
>
> Lately I began wondering what would happen if I don't want some peer to be
> able to connect to my server anymore? From reading the docs I think I have
> these options:
>
> a) Use a different CA for signing the certificate of each client, so when
> I don't want that client to connect I just stop using the related
> CA's certificate and key at the server.
>
> b) Use my organization's CA for signing all the certificates (which is
> what I'm currently doing) and use --tls-verify and some scripting to
> verify if the certificate presented by the peer is still acceptable.
>
> c) Use a Certificate Revocation List (CRL) to invalidate any certificates
> I don't want to accept anymore.
>
> Looks like c) could be done in the same way as b) by using --tls-verify
> and the OpenSSL tools. My question is: Do I have to do that or does
> OpenVPN have built-in CRL support? I have found no mention of it in the
> documentation.
>
> Felipe Sanchez.
You are right that while (a) and (b) are currently supported, (c) is not. Having said that, I would imagine that adding CRL support would be straightforward. If you are interested in writing a patch, init_ssl() in ssl.c would be the place to look + the OpenSSL docs concerning CRLs. It's probably just a matter of adding the right OpenSSL calls to init_ssl to add the CRL to the SSL context.

James
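Option (b) from the thread, as an added example that is not part of the original exchange nor OpenVPN's own code: a minimal --tls-verify script that rejects peers whose certificate subject appears in a locally maintained revocation file. OpenVPN invokes the script once per certificate in the chain as `script <depth> <x509-subject>`, and a non-zero exit rejects the connection. The revocation file path (REVOKED_FILE), the one-subject-per-line format, and the sample subjects in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example: a --tls-verify script for OpenVPN implementing option (b).
# Usage in the server config (assumed path):
#   tls-verify /etc/openvpn/tls-verify.sh
# OpenVPN calls: tls-verify.sh <depth> <x509-subject>
#   depth 0 = the peer's own certificate, depth 1.. = issuing CA(s).
# Exit status 0 accepts the certificate, anything else rejects it.

# Assumed file: one revoked X.509 subject per line, in exactly the
# string form OpenVPN passes to the script (this form differs between
# OpenVPN versions, so copy it from a server log rather than typing it).
REVOKED_FILE="${REVOKED_FILE:-/etc/openvpn/revoked-subjects.txt}"

# check_subject DEPTH SUBJECT FILE
#   returns 0 to accept, 1 if SUBJECT is listed as revoked,
#   2 if the revocation file is unreadable (fail closed).
check_subject() {
    depth="$1"
    subject="$2"
    file="$3"

    # Only the leaf certificate (depth 0) identifies a peer; CA
    # certificates higher in the chain are accepted unchanged here
    # because OpenSSL has already verified them against the CA file.
    [ "$depth" -ne 0 ] && return 0

    # Fail closed: if the list cannot be read, an operator mistake
    # must not silently re-admit revoked clients.
    [ -r "$file" ] || return 2

    # -F literal match, -x whole line, -q no output.
    grep -Fxq -- "$subject" "$file" && return 1
    return 0
}

# When run by OpenVPN there are exactly two arguments; otherwise the
# file was sourced (e.g. for testing) and the functions are just defined.
if [ "$#" -eq 2 ]; then
    check_subject "$1" "$2" "$REVOKED_FILE"
    exit $?
fi
```

Two caveats a practitioner will want: the match is on the subject string, so a re-issued certificate with the same subject is also rejected until the line is removed (which is what you want for a lost key, but not for a routine renewal), and the script runs for every handshake, so the list should stay small and on local disk. Later OpenVPN releases added --crl-verify, which makes option (c) native and removes the need for this kind of script.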