> -----Original Message-----
> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> Sent: Sunday 3 February 2013 15:52
> To: Jan Just Keijser
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>
> On 03/02/13 12:02, Jan Just Keijser wrote:
> > hi,
> >
> > what is the second option to '--crl-verify' supposed to do? in
> > options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
> > function 'verify_check_crl_dir'. However, this function does not seem
> > to do anything....
>
> Quickly looked at the code ... with the 'dir' flag (which sets
> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation. If
> you create (touch) a file in the defined directory with the file name
> matching a particular client's serial number; the connection will be
> denied.
>
Confirmed, with the footnote that this is a weird way of going about things.

I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards, and forcing people to either:

- Create an actual CRL file. This is not difficult. In general, people using OpenVPN should be managing their own CA in the OpenVPN world.
- Failing that, create a custom script to do this.

I'm always open for discussion, but imho this should not be core functionality in OpenVPN.

Kind regards,

Adriaan
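The lookup David describes, modelled in Python as an added illustration (this is not OpenVPN's code, nor anything posted in the thread): the server looks in the configured directory for a file named after the client certificate's serial number and denies the connection if one exists. The example assumes the file name is the serial in decimal (the same form OpenVPN exports as `tls_serial_{n}`); `openssl x509 -serial` prints hex, so an operator who "touches" the hex form gets a marker that never matches. All serials and the temporary directory are constructed for the demo.

```python
"""Model of OpenVPN's '--crl-verify <dir> dir' lookup (added illustration).

Assumption (not stated in the thread): the marker file is named by the
certificate serial in decimal, while tools such as openssl print it in hex.
"""
import os
import tempfile


def serial_hex_to_filename(serial_hex: str) -> str:
    """Convert an openssl-style hex serial ("serial=0A1B" or "0A:1B") to the
    decimal file name the directory lookup is assumed to use."""
    value = serial_hex.strip().split("=", 1)[-1].replace(":", "")
    return str(int(value, 16))


def crl_dir_verdict(serial_decimal: str, crl_dir: str) -> str:
    """'revoked' if <crl_dir>/<serial> exists, otherwise 'ok'.

    Note what is *not* checked here compared with a real CRL: no CA
    signature, no issuer binding, no nextUpdate; the file's mere presence
    is the revocation record."""
    return "revoked" if os.path.exists(os.path.join(crl_dir, serial_decimal)) else "ok"


def populate_crl_dir(crl_dir: str, revoked_hex_serials) -> list:
    """Create an empty marker file per revoked serial (what 'touch' does)."""
    names = []
    for hex_serial in revoked_hex_serials:
        name = serial_hex_to_filename(hex_serial)
        open(os.path.join(crl_dir, name), "a").close()
        names.append(name)
    return names


def demo() -> dict:
    """Constructed scenario: serial 0x0A (decimal 10) is revoked, 11 is not."""
    with tempfile.TemporaryDirectory() as crl_dir:
        populate_crl_dir(crl_dir, ["serial=0A"])
        return {
            "10": crl_dir_verdict("10", crl_dir),
            "11": crl_dir_verdict("11", crl_dir),
            # a marker named with the raw hex form would not be found
            "0A": crl_dir_verdict("0A", crl_dir),
        }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three verdicts; the point of the `"0A"` entry is that a directory of marker files silently fails open when the name form is wrong, which is one concrete reason to prefer a signed CRL.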