Hi,

On Mon, Jan 02, 2017 at 03:17:23PM +0100, Alberto Gonzalez Iniesta wrote:
> I just got this [1] bug report on OpenVPN 2.4 treating all certs as
> expired when upgrading from 2.3. I find this quite weird, but until I have
> some time to test it I thought asking here would be faster.

From the bug report:

Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, 
error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, 
emailAddress=my@email

"what the log says" :-)

2.4 checks CRLs much more rigidly than 2.3 (precisely: 2.3 had some
built-in checking which only looked at revocations, while 2.4 leaves this 
to the crypto library, and they check all fields more rigidly).

Specifically, CRLs with an expired "next update" field are flagged as
"expired" by OpenSSL, while the built-in check in 2.3 did not.


Since this bit a few people already, I wonder how we could communicate
this better.

gert


-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
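
As an added illustration of the "next update" check described in the message (not part of the original e-mail, and not OpenVPN or OpenSSL code), this Python example reads thisUpdate/nextUpdate from a DER-encoded CRL and reports whether a time-based check would call it expired. The sample CRL, the helper names `crl_status`, `enc` and `sample_crl`, and reading the log timestamp as UTC are assumptions made for the example.

```python
from datetime import datetime, timezone

def tlv(buf, pos):  # read one DER element: returns (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):  # (thisUpdate, nextUpdate or None) of a DER CRL
    _, cert_list, _ = tlv(der, 0)      # CertificateList
    _, tbs, _ = tlv(cert_list, 0)      # TBSCertList
    tag, _, pos = tlv(tbs, 0)
    if tag == 0x02:                    # optional version INTEGER was first
        _, _, pos = tlv(tbs, pos)      # so skip signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)          # issuer Name
    tag, val, pos = tlv(tbs, pos)
    this_update, next_update = parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = tlv(tbs, pos)
        if tag in (0x17, 0x18):        # nextUpdate is OPTIONAL
            next_update = parse_time(tag, val)
    return this_update, next_update

def crl_status(der, now):  # hypothetical helper: time checks only, no signature check
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not yet valid"
    return "expired" if next_update and now > next_update else "ok"

def enc(tag, body):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(body)]) + body
def sample_crl(this_upd, next_upd):  # constructed CRL, dummy signature
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")) + enc(0x05, b""))
    cn = enc(0x30, enc(0x06, bytes.fromhex("550403")) + enc(0x0C, b"Example CA"))
    times = b"".join(enc(0x17, t) for t in (this_upd, next_upd) if t)
    tbs = enc(0x30, enc(0x02, b"\x01") + alg + enc(0x30, enc(0x31, cn)) + times)
    return enc(0x30, tbs + alg + enc(0x03, bytes(9)))

SAMPLE = sample_crl(b"161201000000Z", b"170101000000Z")
LOG_TIME = datetime(2017, 1, 2, 7, 37, 10, tzinfo=timezone.utc)  # log line's time, taken as UTC
```

A PEM CRL can be converted for this with `openssl crl -in crl.pem -outform DER -out crl.der`; `crl_status(SAMPLE, LOG_TIME)` returns `"expired"` for the constructed sample.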