On Mon, Jan 02, 2017 at 03:26:46PM +0100, Gert Doering wrote:
> Hi,
> 
> On Mon, Jan 02, 2017 at 03:17:23PM +0100, Alberto Gonzalez Iniesta wrote:
> > I just got this [1] bug report on OpenVPN 2.4 treating all certs as
> > expired when upgrading from 2.3. I find this quite weird, but until I have
> > some time to test it I thought asking here would be faster.
> 
> From the bug report:
> 
> Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, 
> error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, 
> emailAddress=my@email
> 
> "what the log says" :-)
> 
> 2.4 checks CRLs much more rigidly than 2.3 (precisely: 2.3 had some
> built-in checking which only looked at revocations, while 2.4 leaves this 
> to the crypto library, and they check all fields more rigidly).
> 
> Specifically, CRLs with an expired "next update" field are flagged as
> "expired" by OpenSSL, while the built-in check in 2.3 did not.
> 
> 
> Since this bit a few people already, I wonder how we could communicate
> this better.
> 
> gert
> 
> 

Oh! I see. Thanks Gert!!

I can/will add a note on the Debian package, but that has a limited
audience.

Cheers,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: a...@inittab.org | for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
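
Added example, not part of the original thread and not OpenVPN code: a small monitoring check for the condition Gert describes, a CRL whose "next update" time has passed. It classifies the line printed by `openssl crl -noout -nextupdate`; the 7-day warning window, the status names and the sample lines are assumptions constructed for illustration.

```python
"""Warn before a CRL's nextUpdate passes (added example, thresholds assumed)."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

WARN_BEFORE = timedelta(days=7)  # assumed window; match it to your CRL refresh cadence


def parse_next_update(line):
    """Parse 'nextUpdate=Jan  2 07:37:10 2017 GMT' as printed by openssl.

    Returns an aware UTC datetime, or None when openssl prints NONE
    (the CRL carries no nextUpdate field)."""
    key, sep, value = line.strip().partition("=")
    if key != "nextUpdate" or not sep:
        raise ValueError("not a nextUpdate line: %r" % line)
    if value == "NONE":
        return None
    # split/join collapses the double space openssl pads one-digit days with
    stamp = " ".join(value.split())
    parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def crl_status(line, now):
    """Classify a nextUpdate line as expired, expiring, ok or no-nextupdate."""
    next_update = parse_next_update(line)
    if next_update is None:
        return "no-nextupdate"
    if next_update <= now:
        return "expired"
    if next_update - now <= WARN_BEFORE:
        return "expiring"
    return "ok"


def check_file(path):
    """Ask openssl for the nextUpdate of a PEM CRL file and classify it."""
    cmd = ["openssl", "crl", "-in", path, "-noout", "-nextupdate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return crl_status(out, datetime.now(timezone.utc))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status = check_file(sys.argv[1])
        print(sys.argv[1], status)
        sys.exit(0 if status == "ok" else 1)
    now = datetime(2017, 1, 2, 7, 37, 10, tzinfo=timezone.utc)  # constructed
    for sample in ("nextUpdate=Dec 30 12:00:00 2016 GMT", "nextUpdate=NONE"):
        print(sample, "->", crl_status(sample, now))
```

Run from cron against the file named in the `crl-verify` option, a non-zero exit gives the CRL issuer time to regenerate the list before clients start failing verification.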
