> On 02-01-17 15:26, Gert Doering wrote:
> > On Mon, Jan 02, 2017 at 03:17:23PM +0100, Alberto Gonzalez Iniesta wrote:
> >> I just got this [1] bug report on OpenVPN 2.4 threating all certs as
> >> expired when upgrading from 2.3. I find this quite weird, but until I have
> >> some time to test it I thought asking here would be faster.
> > 
> > From the bug report:
> > 
> > Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0,
> error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn,
> emailAddress=my@email
> > 
> > "what the log says" :-)
> > 
> > 2.4 checks CRLs much more rigidly than 2.3 (precisely: 2.3 had some
> > built-in checking which only looked at revocations, while 2.4 leaves this 
> > to the crypto library, and they check all fields more rigidly).
> > 
> > Specifically, CRLs with an expired "next update" field are flagged as
> > "expired" by OpenSSL, while the built-in check in 2.3 did not.
> 
> This.  I replied something similar on the debian bug tracker, but I have
> no clue what will happen with that mail.
> 
> > Since this bit a few people already, I wonder how we could communicate
> > this better.
> 
> I wonder about that too.  Maybe some more verbose text on a wiki page?
> We could even detect this specific error and add a link to that page in
> the warning.
> 

Is there an option to disable this check? It would be extremely useful to 
maintain (at least optional) backward compatibility with already existing 
setups, which originally relied on 2.3 behaviour.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to