On 24/04/17 08:58, Samuli Seppänen wrote: > On 23/04/2017 11:02, Steffan Karger wrote: >> >> On 22-04-17 20:24, debbie10t wrote: >>> >>> On 02/01/17 15:39, Steffan Karger wrote: >>>> On 02-01-17 16:24, SviMik wrote: >>>>> >>>>>> On 02-01-17 15:26, Gert Doering wrote: >>>>>>> On Mon, Jan 02, 2017 at 03:17:23PM +0100, Alberto Gonzalez >>>>>>> Iniesta wrote: >>>>>>>> I just got this [1] bug report on OpenVPN 2.4 threating all >>>>>>>> certs as expired when upgrading from 2.3. I find this quite >>>>>>>> weird, but until I have some time to test it I thought asking >>>>>>>> here would be faster. >>>>>>> >>>>>>> From the bug report: >>>>>>> >>>>>>> Mon Jan 2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: >>>>>>> depth=0, >>>>>> error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, >>>>>> emailAddress=my@email >>>>>>> >>>>>>> "what the log says" :-) >>>>>>> >>>>>>> 2.4 checks CRLs much more rigidly than 2.3 (precisely: 2.3 had >>>>>>> some built-in checking which only looked at revocations, while >>>>>>> 2.4 leaves this to the crypto library, and they check all fields >>>>>>> more rigidly). >>>>>>> >>>>>>> Specifically, CRLs with an expired "next update" field are >>>>>>> flagged as "expired" by OpenSSL, while the built-in check in 2.3 >>>>>>> did not. >>>>>> >>>>>> This. I replied something similar on the debian bug tracker, but I >>>>>> have no clue what will happen with that mail. >>>>>> >>>>>>> Since this bit a few people already, I wonder how we could >>>>>>> communicate this better. >>>>>> >>>>>> I wonder about that too. Maybe some more verbose text on a wiki >>>>>> page? We could even detect this specific error and add a link to >>>>>> that page in the warning. >>>>>> >>>>> >>>>> Is there an option to disable this check? It would be extremely >>>>> useful to maintain (at least optional) backward compatibility with >>>>> already existing setups, which originally relied on 2.3 behaviour. >>>>> >>>> >>>> No, there is not. And I don't think there is an easy way to implement >>>> that either. >>>> >>>> But, the fix is just as easy as the workaround: just regenerate the >>>> CRL, with a more correct nextUpdate value. If you don't want your CRLs >>>> expire, just put that value far enough into the future. >>> >>> Following this up, something like: >>> https://community.openvpn.net/openvpn/wiki/SandBox >> >> Excellent text! Thanks. Let's give this a good spot on the wiki. >> >> -Steffan >> > > Perhaps a condensed version of that text should go to the --crl-verify > section on the man-page? >
Please feel free to edit, improve, correct and use it as preferred. -- ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel