Hi, Gert

Thank you. I'd appreciate it if the patch could be applied to release/2.4 too; no changes are required, the related code is the same, only the hunk offsets differ in ssl_verify.c and ssl_verify_openssl.c.

I've tested 2.4.9 [git:release/2.4/7c428ca19a8df6b9+] with the patch on the sample certificates; please refer to the log below:

OpenSSL, --crl-verify sample-keys/ca.crl

Wed Aug 5 17:18:49 2020 127.0.0.1:16001 VERIFY ERROR: depth=0, error=certificate revoked: C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked, emailAddress=me@myhost.mydomain, serial=3
Wed Aug 5 17:18:49 2020 127.0.0.1:16001 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Wed Aug 5 17:18:49 2020 127.0.0.1:16001 TLS_ERROR: BIO read tls_read_plaintext error

mbedTLS, --crl-verify sample-keys/ca.crl

Wed Aug 5 17:25:28 2020 127.0.0.1:16001 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Wed Aug 5 17:25:28 2020 127.0.0.1:16001 VERIFY ERROR: depth=0, subject=C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked, emailAddress=me@myhost.mydomain, serial=3: The certificate has been revoked (is on a CRL)
Wed Aug 5 17:25:28 2020 127.0.0.1:16001 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

touch sample-keys/3, --crl-verify sample-keys/ dir

Wed Aug 5 17:18:12 2020 127.0.0.1:16001 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 VERIFY CRL: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked, emailAddress=me@myhost.mydomain, serial=3 is revoked
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 TLS_ERROR: BIO read tls_read_plaintext error

--
Best Regards,
Vladislav Grishenko

-----Original Message-----
From: Gert Doering <g...@greenie.muc.de>
Sent: Wednesday, August 5, 2020 4:55 PM
To: Vladislav Grishenko <themi...@yandex-team.ru>
Cc: openvpn-devel@lists.sourceforge.net
Subject: [PATCH applied] Re: Log serial number of revoked certificate

Your patch has been applied to the master branch.

I have not done much testing, just a test run "make check" on an OpenSSL and mbedTLS build.

I have not looked into applying it to "release/2.4" - if you think it's needed, let me know (or if it needs more work because the code has diverged too much, send a 2.4 patch) - thanks.

commit 992e9cec40539a155afa9eae10502aa62f617965
Author: Vladislav Grishenko
Date:   Wed Aug 5 15:23:33 2020 +0500

    Log serial number of revoked certificate

    Signed-off-by: Vladislav Grishenko <themi...@yandex-team.ru>
    Acked-by: Lev Stipakov <lstipa...@gmail.com>
    Message-Id: <20200805102333.3109-1-themi...@yandex-team.ru>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20642.html
    Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
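The practical value of the patch discussed in this thread is that a revoked client certificate now shows up in the server log with its serial number, which is what an operator needs to correlate the rejection with a CRL entry or with a file in a --crl-verify directory. The following is an added example, not code from the thread or from OpenVPN itself: a small Python parser that reads the three log excerpts quoted above (embedded verbatim as constructed sample input) and extracts peer, CN, serial and which revocation path produced the message. The mapping from log phrase to path ("openssl", "mbedtls", "crl-dir") is an assumption taken from the three test runs in the mail, not from OpenVPN's source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the three verification runs quoted in the mail above,
# one OpenVPN log line per event (OpenSSL + CRL file, mbedTLS + CRL file,
# OpenSSL + CRL directory).
SAMPLE_LOG = """\
Wed Aug 5 17:18:49 2020 127.0.0.1:16001 VERIFY ERROR: depth=0, error=certificate revoked: C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked, emailAddress=me@myhost.mydomain, serial=3
Wed Aug 5 17:18:49 2020 127.0.0.1:16001 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Wed Aug 5 17:18:49 2020 127.0.0.1:16001 TLS_ERROR: BIO read tls_read_plaintext error
Wed Aug 5 17:25:28 2020 127.0.0.1:16001 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Wed Aug 5 17:25:28 2020 127.0.0.1:16001 VERIFY ERROR: depth=0, subject=C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked, emailAddress=me@myhost.mydomain, serial=3: The certificate has been revoked (is on a CRL)
Wed Aug 5 17:25:28 2020 127.0.0.1:16001 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 VERIFY CRL: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked, emailAddress=me@myhost.mydomain, serial=3 is revoked
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Wed Aug 5 17:18:12 2020 127.0.0.1:16001 TLS_ERROR: BIO read tls_read_plaintext error
"""

# One VERIFY event per line; `rest` holds everything after "depth=N, ".
VERIFY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<peer>\S+) VERIFY (?P<kind>OK|ERROR|CRL): depth=(?P<depth>\d+), (?P<rest>.*)$"
)
SERIAL_RE = re.compile(r"serial=(\d+)")
CN_RE = re.compile(r"CN=([^,]+)")

# Assumed mapping (from the three runs in the mail) of the revocation phrase
# to the path that produced it. Order matters: the first match wins.
SOURCE_BY_PHRASE = (
    ("error=certificate revoked", "openssl"),  # OpenSSL backend, --crl-verify <file>
    ("has been revoked", "mbedtls"),           # mbedTLS backend, --crl-verify <file>
    ("is revoked", "crl-dir"),                 # --crl-verify <dir> dir, file named by serial
)


@dataclass(frozen=True)
class RevokedCert:
    timestamp: str
    peer: str
    depth: int
    cn: str
    serial: str
    source: str


def classify(rest: str) -> Optional[str]:
    """Return the revocation path for a VERIFY ERROR/CRL line, or None if the
    failure is something else (expired cert, bad signature, ...)."""
    for phrase, source in SOURCE_BY_PHRASE:
        if phrase in rest:
            return source
    return None


def parse_revocations(log_text: str) -> List[RevokedCert]:
    """Extract one RevokedCert per VERIFY line that reports a revoked cert."""
    events: List[RevokedCert] = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if not m or m["kind"] == "OK":
            continue
        source = classify(m["rest"])
        if source is None:
            continue
        serial = SERIAL_RE.search(m["rest"])
        cn = CN_RE.search(m["rest"])
        events.append(RevokedCert(
            timestamp=m["ts"],
            peer=m["peer"],
            depth=int(m["depth"]),
            cn=cn.group(1).strip() if cn else "",
            serial=serial.group(1) if serial else "",  # empty on builds without the patch
            source=source,
        ))
    return events


def serials_by_cn(events: List[RevokedCert]) -> Dict[str, Set[str]]:
    """Group the serials seen per CN, e.g. to spot a CN presenting several certs."""
    out: Dict[str, Set[str]] = {}
    for e in events:
        out.setdefault(e.cn, set()).add(e.serial)
    return out


if __name__ == "__main__":
    for ev in parse_revocations(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.peer} CN={ev.cn} serial={ev.serial} via {ev.source}")
```

An empty `serial` field in the result is the tell-tale of a server running a build without this patch: the CN is still logged, but the operator cannot tell which of the CN's certificates was rejected.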