Hi Antonio,

Thanks for taking a look!

> Mh... I have tried to reproduce this issue, but I was not able to.
> Would you be able to provide me with the exact steps to hit this
> situation?

This bug happens only if the CRL file can't be opened in init_ssl().
(Un-openable CRL files and un-parseable CRL files cause different
behaviors.)

Realistically, this only happens when using chroot:
1) Have a valid CRL in /path/to/chroot/crl.pem
2) Run with --chroot /path/to/chroot and --crl-verify /crl.pem.
   (Note the absolute path for crl-verify!)
3) OpenVPN will ignore the CRL.

(In principle, this could happen without chroot if the CRL file gets
deleted right after OpenVPN detected that it exists in options.c.)

I've written it up in more detail in an earlier e-mail:
https://sourceforge.net/p/openvpn/mailman/message/37254045/


> To fix this issue, wouldn't be enough to reload the CRL *before* calling
> mbedtls_ssl_setup()?
> This way we know that a new ssl_ctx is always initialized with the
> latest CRL, rather than having the old one still around?
> 
> I have attached a proposal for your review. Please let me know what you
> think about it.

I tried your diff with the chroot setup above. The first connection
attempt causes a restart (whether the client cert was revoked or not).

2021-04-08 09:54:05 VERIFY ERROR: CRL not loaded
2021-04-08 09:54:05 VERIFY ERROR: CRL not loaded
2021-04-08 09:54:05 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2021-04-08 09:54:05 TLS Error: TLS object -> incoming plaintext read error
2021-04-08 09:54:05 TLS Error: TLS handshake failed
2021-04-08 09:54:05 Closing TUN/TAP interface
2021-04-08 09:54:05 SIGUSR1[soft,tls-error] received, process restarting

After the restart, it works correctly: Revoked certificates are rejected,
and non-revoked ones are accepted.


Also, the reason why I want to keep old CRLs around is not directly related
to this bug. It's because every key_state_ssl struct contains a
mbedtls_ssl_context and a corresponding mbedtls_ssl_config. That config is
not supposed to be changed, according to the mbedtls documentation. However,
every config struct in OpenVPN contains a pointer to tls_root_ctx->crl.
(Well, at least as long as you're not running in a chroot.)
This crl is modified in-place whenever we run tls_ctx_reload_crl().

It does not seem like a big deal in practice. Because OpenVPN is
single-threaded we're not at risk of overwriting the CRL while it is used,
but I thought while I'm already working on the code, I could try to make
it conform to the documentation better...


> As a side note: how did you notice this issue?

Compumatica has found this bug in OpenVPN-NL and they reported
it to us at Fox-IT. I've reproduced it with stock OpenVPN using
mbedtls. It does not happen with OpenSSL.

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel