----- Original Message ----- 
From: "Rui Santos" <rsan...@grupopie.com>
To: <openvpn-users@lists.sourceforge.net>
Sent: Thursday, August 20, 2015 12:33 PM
Subject: [Openvpn-users] CRL and --CApath usage


> I'm using --CApath option for CA and CRL approving/checking
>
> I just revoked a certificate, copied the new CRL to CApath, overwriting
> the old one, and the OpenVPN allowed the connection with that
> certificate.
>
> The openssl command for this:
> ~# openssl verify -crl_check -CApath <cadir> cert.crt
> error 23 at 0 depth lookup:certificate revoked
>
> I tried to connect several times, with success, which I shouldn't be able
> to.
>
> However, if I restart the OpenVPN service, it works as expected, with the
> error:
> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
> Directories leading to CApath and files are accessible to all user:
> 0755/0644
>
> I wonder if there is any kind of bug on this. Is this an expected behavior?
> One should not need to restart the OpenVPN instance, just to reread the
> CRL.
>
> Am I missing something?

The manual has this to say:

Note: As the crl file (or directory) is read every time a peer connects, if
you are dropping root privileges with --user, make sure that this user has
sufficient privileges to read the file.

Regards


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
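The poster's `openssl verify -crl_check -CApath` command is the right way to confirm, independently of OpenVPN, that the CRL sitting in the CApath directory is actually the one being found and that it covers the revoked certificate. The script below is an added example, not code from the thread or from the OpenVPN project: it builds a throwaway CA, issues a client certificate, installs an empty CRL into a CApath directory under the hash-named layout OpenSSL's directory lookup expects (`<hash>.0` for the CA certificate, `<hash>.r0` for its CRL), confirms the certificate verifies, then revokes it, regenerates the CRL, overwrites `<hash>.r0` exactly as the poster did, and confirms `openssl verify` now rejects it. The CA config, subject names and the `crl_check_demo`/`capath_install` helpers are all constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the CApath CRL
# check with a throwaway CA so the directory layout and the CRL can be
# validated outside OpenVPN. Everything here (names, config, helpers) is
# constructed for the demo and requires only the openssl CLI.

# Copy a PEM file into the CApath directory under its OpenSSL hash name.
# $1 = capath dir, $2 = PEM file, $3 = "cert" (-> <hash>.0) or "crl" (-> <hash>.r0)
capath_install() {
    capath="$1"; file="$2"; kind="$3"
    if [ "$kind" = "crl" ]; then
        h=$(openssl crl -in "$file" -noout -hash)      # hash of the CRL issuer
        cp "$file" "$capath/$h.r0"
    else
        h=$(openssl x509 -in "$file" -noout -hash)     # hash of the CA subject
        cp "$file" "$capath/$h.0"
    fi
}

# Same check the poster ran; exit status 0 means the certificate was accepted.
capath_verify() {
    openssl verify -crl_check -CApath "$1" "$2" >/dev/null 2>&1
}

# Returns 0 only if the certificate is accepted with an empty CRL and then
# rejected once the overwritten CRL lists it as revoked.
crl_check_demo() {
    work=$(mktemp -d) || return 1
    capath="$work/capath"
    mkdir -p "$capath" "$work/newcerts"
    : > "$work/index.txt"
    echo 1000 > "$work/serial"

    # Minimal config for "openssl req" and "openssl ca" (constructed for this demo).
    cat > "$work/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $work
database = $work/index.txt
serial = $work/serial
new_certs_dir = $work/newcerts
certificate = $work/ca.crt
private_key = $work/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF

    # Throwaway CA plus one client certificate issued through "openssl ca".
    openssl req -config "$work/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$work/ca.key" -out "$work/ca.crt" -subj "/CN=Demo CA" -days 1 \
        >/dev/null 2>&1 || return 1
    openssl req -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$work/client.key" -out "$work/client.csr" -subj "/CN=demo-client" \
        >/dev/null 2>&1 || return 1
    openssl ca -config "$work/ca.cnf" -batch -in "$work/client.csr" \
        -out "$work/client.crt" >/dev/null 2>&1 || return 1

    # Install the CA and an empty CRL; the certificate must verify at this point.
    capath_install "$capath" "$work/ca.crt" cert
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" >/dev/null 2>&1 || return 1
    capath_install "$capath" "$work/crl.pem" crl
    capath_verify "$capath" "$work/client.crt" || { rm -rf "$work"; return 1; }

    # Revoke, regenerate the CRL and overwrite <hash>.r0, as the poster did.
    openssl ca -config "$work/ca.cnf" -revoke "$work/client.crt" >/dev/null 2>&1 || return 1
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" >/dev/null 2>&1 || return 1
    capath_install "$capath" "$work/crl.pem" crl

    # A correctly placed CRL makes the same verify command fail now.
    if capath_verify "$capath" "$work/client.crt"; then
        rm -rf "$work"; return 1    # revoked certificate still accepted: CRL not picked up
    fi
    rm -rf "$work"
    return 0
}

if crl_check_demo; then
    echo "revoked certificate correctly rejected via the CApath CRL"
else
    echo "CApath CRL check did NOT reject the revoked certificate"
fi
```

Running this against a real CApath (with `capath_verify <cadir> <revoked cert>`) answers the question the poster's `openssl verify` already answers: whether the files on disk are right. What it cannot show is when a running OpenVPN instance re-reads them; for that the manual text quoted above (the CRL is read every time a peer connects) and the server log's `VERIFY ERROR` line are the evidence to look at.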
