On 20-08-2015 15:01, debbie...@gmail.com wrote:
>
> ----- Original Message ----- From: "Rui Santos" <rsan...@grupopie.com>
> To: <openvpn-users@lists.sourceforge.net>
> Sent: Thursday, August 20, 2015 12:33 PM
> Subject: [Openvpn-users] CRL and --CApath usage
>
>
>> I'm using the --CApath option for CA and CRL approving/checking
>>
>> I just revoked a certificate, copied the new CRL to CApath, overwriting
>> the old one, and OpenVPN allowed the connection with that certificate.
>>
>> The openssl command for this:
>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>> error 23 at 0 depth lookup:certificate revoked
>>
>> I tried to connect several times, with success, which I shouldn't be able to.
>>
>> However, if I restart the OpenVPN service, it works as expected, with the error:
>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>> Directories leading to CApath and the files are accessible to all users:
>> 0755/0644
>>
>> I wonder if there is some kind of bug here. Is this the expected behavior?
>> One should not need to restart the OpenVPN instance, just to reread the
>> CRL.
>>
>> Am I missing something?
>
> The manual has this to say:
>
> Note: As the crl file (or directory) is read every time a peer connects, if
> you are dropping root privileges with --user, make sure that this user has
> sufficient privileges to read the file.

Hi Debbie,

I'm aware of that. OpenVPN is indeed running as user nobody.
But the permissions 0755/0644 for directories and files, respectively,
should take care of that issue, shouldn't they?

Regards,
>
> Regards
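The CApath mechanics the thread turns on, as an added example that is neither the poster's nor OpenVPN's code: a throwaway CA publishes an empty CRL into a CApath directory under the hashed file name OpenSSL looks up there, the CRL is then overwritten after revoking the client certificate, and the poster's own `openssl verify -crl_check -CApath` check is run both times. The CA name, file paths, permissions and one-day CRL lifetime are assumptions for the demo; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not the poster's or OpenVPN's code): a throwaway CA publishes a
# CRL into a CApath directory under the hashed name OpenSSL looks up there
# (<issuer-hash>.r0, 0755/0644 perms), then the CRL is overwritten after revoking
# the client cert and the poster's own verify command is run both times.
# Needs the openssl CLI; CA name, paths and CRL lifetime are constructed here.
set -eu
# Build CA, client cert and a minimal "openssl ca" config under directory $1.
setup_demo_ca() {
  d=$1
  mkdir -p "$d/capath" && chmod 755 "$d/capath"
  : > "$d/index.txt"   # empty CA database: nothing revoked yet
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\n' "$d" > "$d/ca.cnf"
  printf 'default_md=sha256\ndefault_crl_days=1\n' >> "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoCA \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=client1 \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
  # The CA cert itself must sit in CApath as <subject-hash>.0 or no chain builds.
  cp "$d/ca.crt" "$d/capath/$(openssl x509 -hash -noout -in "$d/ca.crt").0"
  chmod 644 "$d/capath"/*
}
# Write a CRL reflecting the CA database's current state to $1/crl.pem.
gen_crl() {
  openssl ca -config "$1/ca.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -md sha256 -gencrl -out "$1/crl.pem" 2>/dev/null
}
# Mark client.crt revoked in the CA database (does not touch the CRL file).
revoke_client() {
  openssl ca -config "$1/ca.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -md sha256 -revoke "$1/client.crt" 2>/dev/null
}
# Install CRL $2 into CApath $1 as <issuer-hash>.r0, overwriting any old copy.
install_crl() {
  name="$1/$(openssl crl -hash -noout -in "$2").r0"
  cp "$2" "$name" && chmod 644 "$name"
}
# Print ok / revoked / error for cert $2 against CApath $1 (the poster's check).
crl_status() {
  out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1) && { echo ok; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}
# Demo: same cert, "ok" with the first CRL, "revoked" once the CRL is replaced.
W=$(mktemp -d); setup_demo_ca "$W"; gen_crl "$W"; install_crl "$W/capath" "$W/crl.pem"
echo "before revocation: $(crl_status "$W/capath" "$W/client.crt")"
revoke_client "$W"; gen_crl "$W"; install_crl "$W/capath" "$W/crl.pem"
echo "after revocation:  $(crl_status "$W/capath" "$W/client.crt")"
```

The standalone `openssl verify` run here always re-reads the directory, so it reports "revoked" as soon as the file is overwritten; comparing its result with what a long-running OpenVPN process accepts for the same CApath is the quickest way to tell a permissions problem from a stale in-process CRL.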

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users