----- Original Message ----- 
From: "Rui Santos" <rsan...@grupopie.com>
To: <openvpn-users@lists.sourceforge.net>
Sent: Thursday, August 20, 2015 3:10 PM
Subject: Re: [Openvpn-users] CRL and --CApath usage


>
> On 20-08-2015 15:01, debbie...@gmail.com wrote:
>>
>> ----- Original Message ----- From: "Rui Santos" <rsan...@grupopie.com>
>> To: <openvpn-users@lists.sourceforge.net>
>> Sent: Thursday, August 20, 2015 12:33 PM
>> Subject: [Openvpn-users] CRL and --CApath usage
>>
>>
>>> I'm using --CApath option for CA and CRL approving/checking
>>>
>>> I just revoked a certificate, copied the new CRL to CApath, overwriting
>>> the old one, and OpenVPN allowed the connection with that
>>> certificate.
>>>
>>> The openssl command for this:
>>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>>> error 23 at 0 depth lookup:certificate revoked
>>>
>>> I tried to connect several times, with success, which I shouldn't be
>>> able to.
>>>
>>> However, if I restart the OpenVPN service, it works as expected, with
>>> the error:
>>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>>> Directories leading to CApath and files are accessible to all users:
>>> 0755/0644
>>>
>>> I wonder if there is any kind of bug on this. Is this an expected
>>> behavior?
>>> One should not need to restart the OpenVPN instance, just to reread the
>>> CRL.
>>>
>>> Am I missing something ?
>>
>> The manual has this to say:
>>
>> Note: As the crl file (or directory) is read every time a peer
>> connects, if you are dropping root privileges with --user, make sure
>> that this user has sufficient privileges to read the file.
>
> Hi Debbie,
>
> I'm aware of that. OpenVPN is indeed running as user nobody.
> But the accesses 0755/0644 for directories and files, respectively,
> should take care of that issue, shouldn’t it ?

Did you try *without* dropping root privileges ?

Perhaps the crl (in PEM format) is also affected by --persist-key ...

Regards
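As an added illustration (not part of this thread and not OpenVPN's own code), the constructed script below builds a throwaway CA, lays out the hashed directory that both OpenVPN's --CApath and `openssl verify -CApath` expect (`<subject hash>.0` for the CA certificate, `<issuer hash>.r0` for the CRL, the names `c_rehash` would produce), and runs the same `openssl verify -crl_check` command quoted above before and after revoking the client certificate. Replacing the CRL is a copy over the same `<hash>.r0` file, which is what the original poster did. The CA config layout, section names and file names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, hashed CApath, CRL check before/after revocation.
# Everything is generated in a temp directory; no real keys or hosts are involved.
set -eu

demo_crl_check() {
  work=$(mktemp -d)
  cd "$work"

  # Minimal 'openssl ca' database (hypothetical layout for this demo only)
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 01 > ca/serial
  echo 01 > ca/crlnumber
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF

  # CA key and self-signed certificate, then a client certificate issued by it
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 365 -config ca.cnf >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=client1" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in client.csr -out client.crt >/dev/null 2>&1

  # Hashed CApath: the CA cert is found by <subject hash>.0, the CRL by <issuer hash>.r0.
  # 'openssl x509 -hash' prints the same hash the directory lookup computes.
  mkdir capath
  h=$(openssl x509 -noout -hash -in ca.crt)
  cp ca.crt "capath/$h.0"

  # Empty CRL first: the client certificate must verify as OK.
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  cp crl.pem "capath/$h.r0"
  if openssl verify -crl_check -CApath capath client.crt 2>&1 | grep -q ': OK$'; then
    before=ok
  else
    before=fail
  fi

  # Revoke, regenerate the CRL and overwrite the same hashed file, as in the thread.
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  cp crl.pem "capath/$h.r0"
  if openssl verify -crl_check -CApath capath client.crt 2>&1 | grep -q ': OK$'; then
    after=ok
  else
    after=revoked   # openssl reports: error 23 at 0 depth lookup: certificate revoked
  fi

  cd /
  rm -rf "$work"
  echo "before=$before after=$after"
}

demo_crl_check
```

The success check greps for the `: OK` line rather than relying on the exit status, because older `openssl verify` releases exit 0 even when verification fails. On the OpenVPN side the same directory is what `--CApath` reads; if the overwritten `.r0` is not picked up until restart, comparing this command's result with the daemon's log line (`VERIFY ERROR: depth=0, error=certificate revoked`) tells you whether the CRL file itself or the running process is the problem.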


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users