----- Original Message -----
From: "David Sommerseth" <openvpn.l...@topphemmelig.net>
To: <debbie...@gmail.com>; "Rui Santos" <rsan...@grupopie.com>
Cc: <openvpn-users@lists.sourceforge.net>
Sent: Thursday, August 20, 2015 6:40 PM
Subject: Re: [Openvpn-users] CRL and --CApath usage

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/08/15 19:11, debbie...@gmail.com wrote:
>
> ----- Original Message -----
> From: "Rui Santos" <rsan...@grupopie.com>
> To: <openvpn-users@lists.sourceforge.net>
> Sent: Thursday, August 20, 2015 3:10 PM
> Subject: Re: [Openvpn-users] CRL and --CApath usage
>
>> On 20-08-2015 15:01, debbie...@gmail.com wrote:
>>>
>>> ----- Original Message -----
>>> From: "Rui Santos" <rsan...@grupopie.com>
>>> To: <openvpn-users@lists.sourceforge.net>
>>> Sent: Thursday, August 20, 2015 12:33 PM
>>> Subject: [Openvpn-users] CRL and --CApath usage
>>>
>>>> I'm using --CApath option for CA and CRL approving/checking
>>>>
>>>> I just revoked a certificate, copied the new CRL to CApath,
>>>> overwriting the old one, and the OpenVPN allowed the
>>>> connection with that certificate.
>>>>
>>>> The openssl command for this:
>>>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>>>> error 23 at 0 depth lookup:certificate revoked
>>>>
>>>> I tried to connect several times, with success, which I
>>>> shouldn't be able to.
>>>>
>>>> However, if I restart the OpenVPN service, it works as
>>>> expected, with the error:
>>>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>>>>
>>>> Directories leading to CApath and files are accessible to all
>>>> users: 0755/0644
>>>>
>>>> I wonder if there is any kind of bug on this. Is this an
>>>> expected behavior? One should not need to restart the
>>>> OpenVPN instance, just to reread the CRL.
>>>>
>>>> Am I missing something?
>>>
>>> The manual has this to say:
>>>
>>> Note: As the crl file (or directory) is read every time a peer
>>> connects, if you are dropping root privileges with --user, make
>>> sure that this user has sufficient privileges to read the
>>> file.
>>
>> Hi Debbie,
>>
>> I'm aware of that. OpenVPN is indeed running as user nobody. But
>> the accesses 0755/0644 for directories and files, respectively,
>> should take care of that issue, shouldn't it?
>
> Did you try *without* dropping root privileges?

Nonsense. If files and directories have 0655/0744, even the 'nobody'
user should be able to read these files. Also consider that
*connecting* to the server DO work.

> Perhaps the crl (in PEM format) is also affected by --persist-key
> ...

This is just pure guesswork, debbie10t. The CRL file is *NOT* affected
by --persist-key.

Rui: How have you configured --crl? Did you add the 'dir' flag when
pointing to the directory? Or did you point directly to a CRL file?

- --

Due to a lack of config files and logs I was merely offering
suggestions. Also, I now know that --persist-key does not affect the
crl PEM file.

The manual is not clear:

--persist-key
Don't re-read key files across SIGUSR1 or --ping-restart

Could be construed as: "fileS which are keyS" or "fileS which are key
to operation."

Thank you

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
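The `openssl verify -crl_check -CApath` check Rui ran, built out below as an added, self-contained script (not code from the thread or from the OpenVPN project). It constructs a throwaway CA, a client certificate and a CRL, installs them in the hashed directory layout OpenSSL's `-CApath` lookup expects, then replaces the CRL after revoking the client and re-runs the check, so the directory can be validated independently of whatever OpenVPN does at connect time. It assumes the `openssl` command-line tool (1.1.1 or later) is on `PATH`; every path, subject name and file name is constructed for the demo.

```shell
#!/bin/sh
# Added example: exercise OpenSSL's hashed -CApath layout end to end.
# <hash>.0 holds the CA certificate, <hash>.r0 holds that CA's CRL; the
# hash is the subject-name hash from "openssl x509 -hash" / "openssl crl -hash".
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)           # throwaway working directory (constructed)
CAPATH="$WORK/capath"       # stands in for the directory passed to --CApath
mkdir -p "$CAPATH"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the script does not depend on a system openssl.cnf.
cat > ca.cnf <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 1
default_crl_days = 1
x509_extensions  = v3_leaf
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber

# Demo CA, then a client certificate issued through "openssl ca" so the CA's
# database knows about it and can later revoke it.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -subj /CN=DemoCA -days 1 >/dev/null 2>&1
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj /CN=client >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -in client.csr -out client.crt >/dev/null 2>&1

# Install the CA under the hash name the directory lookup searches for.
cp ca.crt "$CAPATH/$(openssl x509 -noout -hash -in ca.crt).0"

# Regenerate the CRL and copy it over the existing <hash>.r0 entry, which is
# what "copied the new CRL to CApath, overwriting the old one" has to mean for
# OpenSSL to find it: a CRL under any other file name is never consulted.
install_crl() {
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    cp crl.pem "$CAPATH/$(openssl crl -noout -hash -in crl.pem).r0"
}

# The same check as in the thread; prints "ok", "revoked", or the raw error.
crl_status() {
    out=$(openssl verify -crl_check -no-CAfile -CApath "$CAPATH" "$1" 2>&1) || true
    case "$out" in
        *": OK"*)                echo ok ;;
        *"certificate revoked"*) echo revoked ;;
        *)                       echo "$out" ;;
    esac
}

install_crl                                  # empty CRL: client still valid
BEFORE=$(crl_status client.crt)
openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
install_crl                                  # new CRL now lists the client
AFTER=$(crl_status client.crt)
echo "before revocation:  $BEFORE"
echo "after CRL replaced: $AFTER"
```

In day-to-day operation the hash-named entries are created with `c_rehash` or `openssl rehash` rather than by hand; the script computes the names itself only to make the layout visible. Note also that this is OpenSSL's directory format: OpenVPN's `--crl-verify crl dir` mode is a different scheme, where the directory holds files named after the revoked certificates' serial numbers, so the two should not be mixed up when answering David's question about the `dir` flag.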