On 20/08/15 21:16, debbie...@gmail.com wrote:
>
> ----- Original Message -----
> From: "David Sommerseth" <openvpn.l...@topphemmelig.net>
> To: <debbie...@gmail.com>; "Rui Santos" <rsan...@grupopie.com>
> Cc: <openvpn-users@lists.sourceforge.net>
> Sent: Thursday, August 20, 2015 6:40 PM
> Subject: Re: [Openvpn-users] CRL and --CApath usage
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 20/08/15 19:11, debbie...@gmail.com wrote:
>>
>> ----- Original Message -----
>> From: "Rui Santos" <rsan...@grupopie.com>
>> To: <openvpn-users@lists.sourceforge.net>
>> Sent: Thursday, August 20, 2015 3:10 PM
>> Subject: Re: [Openvpn-users] CRL and --CApath usage
>>
>>
>>>
>>> On 20-08-2015 15:01, debbie...@gmail.com wrote:
>>>>
>>>> ----- Original Message -----
>>>> From: "Rui Santos" <rsan...@grupopie.com>
>>>> To: <openvpn-users@lists.sourceforge.net>
>>>> Sent: Thursday, August 20, 2015 12:33 PM
>>>> Subject: [Openvpn-users] CRL and --CApath usage
>>>>
>>>>
>>>>> I'm using --CApath option for CA and CRL approving/checking
>>>>>
>>>>> I just revoked a certificate, copied the new CRL to CApath,
>>>>> overwriting the old one, and the OpenVPN allowed the
>>>>> connection with that certificate.
>>>>>
>>>>> The openssl command for this:
>>>>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>>>>> error 23 at 0 depth lookup:certificate revoked
>>>>>
>>>>> I tried to connect several times, with success, which I
>>>>> shouldn't be able to.
>>>>>
>>>>> However, if I restart the OpenVPN service, it works as
>>>>> expected, with the error:
>>>>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>>>>> Directories leading to CApath and files are accessible to all
>>>>> users: 0755/0644
>>>>>
>>>>> I wonder if there is any kind of bug on this. Is this an
>>>>> expected behavior? One should not need to restart the
>>>>> OpenVPN instance, just to reread the CRL.
>>>>>
>>>>> Am I missing something?
>>>>
>>>> The manual has this to say:
>>>>
>>>> Note: As the crl file (or directory) is read every time a peer
>>>> connects, if you are dropping root privileges with --user, make
>>>> sure that this user has sufficient privileges to read the file.
>>>
>>> Hi Debbie,
>>>
>>> I'm aware of that. OpenVPN is indeed running as user nobody. But
>>> the accesses 0755/0644 for directories and files, respectively,
>>> should take care of that issue, shouldn't it?
>>
>> Did you try *without* dropping root privileges?
>
> Nonsense. If files and directories have 0655/0744, even the 'nobody'
> user should be able to read these files. Also consider that
> *connecting* to the server DO work.
>
>
>> Perhaps the crl (in PEM format) is also affected by --persist-key
>> ...
>
> This is just pure guesswork, debbie10t. The CRL file is *NOT*
> affected by --persist-key.
>
>
> Rui: How have you configured --crl? Did you add the 'dir' flag when
> pointing to the directory? Or did you point directly to a CRL file?
>
>
> - --
> Due to a lack of config files and logs I was merely offering suggestions.
> Also, I now know that --persist-key does not affect the crl PEM file.
> The manual is not clear:
>
> --persist-key
> Don't re-read key files across SIGUSR1 or --ping-restart
>
> Could be construed as:
> "fileS which are keyS" or "fileS which are key to operation."
CRL files are not KEYS. But there exist three different types of key files, --secret, --key and --tls-auth. IMO, the man page is correct.

--
kind regards,

David Sommerseth
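The check Rui ran (`openssl verify -crl_check -CApath <cadir> cert.crt`) only finds a CRL if it sits in the directory under OpenSSL's hashed name, `<issuer-hash>.r0`, next to the CA certificate as `<subject-hash>.0`; that hashed layout is also what OpenVPN's `--capath` relies on, and it is a different thing from the `dir` flag of `--crl-verify`, which expects a directory of files named after revoked serial numbers. The following script is an added example, not code from this thread or from the OpenVPN project: it builds a throwaway CA with the `openssl` CLI (1.1.1 or later assumed), issues a client certificate, installs the CA and an empty CRL into a CApath directory with the hashed names, shows the certificate is accepted, then revokes it, republishes the CRL and shows the same check now rejects it. All directory names, CNs and file names are constructed for the example.

```shell
#!/bin/sh
# Added example: hashed CApath layout and the openssl -crl_check test.
# Assumes the openssl CLI (>= 1.1.1); every name below is constructed.

# setup_pki DIR: create a CA, a client certificate and a CApath directory
# under DIR, with the CA certificate installed as <subject-hash>.0.
setup_pki() {
    pki="$1"
    mkdir -p "$pki/newcerts" "$pki/capath"
    : > "$pki/index.txt"
    echo 01 > "$pki/serial"
    echo 01 > "$pki/crlnumber"
    # Minimal config shared by 'openssl req' and 'openssl ca'.
    cat > "$pki/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = example_ca
[ example_ca ]
dir = $pki
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
x509_extensions = v3_client
[ policy_any ]
commonName = supplied
[ v3_client ]
basicConstraints = CA:FALSE
EOF
    openssl req -config "$pki/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$pki/ca.key" -out "$pki/ca.crt" -subj "/CN=Example CA" 2>/dev/null
    openssl req -config "$pki/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$pki/client.key" -out "$pki/client.csr" -subj "/CN=client1" 2>/dev/null
    openssl ca -batch -config "$pki/ca.cnf" -notext \
        -in "$pki/client.csr" -out "$pki/client.crt" 2>/dev/null
    # OpenSSL looks the CA up by subject hash: <hash>.0
    cp "$pki/ca.crt" "$pki/capath/$(openssl x509 -hash -noout -in "$pki/ca.crt").0"
}

# publish_crl DIR: regenerate the CRL from the CA database and install it
# in the CApath directory as <issuer-hash>.r0, the name OpenSSL looks for.
publish_crl() {
    pki="$1"
    openssl ca -config "$pki/ca.cnf" -gencrl -out "$pki/crl.pem" 2>/dev/null
    cp "$pki/crl.pem" "$pki/capath/$(openssl crl -hash -noout -in "$pki/crl.pem").r0"
}

# revoke_client DIR: mark the client certificate revoked in the CA database.
revoke_client() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/client.crt" 2>/dev/null
}

# check_cert DIR: the check from the thread. Exit status 0 when the client
# certificate verifies with CRL checking against the CApath directory,
# non-zero (error 23, certificate revoked) once the CRL lists it.
check_cert() {
    openssl verify -crl_check -CApath "$1/capath" "$1/client.crt" >/dev/null 2>&1
}

# Usage: sh crl_capath.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    setup_pki "$dir" && publish_crl "$dir"
    check_cert "$dir" && echo "before revocation: accepted"
    revoke_client "$dir" && publish_crl "$dir"
    check_cert "$dir" || echo "after revocation: rejected (certificate revoked)"
    rm -rf "$dir"
fi
```

Because `openssl verify` reads the directory fresh on every run, the second `check_cert` call fails as soon as the new `<hash>.r0` is in place; comparing that result with what a running OpenVPN instance accepts is the quickest way to tell a mis-named or mis-placed CRL from a daemon that has not re-read it.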
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users