Hi Rui,

On 20/08/15 21:19, David Sommerseth wrote:
> On 20/08/15 21:16, debbie...@gmail.com wrote:
>> ----- Original Message ----- From: "David Sommerseth"
>> <openvpn.l...@topphemmelig.net>
>> To: <debbie...@gmail.com>; "Rui Santos" <rsan...@grupopie.com>
>> Cc: <openvpn-users@lists.sourceforge.net>
>> Sent: Thursday, August 20, 2015 6:40 PM
>> Subject: Re: [Openvpn-users] CRL and --CApath usage
>>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 20/08/15 19:11, debbie...@gmail.com wrote:
>>> ----- Original Message ----- From: "Rui Santos"
>>> <rsan...@grupopie.com> To: <openvpn-users@lists.sourceforge.net>
>>> Sent: Thursday, August 20, 2015 3:10 PM Subject: Re:
>>> [Openvpn-users] CRL and --CApath usage
>>>
>>>
>>>> On 20-08-2015 15:01, debbie...@gmail.com wrote:
>>>>> ----- Original Message ----- From: "Rui Santos"
>>>>> <rsan...@grupopie.com> To:
>>>>> <openvpn-users@lists.sourceforge.net> Sent: Thursday, August
>>>>> 20, 2015 12:33 PM Subject: [Openvpn-users] CRL and --CApath
>>>>> usage
>>>>>
>>>>>
>>>>>> I'm using --CApath option for CA and CRL approving/checking
>>>>>>
>>>>>> I just revoked a certificate, copied the new CRL to CApath,
>>>>>> overwriting the old one, and the OpenVPN allowed the
>>>>>> connection with that certificate.
>>>>>>
>>>>>> The openssl command for this:
>>>>>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>>>>>> error 23 at 0 depth lookup:certificate revoked
>>>>>>
>>>>>> I tried to connect several times, with success, which I
>>>>>> shouldn't be able to.
>>>>>>
>>>>>> However, if I restart the OpenVPN service, it works as
>>>>>> expected, with the error:
>>>>>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>>>>>> Directories leading to CApath and files are accessible to
>>>>>> all users: 0755/0644
>>>>>>
>>>>>> I wonder if there is any kind of bug on this. Is this an
>>>>>> expected behavior ? One should not need to restart the
>>>>>> OpenVPN instance, just to reread the CRL.
>>>>>>
>>>>>> Am I missing something ?
I know this worked in a previous release of OpenVPN - my setup relied on 
it. I will check next week when I am back home to see if it still works 
for v2.3+

stay tuned,

JJK


