On 20-08-2015 20:16, debbie...@gmail.com wrote:
> ----- Original Message -----
> From: "David Sommerseth" <openvpn.l...@topphemmelig.net>
> To: <debbie...@gmail.com>; "Rui Santos" <rsan...@grupopie.com>
> Cc: <openvpn-users@lists.sourceforge.net>
> Sent: Thursday, August 20, 2015 6:40 PM
> Subject: Re: [Openvpn-users] CRL and --CApath usage
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 20/08/15 19:11, debbie...@gmail.com wrote:
>> ----- Original Message ----- From: "Rui Santos"
>> <rsan...@grupopie.com> To: <openvpn-users@lists.sourceforge.net>
>> Sent: Thursday, August 20, 2015 3:10 PM Subject: Re:
>> [Openvpn-users] CRL and --CApath usage
>>
>>
>>> On 20-08-2015 15:01, debbie...@gmail.com wrote:
>>>> ----- Original Message ----- From: "Rui Santos"
>>>> <rsan...@grupopie.com> To:
>>>> <openvpn-users@lists.sourceforge.net> Sent: Thursday, August
>>>> 20, 2015 12:33 PM Subject: [Openvpn-users] CRL and --CApath
>>>> usage
>>>>
>>>>
>>>>> I'm using --CApath option for CA and CRL approving/checking
>>>>>
>>>>> I just revoked a certificate, copied the new CRL to CApath,
>>>>> overwriting the old one, and the OpenVPN allowed > the
>>>>> connection with that certificate.
>>>>>
>>>>> The openssl command for this: ~# openssl verify -crl_check
>>>>> -CApath <cadir> cert.crt error 23 at 0 depth
>>>>> lookup:certificate revoked
>>>>>
>>>>> I tried to connect several times, with success, which I
>>>>> shouldn't be able to.
>>>>>
>>>>> However, if I restart the OpenVPN service, it works as
>>>>> expected, with the error: <IP>:42410 VERIFY ERROR: depth=0,
>>>>> error=certificate revoked: C=........ Directories leading to
>>>>> CApath and files are accessible to all users: 0755/0644
>>>>>
>>>>> I wonder if there is any kind of bug on this. Is this an
>>>>> expected behavior ? One should not need to restart the
>>>>> OpenVPN instance, just to reread the CRL.
>>>>>
>>>>> Am I missing something ?
>>>> The manual has this to say:
>>>>
>>>> Note: As the crl file (or directory) is read every time a peer
>>>> connects, if you are dropping root privileges with --user, make
>>>> sure that this user has sufficient privileges to read the
>>>> file.
>>> Hi Debbie,
>>>
>>> I'm aware of that. OpenVPN is indeed running as user nobody. But
>>> the accesses 0755/0644 for directories and files, respectively,
>>> should take care of that issue, shouldn’t it ?
>> Did you try *without* dropping root privileges?
> Nonsense.  If files and directories have 0655/0744, even the 'nobody'
> user should be able to read these files.  Also consider that
> *connecting* to the server DOES work.
>
>
>> Perhaps the crl (in PEM format) is also effected by --persist-key
>> ...
> This is just pure guesswork, debbie10t.  The CRL file is *NOT*
> affected by --persist-key.
>
>
> Rui:  How have you configured --crl?  Did you add the 'dir' flag when
> pointing to the directory?  Or did you point directly to a CRL file?
>
>
> - -- 
>
> Due to a lack of config files and logs I was merely offering suggestions.
> Also, I now know that --persist-key does not affect the crl PEM file.
> The manual is not clear:
>
> --persist-key
> Don't re-read key files across SIGUSR1 or --ping-restart
>
> Could be construed as:
>   "fileS which are keyS" or "fileS which are key to operation."
Hi Debbie,

As I stated before, I do appreciate your input.
Although I think David is correct, you also have a point in me not 
providing the config file and/or logs.

Here is the config file. I've removed the route and push options, as well 
as all sensitive information:
auth SHA256
capath /etc/openvpn/cadir/
cert cert.crt.pem
cipher AES-256-CBC
client-config-dir ccd
client-to-client
comp-lzo
dev tun1
dh dh2048.pem
group nobody
ifconfig-pool-persist ipp.txt
keepalive 10 120
key cert.key.pem  # This file should be kept secret
log         /var/log/openvpn.log
passtos
persist-key
persist-tun
port <port>
proto udp
server network mask
status openvpn-status.log
tls-auth openvpn.ta.key 0 # This file is secret
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-server
user nobody
verb 4

About the log file, there is no special output at all, except for what 
I have already mentioned in my first email.

Regards,
Rui

>
> Thank you
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users


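As an added example that is not part of this thread and not OpenVPN project code, the script below reproduces the check Rui ran (openssl verify -crl_check -CApath <cadir> cert.crt) against a throwaway CA built in a temporary directory. It issues two client certificates, revokes one, and installs the CA certificate and CRL into a CApath directory under the hash names OpenSSL's -CApath lookup requires (<hash>.0 for a CA certificate, <hash>.r0 for its CRL), which is the naming detail that decides whether a freshly copied CRL is found at all. Every path, name and key in it is constructed test data; the cadir stands in for the /etc/openvpn/cadir/ from Rui's config.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA, issue two client
# certificates, revoke one, install the CRL into a CApath directory under its
# hash name, and run the same verify command Rui used. All names, paths and
# keys here are constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/cadir"      # stands in for /etc/openvpn/cadir/ from the config
CA="$WORK/ca"
mkdir -p "$CADIR" "$CA"

# Minimal openssl ca(1) state: certificate database, serial and CRL number.
: > "$CA/index.txt"
echo 01 > "$CA/serial"
echo 01 > "$CA/crlnumber"
cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

quiet() { "$@" >/dev/null 2>&1; }

# Throwaway CA plus two client certificates signed by it.
quiet openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj /CN=demo-ca \
  -addext basicConstraints=critical,CA:TRUE \
  -keyout "$CA/ca.key" -out "$CA/ca.crt" -config "$CA/ca.cnf"
for name in revoked-client valid-client; do
  quiet openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$CA/$name.key" -out "$CA/$name.csr" -config "$CA/ca.cnf"
  quiet openssl ca -batch -config "$CA/ca.cnf" -in "$CA/$name.csr" -out "$CA/$name.crt"
done

# Revoke one certificate and generate a fresh CRL from the CA database.
quiet openssl ca -config "$CA/ca.cnf" -revoke "$CA/revoked-client.crt"
quiet openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/crl.pem"

# CApath lookup is by name hash: <hash>.0 for a CA certificate and <hash>.r0
# for a CRL issued by it (the digit counts up when two names share a hash).
install_ca_cert() { cp "$1" "$CADIR/$(openssl x509 -hash -noout -in "$1").0"; }
install_crl()     { cp "$1" "$CADIR/$(openssl crl -hash -noout -in "$1").r0"; }

# The check from the thread, reduced to one word so it can be asserted on:
# "revoked", "no-crl" (no CRL for the issuer in CApath), "ok" or "other".
verify_with_crl() {
  out=$(openssl verify -crl_check -CApath "$CADIR" "$1" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo other ;;
  esac
}

install_ca_cert "$CA/ca.crt"
BEFORE_CRL=$(verify_with_crl "$CA/revoked-client.crt")   # no-crl: -crl_check needs a CRL
install_crl "$CA/crl.pem"
AFTER_CRL=$(verify_with_crl "$CA/revoked-client.crt")    # revoked: error 23 at 0 depth
STILL_VALID=$(verify_with_crl "$CA/valid-client.crt")    # ok: CRL present, serial not listed
echo "before CRL installed: $BEFORE_CRL"
echo "after CRL installed:  $AFTER_CRL"
echo "unrevoked client:     $STILL_VALID"
```

Run against a live server's cadir instead of the temporary one, the same verify_with_crl call tells you whether the CRL on disk is found and lists the serial. If it reports revoked while OpenVPN keeps accepting the client, the file is right and the open question is the one David raised: how the running process was told to load it (--capath, or --crl-verify with or without the dir flag) and whether it re-reads it for each connection or only at startup.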