On 20-08-2015 22:14, Jan Just Keijser wrote:
> Hi Rui,
Hi Jan,
>
> On 20/08/15 21:19, David Sommerseth wrote:
>> On 20/08/15 21:16, [email protected] wrote:
>>> ----- Original Message ----- From: "David Sommerseth"
>>> <[email protected]>
>>> To: <[email protected]>; "Rui Santos" <[email protected]>
>>> Cc: <[email protected]>
>>> Sent: Thursday, August 20, 2015 6:40 PM
>>> Subject: Re: [Openvpn-users] CRL and --CApath usage
>>>
>>>
>>> On 20/08/15 19:11, [email protected] wrote:
>>>> ----- Original Message ----- From: "Rui Santos"
>>>> <[email protected]> To: <[email protected]>
>>>> Sent: Thursday, August 20, 2015 3:10 PM Subject: Re:
>>>> [Openvpn-users] CRL and --CApath usage
>>>>
>>>>
>>>>> On 20-08-2015 15:01, [email protected] wrote:
>>>>>> ----- Original Message ----- From: "Rui Santos"
>>>>>> <[email protected]> To:
>>>>>> <[email protected]> Sent: Thursday, August
>>>>>> 20, 2015 12:33 PM Subject: [Openvpn-users] CRL and --CApath
>>>>>> usage
>>>>>>
>>>>>>
>>>>>>> I'm using --CApath option for CA and CRL approving/checking
>>>>>>>
>>>>>>> I just revoked a certificate, copied the new CRL to CApath,
>>>>>>> overwriting the old one, and the OpenVPN allowed the
>>>>>>> connection with that certificate.
>>>>>>>
>>>>>>> The openssl command for this:
>>>>>>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>>>>>>> error 23 at 0 depth lookup:certificate revoked
>>>>>>>
>>>>>>> I tried to connect several times, with success, which I
>>>>>>> shouldn't be able to.
>>>>>>>
>>>>>>> However, if I restart the OpenVPN service, it works as
>>>>>>> expected, with the error:
>>>>>>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>>>>>>>
>>>>>>> Directories leading to CApath and files are accessible to
>>>>>>> all users: 0755/0644
>>>>>>>
>>>>>>> I wonder if there is any kind of bug on this. Is this an
>>>>>>> expected behavior ? One should not need to restart the
>>>>>>> OpenVPN instance, just to reread the CRL.
>>>>>>>
>>>>>>> Am I missing something ?
> I know this worked in a previous release of OpenVPN - my setup relied 
> on it. I will check next week when I am back home to see if it still 
> works for v2.3+

Just enjoy the rest of your vacation.
I will wait. Thanks for your help.
>
> stay tuned,
>
> JJK
>
>
>
>

-- 
Melhores Cumprimentos / Best Regards,
Rui
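
The `openssl verify -crl_check -CApath` check quoted above can be reproduced against a throwaway CA to confirm that a CRL overwritten in place inside the CApath directory is sufficient on the OpenSSL side. This is an added example, not part of the original thread; the CA, subjects, file names and the `capath_crl_check` function are constructed for the demo, and the `<hash>.0` / `<hash>.r0` names follow OpenSSL's hashed-directory convention.

```shell
# Added example: throwaway PKI; every name, path and subject here is constructed.
capath_crl_check() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir capath; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
EOF
    ossl() { openssl "$@" >/dev/null 2>&1; }
    ossl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
         -days 30 -keyout ca.key -out ca.crt || exit 1
    ossl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=client1" \
         -keyout cert.key -out cert.csr || exit 1
    ossl ca -batch -config ca.cnf -in cert.csr -out cert.crt || exit 1
    # Hashed-directory names: <subject-hash>.0 for the CA, <issuer-hash>.r0 for its CRL.
    h=$(openssl x509 -noout -hash -in ca.crt)
    cp ca.crt "capath/$h.0"
    ossl ca -config ca.cnf -gencrl -out "capath/$h.r0" || exit 1
    check() { out=$(openssl verify -crl_check -CApath capath cert.crt 2>&1)
      case $out in *"certificate revoked"*) echo revoked;; *": OK"*) echo ok;; *) echo error;; esac; }
    before=$(check)
    ossl ca -config ca.cnf -revoke cert.crt || exit 1
    ossl ca -config ca.cnf -gencrl -out "capath/$h.r0" || exit 1  # overwrite old CRL in place
    echo "before=$before after=$(check)"
  )
  rc=$?; rm -rf "$d"; return $rc
}
capath_crl_check   # prints: before=ok after=revoked
```

Each `openssl verify` run is a new process that reads the directory afresh, so this only validates the CApath contents and naming, not what an already running daemon has loaded.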


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
