On 20-08-2015 22:14, Jan Just Keijser wrote:
> Hi Rui,
Hi Jan,
>
> On 20/08/15 21:19, David Sommerseth wrote:
>> On 20/08/15 21:16, debbie...@gmail.com wrote:
>>> ----- Original Message ----- From: "David Sommerseth"
>>> <openvpn.l...@topphemmelig.net>
>>> To: <debbie...@gmail.com>; "Rui Santos" <rsan...@grupopie.com>
>>> Cc: <openvpn-users@lists.sourceforge.net>
>>> Sent: Thursday, August 20, 2015 6:40 PM
>>> Subject: Re: [Openvpn-users] CRL and --CApath usage
>>>
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 20/08/15 19:11, debbie...@gmail.com wrote:
>>>> ----- Original Message ----- From: "Rui Santos"
>>>> <rsan...@grupopie.com> To: <openvpn-users@lists.sourceforge.net>
>>>> Sent: Thursday, August 20, 2015 3:10 PM Subject: Re:
>>>> [Openvpn-users] CRL and --CApath usage
>>>>
>>>>
>>>>> On 20-08-2015 15:01, debbie...@gmail.com wrote:
>>>>>> ----- Original Message ----- From: "Rui Santos"
>>>>>> <rsan...@grupopie.com> To:
>>>>>> <openvpn-users@lists.sourceforge.net> Sent: Thursday, August
>>>>>> 20, 2015 12:33 PM Subject: [Openvpn-users] CRL and --CApath
>>>>>> usage
>>>>>>
>>>>>>
>>>>>>> I'm using --CApath option for CA and CRL approving/checking
>>>>>>>
>>>>>>> I just revoked a certificate, copied the new CRL to CApath,
>>>>>>> overwriting the old one, and the OpenVPN allowed the
>>>>>>> connection with that certificate.
>>>>>>>
>>>>>>> The openssl command for this:
>>>>>>> ~# openssl verify -crl_check -CApath <cadir> cert.crt
>>>>>>> error 23 at 0 depth lookup:certificate revoked
>>>>>>>
>>>>>>> I tried to connect several times, with success, which I
>>>>>>> shouldn't be able to.
>>>>>>>
>>>>>>> However, if I restart the OpenVPN service, it works as
>>>>>>> expected, with the error:
>>>>>>> <IP>:42410 VERIFY ERROR: depth=0, error=certificate revoked: C=........
>>>>>>>
>>>>>>> Directories leading to CApath and files are accessible to all
>>>>>>> users: 0755/0644
>>>>>>>
>>>>>>> I wonder if there is any kind of bug in this. Is this
>>>>>>> expected behavior? One should not need to restart the
>>>>>>> OpenVPN instance just to reread the CRL.
>>>>>>>
>>>>>>> Am I missing something?
> I know this worked in a previous release of OpenVPN - my setup relied 
> on it. I will check next week when I am back home to see if it still 
> works for v2.3+

Just enjoy the rest of your vacation.
I will wait. Thanks for your help.
>
> stay tuned,
>
> JJK

-- 
Melhores Cumprimentos / Best Regards,
Rui
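
Added example (not part of the original thread, and not OpenVPN code): a throwaway CA built in a temporary directory reproduces the `openssl verify -crl_check -CApath` check from the quoted post, showing the hashed `<hash>.0` / `<hash>.r0` file names a CApath directory uses and the verdict before and after the CRL file is overwritten. All names, subjects and paths are constructed; it exercises only a fresh OpenSSL lookup and does not reproduce the behaviour of a running OpenVPN process.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; every name and path is constructed.
set -eu

verdict() {  # same check as in the post, reduced to "OK" or "certificate revoked"
  openssl verify -crl_check -CApath capath cert.crt 2>&1 | grep -Eo 'OK$|certificate revoked' || true
}

crl_capath_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  mkdir capath; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  exec 2>/dev/null   # silence key generation and signing chatter
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -keyout ca.key -out ca.crt
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=client1" -keyout c.key -out c.csr
  openssl ca -config ca.cnf -batch -notext -in c.csr -out cert.crt >/dev/null
  h=$(openssl x509 -noout -hash -in ca.crt)   # subject hash names the CApath entries
  cp ca.crt "capath/$h.0"                     # CA certificate: <hash>.0
  openssl ca -config ca.cnf -gencrl -out "capath/$h.r0"   # CRL: <hash>.r0
  echo "before revocation: $(verdict)"
  openssl ca -config ca.cnf -revoke cert.crt
  openssl ca -config ca.cnf -gencrl -out "capath/$h.r0"   # overwrite, as in the post
  echo "after revocation: $(verdict)"
)

crl_capath_demo
```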

