The manual page states that:

"When using the --capath option, you are required to supply valid CRLs for the CAs too."

This is not strictly true (and might be turning people away from even using this option) - a better wording would probably be "expected to supply". If relevant CRLs are not found, OpenVPN will log the usual warning about not being able to find a matching CRL (e.g. "VERIFY WARNING: depth=0, unable to get certificate CRL:"), but the connection will be allowed.

This warning is no different from e.g. having an intermediate + root CA config and supplying a CRL via the --crl-verify option, which only interprets one CRL - so OpenVPN will issue warnings about either not finding a CRL for depth 0 (if we supply the root's CRL) or depth 1+2 (if we supply the intermediate's CRL).

I could supply a simple patch to the man page to expand the description of this option.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

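The post's point is that with --capath OpenVPN only warns when a CA in the chain has no CRL in the directory, while the strict check in OpenSSL's own verify tool refuses the chain outright. The script below is an added example, not code from the post or from the OpenVPN project: it builds a throw-away root -> intermediate -> client PKI with one (empty) CRL per CA, lays the files out in the hashed-directory format that --capath reads (`<subject-hash>.N` for CA certificates, `<issuer-hash>.rN` for CRLs), and then runs `openssl verify -crl_check_all` once with every CRL present and once without the root's CRL, which is the CRL that covers the intermediate at depth 1. Only the `openssl` command-line tool is assumed; all CA names, file names and directories are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing list post or the OpenVPN project).
# Builds a scratch root -> intermediate -> client PKI with one CRL per CA,
# installs it as an OpenSSL hashed CA directory (what --capath expects) and
# shows, via `openssl verify -crl_check_all`, which CRLs the chain needs.
# Assumes only the `openssl` CLI; every name and path below is constructed.
set -e

# Minimal OpenSSL config for one CA directory: a [req] section so `openssl req`
# never needs the system openssl.cnf, a [ca_default] section for
# `openssl ca -gencrl`, and the extension profiles used when signing.
write_cnf() {  # $1 = CA directory (absolute path)
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
default_md         = sha256
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = ca_default
[ ca_default ]
database         = $1/index.txt
crlnumber        = $1/crlnumber
certificate      = $1/ca.crt
private_key      = $1/ca.key
default_md       = sha256
default_crl_days = 30
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Create the PKI under $1: root CA, intermediate CA (signed by the root), a
# client certificate (signed by the intermediate) and an empty CRL from each CA.
pki_setup() {
  d=$1
  for ca in root inter; do
    mkdir -p "$d/$ca"
    : > "$d/$ca/index.txt"     # empty issued-certificate database for `openssl ca`
    echo 01 > "$d/$ca/crlnumber"
    write_cnf "$d/$ca"
  done
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -config "$d/root/ca.cnf" -extensions v3_ca -keyout "$d/root/ca.key" -out "$d/root/ca.crt"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -config "$d/inter/ca.cnf" -keyout "$d/inter/ca.key" -out "$d/inter/ca.csr"
  openssl x509 -req -days 30 -sha256 -in "$d/inter/ca.csr" -CA "$d/root/ca.crt" \
    -CAkey "$d/root/ca.key" -CAcreateserial -extfile "$d/inter/ca.cnf" -extensions v3_ca \
    -out "$d/inter/ca.crt"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -config "$d/inter/ca.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr"
  openssl x509 -req -days 30 -sha256 -in "$d/leaf.csr" -CA "$d/inter/ca.crt" \
    -CAkey "$d/inter/ca.key" -CAcreateserial -extfile "$d/inter/ca.cnf" -extensions v3_leaf \
    -out "$d/leaf.crt"
  # The root's CRL covers the intermediate (depth 1, and the root itself at depth 2);
  # the intermediate's CRL covers the client certificate (depth 0).
  openssl ca -gencrl -config "$d/root/ca.cnf" -out "$d/root/crl.pem"
  openssl ca -gencrl -config "$d/inter/ca.cnf" -out "$d/inter/crl.pem"
}

# Install one PEM file under the name OpenSSL's hashed-directory lookup expects:
# <subject-hash>.N for a CA certificate, <issuer-hash>.rN for a CRL, with N
# counting up when two names hash to the same value.
capath_add() {  # $1 = capath dir, $2 = PEM file, $3 = "cert" or "crl"
  mkdir -p "$1"
  if [ "$3" = cert ]; then
    hash=$(openssl x509 -in "$2" -noout -subject_hash); tag=
  else
    hash=$(openssl crl -in "$2" -noout -hash); tag=r
  fi
  n=0
  while [ -e "$1/$hash.$tag$n" ]; do n=$((n + 1)); done
  cp "$2" "$1/$hash.$tag$n"
}

# Strict check: every certificate in the chain, the root included, must have a
# CRL in the directory. OpenSSL's verify fails with "unable to get certificate
# CRL" here, where the post reports that OpenVPN logs the warning and continues.
capath_check() {  # $1 = capath dir, $2 = leaf certificate; exit status is openssl's
  openssl verify -CApath "$1" -crl_check_all "$2" 2>&1
}

demo() {  # $1 = scratch directory (default: a fresh mktemp directory)
  d=${1:-$(mktemp -d)}
  pki_setup "$d"
  for f in root/ca.crt inter/ca.crt; do capath_add "$d/capath" "$d/$f" cert; done
  for f in root/crl.pem inter/crl.pem; do capath_add "$d/capath" "$d/$f" crl; done
  echo "== capath with a CRL for every CA:"
  capath_check "$d/capath" "$d/leaf.crt"
  # Same certificates, but without the root's CRL: nothing covers depth 1.
  for f in root/ca.crt inter/ca.crt; do capath_add "$d/capath_noroot" "$d/$f" cert; done
  capath_add "$d/capath_noroot" "$d/inter/crl.pem" crl
  echo "== capath missing the root's CRL:"
  capath_check "$d/capath_noroot" "$d/leaf.crt" || true
}

demo "$@"
```

Running `capath_check` against the directory you intend to hand to --capath, before the server goes live, turns the warning the post describes into a hard failure you can act on: the output names the depth at which no CRL was found, which tells you which CA's CRL is missing from the directory.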