Re: Problems with revoked certificate
Thank you very much. I have enabled CRL verification in OpenVPN and now it works.

Patrick Patterson-3 wrote:
>
> On July 16, 2008 09:32:41 am albertlb wrote:
>> Hello
>>
>> I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have
>> revoked a user certificate but the user still has access to the VPN. The
>> reference to this user appears in the crl.pem file. What could be
>> happening?
>>
>> Thank you
>> http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf
>
> If I am not mistaken, OpenVPN does not automatically fetch the new CRL,
> and must be told specifically to do CRL verification.
>
> So, if your CA is not on the OpenVPN machine (which would be a VERY good
> thing :), you have to make sure that the CRL gets replicated from the CA
> out to the machine, and put in the location specified by the crl-verify
> option.
>
> As a note: This is an OpenVPN configuration question, not an OpenSSL
> question - you probably will get better support asking on the OpenVPN
> mailing list.
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/Problems-with-revoked-certificate-tp18487517p18504076.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: Problems with revoked certificate
albertlb wrote:
> I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have
> revoked a user certificate but the user still has access to the VPN. The
> reference to this user appears in the crl.pem file. What could be
> happening?
>
> Thank you
> http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf

Someone has already answered the CRL question, but I feel the need to point out that certificate validity isn't adequate for access authorization. That is, conflating authentication and authorization is usually a mistake.

- M
Re: Problems with revoked certificate
On July 16, 2008 09:32:41 am albertlb wrote:
> Hello
>
> I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have
> revoked a user certificate but the user still has access to the VPN. The
> reference to this user appears in the crl.pem file. What could be
> happening?
>
> Thank you
> http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf

If I am not mistaken, OpenVPN does not automatically fetch the new CRL, and must be told specifically to do CRL verification.

So, if your CA is not on the OpenVPN machine (which would be a VERY good thing :), you have to make sure that the CRL gets replicated from the CA out to the machine, and put in the location specified by the crl-verify option.

As a note: This is an OpenVPN configuration question, not an OpenSSL question - you probably will get better support asking on the OpenVPN mailing list.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
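The replication point in the reply above, as an added example that is not part of the original thread: a throwaway CA shows that a revoked certificate still passes a CRL check when the CRL file being consulted predates the revocation. The CA name, the users alice and bob, and all file names are constructed for the demonstration.

```shell
# Added example: throwaway CA in directory $1 with constructed users alice and bob.
# crl-old.pem is issued BEFORE bob is revoked (what a VPN host still holds if the
# CRL is never copied over from the CA); crl.pem is issued after the revocation.
make_demo_pki() (
    cd "$1" && : > index.txt && echo 01 > serial && cat > ca.cnf <<'EOF' &&
[req]
distinguished_name = dn
x509_extensions = v3ca
[dn]
[v3ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null &&
    for u in alice bob; do
        openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=$u" -keyout "$u.key" -out "$u.csr" 2>/dev/null &&
        openssl ca -config ca.cnf -batch -notext -in "$u.csr" -out "$u.crt" 2>/dev/null || exit 1
    done &&
    openssl ca -config ca.cnf -gencrl -out crl-old.pem 2>/dev/null &&
    openssl ca -config ca.cnf -revoke bob.crt 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)
# crl_status CA_CERT CRL_FILE CLIENT_CERT: check one certificate against one CRL file.
crl_status() {
    out=$(openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" 2>&1) && { echo valid; return 0; }
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *"CRL has expired"*)     echo stale-crl ;;
        *)                       echo error ;;
    esac
}
d=$(mktemp -d) && make_demo_pki "$d"
for c in crl-old.pem crl.pem; do echo "bob vs $c: $(crl_status "$d/ca.crt" "$d/$c" "$d/bob.crt")"; done
```

On a real server, the CRL file to check this way is the one the crl-verify option points at.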
Problems with revoked certificate
Hello

I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have revoked a user certificate but the user still has access to the VPN. The reference to this user appears in the crl.pem file. What could be happening?

Thank you
http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf

--
View this message in context: http://www.nabble.com/Problems-with-revoked-certificate-tp18487517p18487517.html