CRL analog of --client-connect
Posted: Mon Sep 26, 2022 7:19 pm
Hello,
I'm using OpenVPN in a distributed server with a read-only filesystem. Each time a computing node spawns a process, it imports all my OpenVPN settings from a distributed RQLite database.
The RQLite database is itself distributed among multiple computing nodes, so ideally the system has no single point of failure (I mean outages, not bugs or security breaches.)
Converting database entries to command line options and temporary RAM-backed files is not a problem if done once at OpenVPN start time - after all OpenVPN only reads these files once before dropping privileges.
But Certificate Revocation Lists (CRLs) are posing a problem, I need to keep updating the CRL file from the database and this is fraught with dangers and difficulties. The filesystem is complicated to get right, especially in a security sensitive environment. Files can be half-written when OpenVPN reads them. A "fake" filesystem like FUSE or WinFSP is better, but still a security liability. I would prefer that OpenVPN calls a script that returns the current CRL through STDOUT, named pipe, temporary file, or similar. At least I can flush the file before returning from the script to make sure it's not torn in the middle. I think this could be a useful feature for anyone running OpenVPN in a read-only filesystem environment.
I am willing to make the changes myself (I'm looking at tls_ctx_reload_crl() in ssl.c) but I'd want to know if this patch will get incorporated into OpenVPN, before I invest the effort.
I'm using OpenVPN in a distributed server with a read-only filesystem. Each time a computing node spawns a process, it imports all my OpenVPN settings from a distributed RQLite database.
The RQLite database is itself distributed among multiple computing nodes, so ideally the system has no single point of failure (I mean outages, not bugs or security breaches.)
Converting database entries to command line options and temporary RAM-backed files is not a problem if done once at OpenVPN start time - after all OpenVPN only reads these files once before dropping privileges.
But Certificate Revocation Lists (CRLs) are posing a problem, I need to keep updating the CRL file from the database and this is fraught with dangers and difficulties. The filesystem is complicated to get right, especially in a security sensitive environment. Files can be half-written when OpenVPN reads them. A "fake" filesystem like FUSE or WinFSP is better, but still a security liability. I would prefer that OpenVPN calls a script that returns the current CRL through STDOUT, named pipe, temporary file, or similar. At least I can flush the file before returning from the script to make sure it's not torn in the middle. I think this could be a useful feature for anyone running OpenVPN in a read-only filesystem environment.
I am willing to make the changes myself (I'm looking at tls_ctx_reload_crl() in ssl.c) but I'd want to know if this patch will get incorporated into OpenVPN, before I invest the effort.