crl-verify crl ['dir']

wangdadaxin
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 27, 2017 3:25 am

crl-verify crl ['dir']

Post by wangdadaxin » Mon Nov 27, 2017 3:49 am

I want to limit the user by specifying a directory. The situation now is that OpenVPN itself works, but limiting the user is not working.
The official documents are as follows:


Check peer certificate against the file crl in PEM format.
A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.

Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI.

The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.

If the optional dir flag is specified, enable a different mode where crl is a directory containing files named as revoked serial numbers (the files may be empty, the contents are never read). If a client requests a connection, where the client certificate serial number (decimal string) is the name of a file present in the directory, it will be rejected.

Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with --user, make sure that this user has sufficient privileges to read the file.

Security considerations

--crl-verify does not check whether the CRL is correctly signed by the CA. It merely checks that the CRL issuer matches the CA CN. Therefore, users should ensure that the supplied CRL is correct.

OpenVPN 2.4 and newer resolve this issue.
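How the dir mode quoted above works in practice, as an added example (this is illustration code written for this page, not OpenVPN's source and not the poster's configuration): it converts the hex serial that `openssl x509 -noout -serial` prints and that easy-rsa's index.txt lists into the decimal file name OpenVPN looks for, extracts the serial directly from a certificate's DER, and emulates the per-connection existence check together with the create-file / delete-file workflow asked about later in the thread. The certificate blob and the 128-bit serial are constructed test data, not a real certificate.

```python
"""Emulation of OpenVPN's ``crl-verify <dir> dir`` lookup (added example, not
OpenVPN code). A client is rejected when a file named with its certificate
serial number, as a DECIMAL string, exists in <dir>; contents are never read."""
import base64
import os
import tempfile


def hex_serial_to_decimal(hex_serial: str) -> str:
    """Turn a hex serial ("serial=0A..." from `openssl x509 -noout -serial`, or
    the hex column of easy-rsa's index.txt) into OpenVPN's decimal file name."""
    h = hex_serial.strip()
    if h.lower().startswith("serial="):
        h = h.split("=", 1)[1]
    return str(int(h.replace(":", ""), 16))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) of the DER element at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(der: bytes) -> int:
    """serialNumber from Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... } ... }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (Certificate)")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (TBSCertificate)")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                      # [0] version present in v2/v3 certificates
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(val, "big", signed=True)


def serial_from_pem(pem: str) -> int:
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return serial_from_der(base64.b64decode(body))


def revoke(crl_dir: str, serial: int) -> str:
    """Block a client: create an empty file named after the decimal serial."""
    path = os.path.join(crl_dir, str(serial))
    open(path, "a").close()
    return path


def unrevoke(crl_dir: str, serial: int) -> None:
    """Re-admit a client by deleting its marker file (no OpenVPN restart needed)."""
    os.remove(os.path.join(crl_dir, str(serial)))


def is_revoked(crl_dir: str, serial: int) -> bool:
    """The check OpenVPN performs on every connection attempt in dir mode."""
    return os.path.isfile(os.path.join(crl_dir, str(serial)))


def _der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed test blob."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def constructed_cert_skeleton(serial: int) -> bytes:
    """CONSTRUCTED test input: DER with the outer shape of a v3 certificate up to
    serialNumber; later fields are stubbed with NULLs so lengths go long-form.
    It is not a valid certificate and would not pass any real verifier."""
    version = _der(0xA0, _der(0x02, b"\x02"))                          # v3
    ser = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = _der(0x30, version + ser + b"\x05\x00" * 64)
    return _der(0x30, tbs + b"\x05\x00" + b"\x03\x01\x00")


def demo() -> dict:
    """Round trip: PEM -> serial -> decimal file name -> revoke / unrevoke."""
    serial = 0x8A1B0D3F2C7E5A9146B3D8E0F12A3C4D   # constructed easy-rsa style 128-bit serial
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(constructed_cert_skeleton(serial)).decode()
           + "-----END CERTIFICATE-----\n")
    parsed = serial_from_pem(pem)
    with tempfile.TemporaryDirectory() as crl_dir:
        before = is_revoked(crl_dir, parsed)
        revoke(crl_dir, parsed)
        during = is_revoked(crl_dir, parsed)
        # A file named with the HEX serial (what openssl prints) is NOT matched.
        hex_name = os.path.isfile(os.path.join(crl_dir, format(parsed, "X")))
        unrevoke(crl_dir, parsed)
        after = is_revoked(crl_dir, parsed)
    return {"serial": parsed, "file_name": str(parsed), "before": before,
            "during": during, "hex_name_matches": hex_name, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two things to check when the directory seems to be ignored: a relative path in the config is resolved against OpenVPN's working directory (`--cd` sets it explicitly; otherwise it is wherever the daemon was started), and because the lookup happens on every connection, the account named by `--user` must be able to read the directory after privileges are dropped.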

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: crl-verify crl ['dir']

Post by TinCanTech » Mon Nov 27, 2017 1:34 pm

I use this feature all the time and it works perfectly .. So what is the problem ?

wangdadaxin
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 27, 2017 3:25 am

Re: crl-verify crl ['dir']

Post by wangdadaxin » Tue Nov 28, 2017 12:42 am

TinCanTech wrote:
Mon Nov 27, 2017 1:34 pm
I use this feature all the time and it works perfectly .. So what is the problem ?
The problem is that the way I use the specified directory does not limit the user connection.
Here is how I use it in my configuration file. Can you please see what's wrong with it?

crl-verify ../easyrsa3/pki/verify dir

wangdadaxin
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 27, 2017 3:25 am

Re: crl-verify crl ['dir']

Post by wangdadaxin » Tue Nov 28, 2017 12:47 am

wangdadaxin wrote:
Tue Nov 28, 2017 12:42 am
TinCanTech wrote:
Mon Nov 27, 2017 1:34 pm
I use this feature all the time and it works perfectly .. So what is the problem ?
The problem is that the way I use the specified directory does not limit the user connection.
Here is how I use it in my configuration file. Can you please see what's wrong with it?

crl-verify ../easyrsa3/pki/verify dir
I want to use this method to limit user login without having to restart the openvpn service, and also to re-enable a restricted user's login by deleting files from the directory.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: crl-verify crl ['dir']

Post by TinCanTech » Tue Nov 28, 2017 1:39 am


wangdadaxin
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 27, 2017 3:25 am

Re: crl-verify crl ['dir']

Post by wangdadaxin » Wed Nov 29, 2017 1:41 am

TinCanTech wrote:
Tue Nov 28, 2017 1:39 am
Please see:
HOWTO: Request Help !
This document does not help me. I want to give openvpn crl-verify a custom directory.
