I want to limit the user by specifying a directory, and now the situation is that openvpn is successful, but limiting the user is not working.
The official documentation says:
Check peer certificate against the file crl in PEM format.
A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.
Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI.
The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
If the optional dir flag is specified, enable a different mode where crl is a directory containing files named as revoked serial numbers (the files may be empty, the contents are never read). If a client requests a connection, where the client certificate serial number (decimal string) is the name of a file present in the directory, it will be rejected.
Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with --user, make sure that this user has sufficient privileges to read the file.
Security considerations
--crl-verify does not check whether the CRL is correctly signed by the CA. It merely checks that the CRL issuer matches the CA CN. Therefore, users should ensure that the supplied CRL is correct.
OpenVPN 2.4 and newer resolve this issue.
crl-verify crl ['dir']
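The `dir` mode in the quoted manual text hinges on one detail that is easy to get wrong: the file name must be the certificate serial as a decimal string, while `openssl x509 -noout -serial` prints it in hex. The script below is an added example (not code from this thread or from the OpenVPN project): it reads the serial straight out of a PEM certificate with a minimal DER walk (standard library only, no openssl needed), converts it to the decimal name OpenVPN compares against, creates or removes that marker file, and lints the directory for names that can never match. The embedded sample certificate is a constructed DER skeleton that carries only the fields the parser reads (it is not a valid certificate); the script name `crl_dir.py` and the `demo()` helper are assumptions for illustration. Real input would be a client `.crt` from the easy-rsa `pki/issued/` directory.

```python
"""crl_dir.py: manage an OpenVPN ``crl-verify <dir> dir`` directory (added example).

In ``dir`` mode OpenVPN rejects a client whose certificate serial number,
written as a DECIMAL string, names a file in the directory.  It rereads the
directory on every handshake, so revoking/unrevoking needs no restart.
"""
import base64
import os
import re
import sys
import tempfile
from pathlib import Path


def _der_element(data: bytes, pos: int):
    """Decode one DER TLV at ``pos``; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def cert_serial(pem: str) -> int:
    """Serial number of the first PEM certificate in ``pem``, as an int."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    #     version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    tag, tbs_start, _ = _der_element(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _der_element(der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, v_start, v_end = _der_element(der, pos)
    if tag == 0xA0:                        # explicit [0] version present (v2/v3 certs)
        tag, v_start, v_end = _der_element(der, v_end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[v_start:v_end], "big", signed=True)


def marker_name(serial: int) -> str:
    """The file name OpenVPN looks for: plain decimal, no hex, no leading zeros."""
    return str(serial)


def revoke(crl_dir, serial: int) -> Path:
    """Block the certificate: create the empty marker. Effective on the next handshake."""
    d = Path(crl_dir)
    d.mkdir(parents=True, exist_ok=True)
    marker = d / marker_name(serial)
    marker.touch()
    return marker


def unrevoke(crl_dir, serial: int) -> bool:
    """Re-admit the certificate by deleting its marker; False if it was not blocked."""
    marker = Path(crl_dir) / marker_name(serial)
    if not marker.is_file():
        return False
    marker.unlink()
    return True


def lint_crl_dir(crl_dir) -> list:
    """Names that can never match a client, e.g. hex serials or 'serial=...' output."""
    decimal = re.compile(r"0|[1-9][0-9]*")
    return sorted(n for n in os.listdir(crl_dir) if not decimal.fullmatch(n))


# Constructed sample: a DER skeleton with just a v3 version field and a
# 128-bit serial whose top bit is set (like easy-rsa's random serials).
SAMPLE_SERIAL = 0xA1B2C3D4E5F60718293A4B5C6D7E8F90


def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _sample_pem() -> str:
    ser = SAMPLE_SERIAL.to_bytes(SAMPLE_SERIAL.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser))
    body = base64.b64encode(_tlv(0x30, tbs)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = _sample_pem()


def demo() -> dict:
    """Full cycle in a scratch directory, including the classic hex-named mistake."""
    with tempfile.TemporaryDirectory() as tmp:
        serial = cert_serial(SAMPLE_PEM)
        marker = revoke(tmp, serial)
        (Path(tmp) / f"{serial:X}").touch()        # hex name: OpenVPN will never match it
        return {"serial": serial, "marker": marker.name, "blocked": marker.is_file(),
                "lint": lint_crl_dir(tmp), "unrevoked": unrevoke(tmp, serial),
                "again": unrevoke(tmp, serial)}


if __name__ == "__main__":
    # usage: crl_dir.py <crl-dir> revoke|unrevoke|lint [client.crt]
    crl_dir, action = sys.argv[1], sys.argv[2]
    if action == "lint":
        print("\n".join(lint_crl_dir(crl_dir)) or "ok")
    else:
        serial = cert_serial(Path(sys.argv[3]).read_text())
        print(f"hex {serial:X} -> decimal {marker_name(serial)}")
        print(revoke(crl_dir, serial) if action == "revoke" else unrevoke(crl_dir, serial))
```

Two checks worth doing on a server where this "does not work": run the lint against the directory OpenVPN is actually reading (a relative `crl-verify` path is resolved against the daemon's working directory, which `--cd` and `--chroot` change), and confirm, per the manual's note, that the `--user` account can read and search it, since the directory is consulted on every handshake. In `dir` mode no CRL signature is involved at all, so write access to that directory is what controls who gets admitted.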
TinCanTech (OpenVPN Protagonist; Posts: 11137; Joined: Fri Jun 03, 2016 1:17 pm)
Re: crl-verify crl ['dir']
I use this feature all the time and it works perfectly .. So what is the problem ?
wangdadaxin (OpenVpn Newbie; Posts: 4; Joined: Mon Nov 27, 2017 3:25 am)
Re: crl-verify crl ['dir']
TinCanTech wrote: ↑Mon Nov 27, 2017 1:34 pm
I use this feature all the time and it works perfectly .. So what is the problem ?

The problem is that the way I use the specified directory does not restrict the user's connection.
Here is how I use it in my configuration file. Can you please see what's wrong with it?
crl-verify ../easyrsa3/pki/verify dir
wangdadaxin (OpenVpn Newbie; Posts: 4; Joined: Mon Nov 27, 2017 3:25 am)
Re: crl-verify crl ['dir']
wangdadaxin wrote: ↑Tue Nov 28, 2017 12:42 am
TinCanTech wrote: ↑Mon Nov 27, 2017 1:34 pm
I use this feature all the time and it works perfectly .. So what is the problem ?
The problem is that the way I use the specified directory does not restrict the user's connection.
Here is how I use it in my configuration file. Can you please see what's wrong with it?
crl-verify ../easyrsa3/pki/verify dir

I want to use this method to restrict user login without having to restart the OpenVPN service, and also to re-enable a restricted user's login by deleting the file from the directory.
TinCanTech (OpenVPN Protagonist; Posts: 11137; Joined: Fri Jun 03, 2016 1:17 pm)
Re: crl-verify crl ['dir']
Please see:
HOWTO: Request Help !
wangdadaxin (OpenVpn Newbie; Posts: 4; Joined: Mon Nov 27, 2017 3:25 am)
Re: crl-verify crl ['dir']
This document does not help me. I want to make OpenVPN's crl-verify use a custom directory.