Connections silently fail when -capath and -crl_verify both used

seb101
OpenVpn Newbie
Posts: 8
Joined: Mon Sep 10, 2018 7:06 pm

Connections silently fail when -capath and -crl_verify both used

Post by seb101 » Sun Oct 14, 2018 2:45 pm

Hi,

There is a minor documentation/logging bug relating to the -capath and -crl_verify options. Recently I switched to using -capath with my server so I could more easily update the CRLs for the Root and Intermediate certs. When I switched over to the -capath config I removed the -ca option from my config; however, through oversight, I didn't remove the -crl_verify option (which still pointed to a separate but valid copy of the CRL file for the Intermediate CA).

When clients attempted to connect after this change they would time-out on the client side with no error. On the server side the only error was:

Sun Oct 14 15:34:41 2018 daemon.notice openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 TLS: Initial packet from [AF_INET]xxx.xxx.145.165:12324, sid=1a7ae052 9ee22fbd
Sun Oct 14 15:34:42 2018 daemon.notice openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 VERIFY OK: depth=2, C=GB, ST=England, O=XXXX, OU=XXXX Certificate Authority, CN=XXXX.net Root CA
Sun Oct 14 15:34:42 2018 daemon.notice openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 VERIFY OK: depth=1, C=GB, ST=England, O=XXXX, OU=XXXX VPN Certificate Authority, CN=XXXX.net VPN Intermediate CA
Sun Oct 14 15:34:42 2018 daemon.notice openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 VERIFY OK: depth=0, C=GB, ST=England, O=XXXX, OU=XXXX VPN, CN=vpn-client-15524
Sun Oct 14 15:34:42 2018 daemon.err openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 OpenSSL: error:0B07D065:lib(11):func(125):reason(101)
Sun Oct 14 15:34:42 2018 daemon.err openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 TLS_ERROR: BIO read tls_read_plaintext error
Sun Oct 14 15:34:42 2018 daemon.err openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 TLS Error: TLS object -> incoming plaintext read error
Sun Oct 14 15:34:42 2018 daemon.err openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 TLS Error: TLS handshake failed
Sun Oct 14 15:34:42 2018 daemon.notice openvpn(vpnserver)[23383]: xxx.xxx.145.165:12324 SIGUSR1[soft,tls-error] received, client-instance restarting

As the error OpenVPN displayed was regarding TLS negotiation I assumed this was a problem with the certs in my capath dir and wasted a lot of cycles verifying and redeploying these to no avail. Only through chance did I think to disable the -crl_verify option and everything started to work again.

I recommend that a note be added to the documentation for -crl_verify and -capath saying that they should not be used together. Also consider a log message to explain the failure when -capath and -crl_verify are used together.

Further testing showed, oddly, that if -crl_verify is used at the same time as -capath WITHOUT pointing to a valid CRL file then connections still work, but with a warning:

Sun Oct 14 15:31:51 2018 daemon.warn openvpn(vpnserver)[22905]: WARNING: Failed to stat CRL file, not (re)loading CRL.
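Added here as an example, not code from the thread or from the OpenVPN project: a small POSIX-shell lint that flags a server config setting both options at once (the silent-failure case above) and warns when a capath directory holds no hashed CRL link, which is the only form in which OpenSSL reads CRLs from a capath. It assumes the config-file spellings "capath" and "crl-verify" (the posts write -capath / -crl_verify); the sample configs and directories it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: lint an OpenVPN
# server config for the capath / crl-verify combination reported above.
#
# check_config CONF -> status 2: capath and crl-verify both set (the failing
#   combination); 1: capath set but the directory holds no hashed <hash>.r0
#   CRL link, so no CRL would be checked at all; 0: nothing to report.
check_config() {
    conf="$1"
    capath=$(awk '$1 == "capath"     { print $2; exit }' "$conf")
    crl=$(awk    '$1 == "crl-verify" { print $2; exit }' "$conf")

    if [ -n "$capath" ] && [ -n "$crl" ]; then
        echo "ERROR: $conf sets both 'capath' and 'crl-verify';" \
             "install the CRL into $capath as <hash>.r0 and drop crl-verify"
        return 2
    fi
    if [ -n "$capath" ]; then
        if [ ! -d "$capath" ]; then
            echo "ERROR: capath directory '$capath' does not exist"
            return 1
        fi
        # OpenSSL only reads CRLs from a capath via hashed links: <hash>.r0, .r1, ...
        set -- "$capath"/*.r[0-9]*
        if [ ! -e "$1" ]; then
            echo "WARNING: no hashed CRL (*.r0) in '$capath'; revocation is not checked"
            return 1
        fi
    fi
    echo "OK: $conf"
    return 0
}

# Constructed sample configs covering the three outcomes.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/certs" "$tmp/empty"
    : > "$tmp/certs/1234abcd.r0"      # placeholder for a hashed CRL link
    printf 'capath %s\ncrl-verify /etc/openvpn/crl.pem\n' "$tmp/certs" > "$tmp/both.conf"
    printf 'capath %s\n' "$tmp/certs" > "$tmp/capath-only.conf"
    printf 'capath %s\n' "$tmp/empty" > "$tmp/no-crl.conf"
    for c in both capath-only no-crl; do
        check_config "$tmp/$c.conf" || echo "  -> status $?"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The OpenSSL code in the server log can be decoded on the same host with: openssl errstr 0B07D065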

TinCanTech
OpenVPN Protagonist
Posts: 5021
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connections silently fail when -capath and -crl_verify both used

Post by TinCanTech » Sun Oct 14, 2018 3:32 pm

This does sound like it could be improved, even if not technically a bug.

Can you please raise a ticket on the bug tracker.
https://community.openvpn.net/openvpn/report

seb101
OpenVpn Newbie
Posts: 8
Joined: Mon Sep 10, 2018 7:06 pm

Re: Connections silently fail when -capath and -crl_verify both used

Post by seb101 » Sun Oct 14, 2018 6:32 pm

TinCanTech wrote:
Sun Oct 14, 2018 3:32 pm
This does sound like it could be improved, even if not technically a bug.

Can you please raise a ticket on the bug tracker.
https://community.openvpn.net/openvpn/report
Will do - however I don't seem to have the option to open a new ticket on that page. Are there additional permissions I need?

dazo
OpenVPN Inc.
Posts: 136
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: Connections silently fail when -capath and -crl_verify both used

Post by dazo » Wed Oct 17, 2018 11:42 am

Did you log in? Use the same credentials as here in the forum.
