When does OpenVPN reload CRLs with -capath?

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
seb101
OpenVpn Newbie
Posts: 8
Joined: Mon Sep 10, 2018 7:06 pm

When does OpenVPN reload CRLs with -capath?

Post by seb101 » Mon Oct 15, 2018 11:28 pm

Hi all,

Does anyone know the logic for when OpenVPN will reload CRL files whilst using the -capath option?

I have scripted my CA server to drop the updated CRL files into the -capath directory on the VPN server whenever a new cert is revoked, but I want to be certain when OVPN will re-load these files from disk.

There is an old bug ticket related to this: https://community.openvpn.net/openvpn/ticket/623 but it hasn't been touched in a couple of years.

Thanks!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5015
Joined: Fri Jun 03, 2016 1:17 pm

Re: When does OpenVPN reload CRLs with -capath?

Post by TinCanTech » Tue Oct 16, 2018 12:37 am

This relates to version 2.3.8 .. which version are you using ?

seb101
OpenVpn Newbie
Posts: 8
Joined: Mon Sep 10, 2018 7:06 pm

Re: When does OpenVPN reload CRLs with -capath?

Post by seb101 » Tue Oct 16, 2018 4:00 pm

I'm using Version 2.4

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5015
Joined: Fri Jun 03, 2016 1:17 pm

Re: When does OpenVPN reload CRLs with -capath?

Post by TinCanTech » Tue Oct 16, 2018 7:48 pm

The trac ticket you listed refers to a workaround, if you would like to try that ..

The problem itself stems directly from OpenSSL .. So they have chosen this behaviour ..

Personally, I would not use --capath

seb101
OpenVpn Newbie
Posts: 8
Joined: Mon Sep 10, 2018 7:06 pm

Re: When does OpenVPN reload CRLs with -capath?

Post by seb101 » Wed Oct 17, 2018 8:27 am

Unfortunately if you are using a multi-layer PKI capath is the only option really (unless you write a custom script).

The 'crl_verify' option only supports a single CRL.

Also - the reason I ask is that it *appears* to be 'fixed' in 2.4 but I can't find any documentation to explain the current behavior. Whether it's reloaded on every connection or after a time limit, or some other factor.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5015
Joined: Fri Jun 03, 2016 1:17 pm

Re: When does OpenVPN reload CRLs with -capath?

Post by TinCanTech » Wed Oct 17, 2018 12:44 pm

TinCanTech wrote:
Tue Oct 16, 2018 12:37 am
This relates to version 2.3.8 .. which version are you using ?
seb101 wrote:
Tue Oct 16, 2018 4:00 pm
I'm using Version 2.4
seb101 wrote:
Wed Oct 17, 2018 8:27 am
it *appears* to be 'fixed' in 2.4
According to the devs .. it is not fixed.
TinCanTech wrote:
Tue Oct 16, 2018 7:48 pm
The problem itself stems directly from OpenSSL .. So they have chosen this behaviour
TinCanTech wrote:
Tue Oct 16, 2018 7:48 pm
The trac ticket you listed refers to a workaround, if you would like to try that
seb101 wrote:
Wed Oct 17, 2018 8:27 am
I can't find any documentation to explain the current behavior. Whether it's reloaded on every connection or after a time limit, or some other factor.
When using --ca & --crl-verify the CRL is reloaded on every client connection.

When using --ca-path getting a straight answer is considerably more challenging, please raise a ticket.

Post Reply