When does OpenVPN reload CRLs with -capath?
Hi all,
Does anyone know the logic for when OpenVPN will reload CRL files whilst using the -capath option?
I have scripted my CA server to drop the updated CRL files into the -capath directory on the VPN server whenever a new cert is revoked, but I want to be certain when OVPN will reload these files from disk.
There is an old bug ticket related to this: https://community.openvpn.net/openvpn/ticket/623 but it hasn't been touched in a couple of years.
Thanks!
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Sep 10, 2018 7:06 pm

- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: When does OpenVPN reload CRLs with -capath?
This relates to version 2.3.8 .. which version are you using?

- OpenVpn Newbie
- Posts: 8
- Joined: Mon Sep 10, 2018 7:06 pm
Re: When does OpenVPN reload CRLs with -capath?
I'm using Version 2.4
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: When does OpenVPN reload CRLs with -capath?
The trac ticket you listed refers to a workaround, if you would like to try that ..
The problem itself stems directly from OpenSSL .. So they have chosen this behaviour ..
Personally, I would not use --capath

- OpenVpn Newbie
- Posts: 8
- Joined: Mon Sep 10, 2018 7:06 pm
Re: When does OpenVPN reload CRLs with -capath?
Unfortunately, if you are using a multi-layer PKI, capath is the only option really (unless you write a custom script).
The 'crl_verify' option only supports a single CRL.
Also, the reason I ask is that it *appears* to be 'fixed' in 2.4, but I can't find any documentation to explain the current behavior: whether it's reloaded on every connection, after a time limit, or some other factor.

- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: When does OpenVPN reload CRLs with -capath?
TinCanTech wrote (Tue Oct 16, 2018 12:37 am): This relates to version 2.3.8 .. which version are you using?
According to the devs .. it is not fixed.
TinCanTech wrote (Tue Oct 16, 2018 7:48 pm): The problem itself stems directly from OpenSSL .. So they have chosen this behaviour
TinCanTech wrote (Tue Oct 16, 2018 7:48 pm): The trac ticket you listed refers to a workaround, if you would like to try that
When using --ca & --crl-verify the CRL is reloaded on every client connection.
When using --ca-path getting a straight answer is considerably more challenging, please raise a ticket.
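Since the thread does not settle when a --capath directory is re-read, the practical defence is to make the CRL drop itself robust and to verify the result independently. The script below is an added example, not code from the thread or from the OpenVPN project. It assumes the OpenSSL hash-directory convention (a CRL is looked up as <issuer-name-hash>.r<N>) and, as the workaround in the linked ticket relies on, that a newly appearing higher-numbered suffix is picked up while an overwritten file of the same name may not be re-read; check that assumption against your OpenSSL version. The function and file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): install an updated CRL into a
# --capath directory under the next free hashed name instead of overwriting.
# Assumption: OpenSSL's hash-dir lookup loads <hash>.r<N> and notices a new,
# higher N, but may keep a cached copy of a file overwritten under the same name.
set -eu

# Highest N among <dir>/<hash>.r<N>; prints -1 when no such file exists.
crl_max_suffix() {
    dir=$1; hash=$2
    max=-1
    for f in "$dir/$hash".r*; do
        [ -e "$f" ] || continue            # glob did not match anything
        n=${f##*.r}
        case $n in
            ''|*[!0-9]*) continue ;;       # ignore names that are not .r<digits>
        esac
        [ "$n" -gt "$max" ] && max=$n
    done
    echo "$max"
}

# Next free suffix for this issuer hash in the directory.
crl_next_suffix() {
    max=$(crl_max_suffix "$1" "$2")
    echo $((max + 1))
}

# Install a PEM CRL: derive the issuer-name hash with openssl, copy into a temp
# file inside the same directory, then rename atomically so a verifier never
# observes a half-written CRL. Prints the installed path.
install_crl() {
    crl=$1; dir=$2
    hash=$(openssl crl -in "$crl" -noout -hash)
    n=$(crl_next_suffix "$dir" "$hash")
    target="$dir/$hash.r$n"
    tmp=$(mktemp "$dir/.crl.XXXXXX")
    cp "$crl" "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$target"
    echo "$target"
}

# Independent check: a revoked client cert must now fail chain verification
# against the directory. -crl_check_all also checks every CA in a multi-layer
# chain, so each issuing CA needs its own CRL installed here.
check_revoked() {
    cert=$1; dir=$2
    if openssl verify -CApath "$dir" -crl_check_all "$cert" >/dev/null 2>&1; then
        echo "still accepted"; return 1
    fi
    echo "rejected"; return 0
}

# Usage (placeholder paths):
#   install_crl /path/to/new-crl.pem /etc/openvpn/capath
#   check_revoked /path/to/revoked-client.pem /etc/openvpn/capath
```

The CA certificates themselves must also be present in the directory under their <hash>.<N> names (c_rehash or openssl rehash does that) for openssl verify to build the chain; the CRL installer above only handles the .r<N> side. Old .r<N> files can be pruned once the server has been confirmed to honour the newest one.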
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Dec 05, 2023 3:39 pm
Re: When does OpenVPN reload CRLs with -capath?
Any progress?
Lack of support for multiple CAs is sometimes quite a problem...