When does OpenVPN reload CRLs with -capath?

[seb101]

Hi all,

Does anyone know the logic for when OpenVPN will reload CRL files whilst using the -capath option?

I have scripted my CA server to drop the updated CRL files into the -capath directory on the VPN server whenever a new cert is revoked, but I want to be certain when OVPN will re-load these files from disk.

There is an old bug ticket related to this: https://community.openvpn.net/openvpn/ticket/623 but it hasn't been touched in a couple of years.

Thanks!

[TinCanTech]

This relates to version 2.3.8 .. which version are you using ?

[seb101]

I'm using Version 2.4

[TinCanTech]

The trac ticket you listed refers to a workaround, if you would like to try that ..

The problem itself stems directly from OpenSSL .. So they have chosen this behaviour ..

Personally, I would not use --capath

[seb101]

Unfortunately if you are using a multi-layer PKI capath is the only option really (unless you write a custom script).

The 'crl_verify' option only supports a single CRL.

Also - the reason I ask is that it *appears* to be 'fixed' in 2.4 but I can't find any documentation to explain the current behavior. Whether it's reloaded on every connection or after a time limit, or some other factor.

[TinCanTech]

This relates to version 2.3.8 .. which version are you using ?

I'm using Version 2.4

it *appears* to be 'fixed' in 2.4

According to the devs .. it is not fixed.

The problem itself stems directly from OpenSSL .. So they have chosen this behaviour

The trac ticket you listed refers to a workaround, if you would like to try that

I can't find any documentation to explain the current behavior. Whether it's reloaded on every connection or after a time limit, or some other factor.

When using --ca & --crl-verify the CRL is reloaded on every client connection.

When using --ca-path getting a straight answer is considerably more challenging, please raise a ticket.

[psztoch]

Any progress?
Lack of support for multiple CAs is sometimes quite a problem...