I'm currently auditing an oldish installation of OpenVPN for our company network. There are a few certificates around that need to be revoked (because those employees no longer work for my company). But the revocation mechanism wasn't in place until I touched it.
We're running Ubuntu Server (I'm innocent) and basically the OpenVPN installation seems to be quite default: configuration in /etc/openvpn, easy-rsa (2.0) scripts in /etc/openvpn/easy-rsa, keys in /etc/openvpn/easy-rsa/keys. I checked some howtos and what seemed to be necessary was to add the following line to server.conf:
Code:
    crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
Another problem was that an accessible but empty crl.pem also caused the server to exit on the first connection attempt.
So my questions basically are:
1. Why isn't the revocation mechanism enabled by default (that is, at the same place in the docs where the easy-rsa mechanism is described, with a default location for the crl.pem file)? To me it seems to be a central concept that should just work?
2. Why does the server exit on the first connection attempt if there is some misconfiguration with the crl.pem file? I think there should be a check for this just after dropping privileges - as it's really strange to have the server coming up just nicely (yaay, everything works - not) and then just exiting later because of a configuration issue.
3. Is it sensible to have the keys directory readable by everyone, or does that pose a security risk of some kind?
Basically my thoughts behind this are: I'm configuring the server now so that later other admins without deep knowledge of the OpenVPN configuration may revoke keys, update OpenVPN and do similar tasks. That's why I chose not to move the crl.pem file out of the keys directory (as suggested in the OpenVPN docs) but rather to set the directory's permissions so the file is accessible. This way anyone can just use the revoke-full script and it should just work - no extra step of copying the file somewhere else is necessary, as forgetting this makes the revocation ineffective.
I want the configuration to be as robust as possible against quick-and-dirty usage. So is there a recommended way to do this, or am I on my own?
Thanks and regards,
koma
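A pre-flight check for the crl-verify setup described in the post above, added here as an example; it is not part of the original post, nor of OpenVPN or easy-rsa. It is meant to be run (for instance by the admin who just ran revoke-full) before restarting the server, so that a missing, empty or unreadable crl.pem is caught now instead of at the first client connection. It assumes the server.conf path is passed as the first argument, approximates "readable after dropping privileges" by requiring the other-read bit on crl.pem and the other-execute bit on every directory above it (a server running as a dedicated group could relax that), and only parses the CRL with openssl when openssl is installed. As a side check it lists *.key files in the CRL's directory that are readable by everyone, since making the directory world-accessible for crl.pem must not make the private keys world-readable too.

```shell
#!/bin/sh
# crl-check.sh: added example, not from the original post and not part of
# OpenVPN or easy-rsa. Usage: crl-check.sh /etc/openvpn/server.conf
# Assumptions: config path in $1; "readable after dropping privileges" is
# approximated by the world-read/world-execute bits (see lead-in).

# mode_char PATH N: N-th character (1-10) of the ls -l mode string, e.g.
# char 8 is the other-read bit, char 10 the other-execute bit.
mode_char() { ls -ld "$1" | cut -c"$2"; }

# crl_path CONF: path from the last uncommented crl-verify directive (BRE sed).
crl_path() {
    sed -n 's/^[[:space:]]*crl-verify[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# world_reachable PATH: other-read on the file, other-execute on each parent
# directory, which is what an unprivileged user needs to open the file.
world_reachable() {
    [ "$(mode_char "$1" 8)" = "r" ] || return 1
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        case $(mode_char "$d" 10) in x|t) ;; *) return 1 ;; esac
        d=$(dirname "$d")
    done
    return 0
}

# check_crl CONF
# Return codes: 0 ok, 1 no crl-verify directive, 2 CRL file missing,
# 3 CRL file empty, 4 not reachable by an unprivileged user,
# 5 openssl is installed and cannot parse the file.
check_crl() {
    crl=$(crl_path "$1")
    [ -n "$crl" ] || return 1
    [ -e "$crl" ] || return 2
    # An empty crl.pem is the case the post reports taking the server down.
    [ -s "$crl" ] || return 3
    world_reachable "$crl" || return 4
    if command -v openssl >/dev/null 2>&1; then
        openssl crl -in "$crl" -noout >/dev/null 2>&1 || return 5
    fi
    return 0
}

# world_readable_keys DIR: print *.key files in DIR that anyone can read.
# Returns 1 if any were found; the CRL may be public, private keys must not be.
world_readable_keys() {
    bad=0
    for k in "$1"/*.key; do
        [ -e "$k" ] || continue          # no match: the glob stays literal
        if [ "$(mode_char "$k" 8)" = "r" ]; then
            echo "world-readable private key: $k"
            bad=1
        fi
    done
    return $bad
}

if [ "$#" -gt 0 ]; then
    check_crl "$1"; rc=$?
    case $rc in
        0) echo "crl-verify: ok" ;;
        1) echo "crl-verify: no directive found in $1" ;;
        2) echo "crl-verify: file missing" ;;
        3) echo "crl-verify: file is empty" ;;
        4) echo "crl-verify: not readable after dropping privileges" ;;
        5) echo "crl-verify: openssl cannot parse the file" ;;
    esac
    if [ "$rc" -ne 1 ]; then
        world_readable_keys "$(dirname "$(crl_path "$1")")" || echo "warning: private keys above are readable by everyone"
    fi
    exit $rc
fi
```

The return codes are deliberately distinct so the script can sit in front of "service openvpn restart" in a wrapper and refuse the restart on anything but 0; a real CRL written by easy-rsa's revoke-full passes the openssl step, while the empty file from the post is rejected at step 3 before the server is ever touched.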