show warning box when certificate is revoked

Scripts to manage certificates or generate config files

Moderators: TinCanTech

r0otsharp
OpenVpn Newbie
Posts: 13
Joined: Sun Jul 07, 2013 6:09 am

show warning box when certificate is revoked

Post by r0otsharp » Sun Jul 07, 2013 6:19 am

Hello

I have a problem with certificates that have been revoked. I revoked a certificate with revoke-full, and when the client tries to connect to the server it keeps retrying the connection. I want to change the config file so that it shows a warning box saying that your certificate is revoked and you cannot access. Thank you for your help.

Best Regards
Ehsan Farahani

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: show warning box when certificate is revoked

Post by mwandelaar » Sun Jul 07, 2013 7:44 am

As far as I know, this is not possible.
The server knows why the certificate is not allowed and writes this down in the logs. But when the client connects, the client just shows a failure upon connect, not the reason why.

What you could do is add a crl-distribution-point extension to your certificates and let the CA publish its CRL there.
This way the client can parse the certificate and manually validate the certificate against the CRL.

r0otsharp
OpenVpn Newbie
Posts: 13
Joined: Sun Jul 07, 2013 6:09 am

Re: show warning box when certificate is revoked

Post by r0otsharp » Sun Jul 07, 2013 10:25 am

mwandelaar wrote: As far as I know, this is not possible.
The server knows why the certificate is not allowed and writes this down in the logs. But when the client connects, the client just shows a failure upon connect, not the reason why.

What you could do is add a crl-distribution-point extension to your certificates and let the CA publish its CRL there.
This way the client can parse the certificate and manually validate the certificate against the CRL.

Thanks very much for your response.
My main reason is that the client continually tries to connect to the server. I want the session to be terminated when a certificate that has been revoked connects.

Best Regards

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: show warning box when certificate is revoked

Post by mwandelaar » Sun Jul 07, 2013 5:55 pm

r0otsharp wrote: My main reason is that the client continually tries to connect to the server.
That's true. Viewing the log on the client will show you that the SSL connection has failed, without the reason. To be honest, I don't know how to change this behaviour. In TCP mode there's the option

Code:

connect-retry-max
for this which apparently will not work for UDP.

r0otsharp
OpenVpn Newbie
Posts: 13
Joined: Sun Jul 07, 2013 6:09 am

Re: show warning box when certificate is revoked

Post by r0otsharp » Sun Jul 07, 2013 7:54 pm

Thanks very much for your response.

I revoked the certificate on the server with revoke-full and generated the CRL file. After this I copied the file to Windows, right-clicked on the CRL file and selected Install CRL. But the certificate is still not revoked and verifies successfully. Can you tell me where I went wrong?

Best Regards
Ehsan Farahani

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: show warning box when certificate is revoked

Post by mwandelaar » Mon Jul 08, 2013 5:42 am

Does your server config have a line:

Code:

crl-verify /path/to/crl.crl
and did you copy the CRL over to the server?
As long as the server does not know this specific certificate is revoked, it's still accepted and granted access.

r0otsharp
OpenVpn Newbie
Posts: 13
Joined: Sun Jul 07, 2013 6:09 am

Re: show warning box when certificate is revoked

Post by r0otsharp » Mon Jul 08, 2013 5:51 am

mwandelaar wrote: Does your server config have a line:

Code:

crl-verify /path/to/crl.crl
and did you copy the CRL over to the server?
As long as the server does not know this specific certificate is revoked, it's still accepted and granted access.
Thanks.
Server config:
crl-verify /etc/openvpn/crl.pem

Yes, I copied the above parameter and put the CRL file on the server, but the server can't reject a connection that uses a revoked certificate. My main problem is in Windows: when I install the CRL file, Windows still successfully verifies the revoked certificate. Please help me.

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: show warning box when certificate is revoked

Post by mwandelaar » Mon Jul 08, 2013 6:53 pm

Can you post the logging from the server (using verb 4 or higher) when the client connects? OpenVPN should be complaining, so we can try to figure out what the problem is.

r0otsharp
OpenVpn Newbie
Posts: 13
Joined: Sun Jul 07, 2013 6:09 am

Re: show warning box when certificate is revoked

Post by r0otsharp » Tue Jul 09, 2013 11:53 am

Hello my friend

I changed the main target: checking whether the certificate is valid or revoked is now done with OCSP checking, with the server settings below:

server.conf content:

Code:

tls-verify /etc/openvpn/ifconf/OCSP_check.sh
OCSP_server.sh content:

Code:

#!/bin/sh
# Starts a minimal OCSP responder backed by the easy-rsa CA database (index.txt),
# listening on TCP port 4444 (all interfaces unless a host is given before the
# port); OCSP_check.sh queries it at http://localhost:4444.
DIR="/etc/openvpn/easy-rsa/keys"
openssl ocsp -index "$DIR/index.txt" -port 4444 -CA "$DIR/ca.crt" -rsigner "$DIR/ca.crt" -rkey "$DIR/ca.key" -resp_text -out "$(pwd)/ocsp_log.txt"
OCSP_check.sh content:

Code:

#!/bin/sh
# OpenVPN runs this as a tls-verify script (server.conf needs script-security 2
# for that). It is called once per certificate in the chain with the depth and
# the subject DN as arguments; the serial is exported as tls_serial_<depth>.
DIR="/etc/openvpn/easy-rsa/keys"
# Sample script to perform OCSP queries with OpenSSL
# given a certificate serial number.

# If you run your own CA, you can set up a very simple
# OCSP server using the -port option to "openssl ocsp".

# Full documentation and examples:
# http://www.openssl.org/docs/apps/ocsp.html


# Edit the following values to suit your needs

# OCSP responder URL (mandatory)
# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
ocsp_url="http://localhost:4444"

# Path to issuer certificate (mandatory)
# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
issuer="$DIR/ca.crt"

# use a nonce in the query, set to "-no_nonce" to not use it
nonce="-nonce"

# Verify the response
# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
verify="$DIR/ca.crt"

# Depth in the certificate chain where the cert to verify is.
# Set to -1 to run the verification at every level (NOTE that
# in that case you need a more complex script as the various
# parameters for the query will likely be different at each level)
# "0" is the usual value here, where the client certificate is
check_depth=0

cur_depth=$1     # this is the *CURRENT* depth
common_name=$2   # CN in case you need it

# minimal sanity checks

err=0
if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
  echo "Error: issuer certificate undefined or not found!" >&2
  err=1
fi

if [ -z "$verify" ] || [ ! -e "$verify" ]; then
  echo "Error: verification certificate undefined or not found!" >&2
  err=1
fi

if [ -z "$ocsp_url" ]; then
  echo "Error: OCSP server URL not defined!" >&2
  err=1
fi

if [ $err -eq 1 ]; then
  echo "Did you forget to customize the variables in the script?" >&2
  exit 1
fi

# begin
if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then

  eval serial="\$tls_serial_${cur_depth}"

  # To successfully complete, the following must happen:
  #
  # - The serial number must not be empty
  # - The exit status of "openssl ocsp" must be zero
  # - The output of the above command must contain the line
  #   "0x${serial}: good"
  #
  # Everything else fails with exit status 1.

  if [ -n "$serial" ]; then

    # This is only an example; you are encouraged to run this command (without
    # redirections) manually against your or your CA's OCSP server to see how
    # it responds, and adapt accordingly.
    # Sample output that is assumed here:
    #
    # Response verify OK
    # 0x428740A5: good
    #      This Update: Apr 24 19:38:49 2010 GMT
    #      Next Update: May  2 14:23:42 2010 GMT
    #
    # NOTE: It is needed to check the exit code of OpenSSL explicitly.  OpenSSL
    #       can in some circumstances give a "good" result if it could not
    #       reach the OCSP server.  In this case, the exit code will indicate
    #       if OpenSSL itself failed or not.  If OpenSSL's exit code is not 0,
    #       don't trust the OpenSSL status.

    status=$(openssl ocsp -issuer "$issuer" \
                    "$nonce" \
                    -CAfile "$verify" \
                    -url "$ocsp_url" \
                    -serial "0x${serial}" 2>/dev/null)

    if [ $? -eq 0 ]; then
      # check that it's good
      if echo "$status" | grep -Fq "0x${serial}: good"; then
        exit 0
      fi
    fi
  fi
  # if we get here, something was wrong
  exit 1
fi

But this method is still not working. Please solve my problem.

Thanks very much.
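
An added example, not part of this thread and not one of OpenVPN's contrib scripts: both approaches discussed here rest on the easy-rsa CA database. revoke-full marks the certificate as R in index.txt, gen-crl turns that file into the crl.pem that crl-verify reads, and the OCSP responder above answers from the same file (-index). The POSIX shell functions below read index.txt directly, so an administrator can confirm that the revocation was actually recorded before debugging the server, and turn the status into the exit-code convention a tls-verify script uses (0 = accept, anything else = reject). The sample index.txt lines, serials, dates and DNs are constructed for the demonstration; the serial argument is assumed to be hex, as index.txt stores it.

```shell
#!/bin/sh
# Added example (not from the thread): look up a certificate serial in an
# easy-rsa / OpenSSL CA database (index.txt) and decide accept/reject the way a
# tls-verify script would.
#
# index.txt holds one tab-separated line per issued certificate:
#   status  expiry  revocation-date  serial  filename  subject-DN
# status is V (valid), R (revoked) or E (expired); revocation-date is empty
# unless the status is R. revoke-full writes the R line that gen-crl later
# turns into crl.pem.

# cert_status SERIAL INDEX_FILE -> prints V, R, E or UNKNOWN
cert_status() {
    serial=$(printf '%s' "$1" | tr 'a-f' 'A-F')   # index.txt stores upper-case hex
    awk -v s="$serial" '
        BEGIN { FS = "\t" }
        ($4 "") == (s "") { print $1; found = 1; exit }   # force string comparison
        END { if (!found) print "UNKNOWN" }
    ' "$2"
}

# tls_verify_decision SERIAL INDEX_FILE -> exit status 0 only for a V entry.
# Anything else (revoked, expired, or a serial this CA never issued) is rejected,
# and the reason goes to stderr, where the server log can pick it up.
tls_verify_decision() {
    status=$(cert_status "$1" "$2")
    case "$status" in
        V) return 0 ;;
        *) printf 'serial %s rejected: status %s\n' "$1" "$status" >&2
           return 1 ;;
    esac
}

# Constructed sample database (serials, dates and DNs are made up).
SAMPLE_INDEX="${TMPDIR:-/tmp}/index_sample.$$"
trap 'rm -f "$SAMPLE_INDEX"' EXIT
{
    printf 'V\t230705120000Z\t\t01\tunknown\t/C=XX/CN=server\n'
    printf 'V\t230705120000Z\t\t02\tunknown\t/C=XX/CN=client1\n'
    printf 'R\t230705120000Z\t130707061900Z\t03\tunknown\t/C=XX/CN=client2\n'
} > "$SAMPLE_INDEX"

# Demonstration run; no exit here, so the functions stay usable when sourced.
for s in 02 03 0A; do
    if tls_verify_decision "$s" "$SAMPLE_INDEX" 2>/dev/null; then
        printf 'serial %s: accepted\n' "$s"
    else
        printf 'serial %s: rejected (%s)\n' "$s" "$(cert_status "$s" "$SAMPLE_INDEX")"
    fi
done
```

If this is wired into tls-verify, the serial has to come from OpenVPN's tls_serial_* environment variables, whose encoding (decimal or hex) depends on the OpenVPN version, so normalise it before the lookup; and, as with the OCSP script, the server only runs tls-verify scripts when script-security 2 is set. Checking index.txt this way also shows quickly whether a "still accepted" client is a stale crl.pem on the server or a revocation that was never recorded.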

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: show warning box when certificate is revoked

Post by mwandelaar » Tue Jul 09, 2013 5:11 pm

I'm sorry to say, but you are changing the setup during testing, which is not handy at all.
First of all I want to be sure OpenVPN can check the CRL and see if a cert is valid/revoked. So, please keep the CRL checking in place and:
mwandelaar wrote: Can you post the logging from the server (using verb 4 or higher) when the client connects? OpenVPN should be complaining, so we can try to figure out what the problem is.
