OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
My client is on Windows10 with OpenVPN GUI v220.127.116.11
My server config is:
ca /etc/openvpn/certs/ca.crt # the self signed certificate for the CA
cert /etc/openvpn/certs/server.crt # a certificate for the server
key /etc/openvpn/certs/server.key # This file should be kept secret
#crl-verify /etc/openvpn/certs/CRL dir
keepalive 10 120
server 10.8.0.0 255.255.255.0
I connect without any problem. When I revoke the certificate, every 120 seconds my logs show that the certificate has been revoked.
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS: Initial packet from [AF_INET]10.10.10.120:57923, sid=74ce1c0a ffe1dae9
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 VERIFY ERROR: depth=0, error=certificate revoked: L=08-00-27-0E-11-5E, CN=xxxx
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS Error: TLS handshake failed
The Client Log (I have no good way of pasting it) shows:
In Red: stuff about the handshake failed.
Then, in black: stuff including VERIFY EKU OK and VERIFY OK.
* The OpenVPN GUI is still showing green and the status window is showing "Current State: Connected"
* An application that is running through the VPN is still connected and continues to pass data.
If I manually shut my application down on either the client or server end, it won't reconnect. If I manually cause OpenVPN GUI to reconnect, it will fail and my connection will be broken.
What do I need to do in the server configuration to cause the connection to be broken when the certificate is revoked?
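Added example (editor's note, not part of the original question or of OpenVPN's own code). The server consults the CRL only when a TLS handshake runs, i.e. at the initial connect and at each renegotiation (reneg-sec, default 3600 s); a failed renegotiation does not tear the session down on its own, and the previously negotiated data-channel key stays usable for the transition window (tran-window, default 3600 s), which is why the tunnel in the question keeps passing traffic. Lowering reneg-sec and tran-window on the server shrinks that window, but the only way to cut a revoked client off immediately is to terminate its session, for example through the management interface. The script below watches the server log for the "certificate revoked" VERIFY ERROR lines, extracts the common name of the failing session, and builds the management-interface `kill <cn>` commands for it. It assumes the server config also carries `management 127.0.0.1 7505` with no management password (an assumption; the directive and the `kill` command are real, the address and port are illustrative), and the log lines and common names (client1, client2) are constructed sample data, not a real capture.

```python
import re
import socket

# Constructed sample of an OpenVPN 2.4 server log (not a real capture).
# client1 has been revoked and fails renegotiation twice; client2 is fine.
SAMPLE_LOG = """\
Tue Sep 10 09:15:46 2019 client1/10.10.10.120:57923 TLS: Initial packet from [AF_INET]10.10.10.120:57923, sid=74ce1c0a ffe1dae9
Tue Sep 10 09:15:46 2019 client1/10.10.10.120:57923 VERIFY ERROR: depth=0, error=certificate revoked: L=08-00-27-0E-11-5E, CN=client1
Tue Sep 10 09:15:46 2019 client1/10.10.10.120:57923 TLS Error: TLS handshake failed
Tue Sep 10 09:16:01 2019 client2/10.10.10.121:41022 VERIFY OK: depth=0, CN=client2
Tue Sep 10 09:17:46 2019 client1/10.10.10.120:57923 VERIFY ERROR: depth=0, error=certificate revoked: L=08-00-27-0E-11-5E, CN=client1
"""

# Server-side log line for a renegotiation that failed on a revoked leaf cert.
# The prefix "<cn>/<ip>:<port>" is the per-client instance OpenVPN prepends
# once a session exists, so the CN of the *current* session is taken from it.
REVOKED_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<cn>[^/\s]+)/(?P<peer>[\d.]+:\d+) "
    r"VERIFY ERROR: depth=0, error=certificate revoked: .*CN=(?P<cert_cn>\S+)$"
)


def find_revoked_sessions(log_text):
    """Return {cn: 'ip:port'} for every live session whose certificate is now revoked."""
    revoked = {}
    for line in log_text.splitlines():
        m = REVOKED_RE.match(line)
        if m:
            revoked[m.group("cn")] = m.group("peer")
    return revoked


def management_kill_commands(revoked):
    """Build the management-interface commands that terminate those sessions.

    'kill <cn>' is a documented management command; it ends every client
    instance with that common name. 'kill <ip>:<port>' would target one
    instance if duplicate-cn is in use.
    """
    return ["kill %s" % cn for cn in sorted(revoked)]


def kill_commands_for_log(log_text):
    """Convenience wrapper: log text in, list of 'kill <cn>' commands out."""
    return management_kill_commands(find_revoked_sessions(log_text))


def send_management_commands(commands, host="127.0.0.1", port=7505, timeout=5.0):
    """Send the commands to the server's management socket and return its replies.

    Assumes 'management 127.0.0.1 7505' in server.conf and no management
    password (illustrative assumption). The interface greets with a '>INFO:'
    line and answers each command with a single 'SUCCESS:' or 'ERROR:' line;
    asynchronous '>CLIENT:'-style notifications are not handled here.
    """
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rw", encoding="ascii", newline="\n")
        stream.readline()  # discard the ">INFO:OpenVPN Management Interface ..." greeting
        for cmd in commands:
            stream.write(cmd + "\n")
            stream.flush()
            replies.append(stream.readline().strip())
        stream.write("quit\n")
        stream.flush()
    return replies


if __name__ == "__main__":
    # Offline run over the constructed sample; no socket is opened.
    print(kill_commands_for_log(SAMPLE_LOG))  # ['kill client1']
```

Run it periodically against the server log (or feed it `tail -F` output) and pass the result to `send_management_commands` only when the list is non-empty; because the revocation error repeats on every retry, the `kill` for an already-terminated CN simply returns an ERROR line, which is harmless. Revoking the certificate and regenerating the CRL still has to happen first, since the kill only removes the session and the CRL is what stops the client from reconnecting.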