Revoke Doesn't Disconnect

LauraMartin
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 18, 2019 12:47 pm

Post by LauraMartin » Tue Sep 10, 2019 1:33 pm

I'm running a linux server with:
OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03

My client is on Windows10 with OpenVPN GUI v11.12.0.0

My server config is:
ServerConfig

port 1194
proto udp
dev tun0
ca /etc/openvpn/certs/ca.crt # the self signed certificate for the CA
cert /etc/openvpn/certs/server.crt # a certificate for the server
key /etc/openvpn/certs/server.key # This file should be kept secret
#crl-verify /etc/openvpn/certs/CRL dir
crl-verify /etc/openvpn/certs/crl.pem
dh /etc/openvpn/certs/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
user nobody
group iao_r
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn
verb 3
explicit-exit-notify 1
reneg-sec 120

server 10.8.0.0 255.255.255.0

I connect without any problem. When I revoke the certificate, every 120 seconds my logs show that the certificate has been revoked.
ServerLog

Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS: Initial packet from [AF_INET]10.10.10.120:57923, sid=74ce1c0a ffe1dae9
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 VERIFY ERROR: depth=0, error=certificate revoked: L=08-00-27-0E-11-5E, CN=xxxx
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 10 09:15:46 2019 xxxx/10.10.10.120:57923 TLS Error: TLS handshake failed


The Client Log (I have no good way of pasting it) shows:
In Red: stuff about the handshake failed.
Then, in black: stuff including VERIFY EKU OK and VERIFY OK.

But:
* The OpenVPN GUI is still showing green and the status window is showing "Current State: Connected".
* An application that is running through the VPN is still connected and continues to pass data.
If I manually shut my application down on either the client or server end, it won't reconnect. If I manually cause the OpenVPN GUI to reconnect, it will fail and my connection will be broken.

What do I need to do in the server configuration to cause the connection to be broken when the certificate is revoked?

Thanks,

Laura
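The post shows the two halves of the symptom: the server log records the CRL rejection at each reneg-sec renegotiation, while the status file written by the `status` directive still lists the same client, because the established session keeps using the data-channel keys it already has. The script below is an added example, not code from the poster or from the OpenVPN project. It correlates the two logs offline, reports sessions the CRL already rejects but that are still in the client list, and builds the `kill <common-name>` commands that OpenVPN's management interface accepts for dropping such a client. The log lines, status file, common names and addresses are constructed for the example (shaped like the post's verb 3 output and the default version 1 status format); the script only builds the command strings and does not open the management socket.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the server log in the post (verb 3). The common names,
# the L= field and the addresses are made up; "alice" is the revoked client.
SERVER_LOG = """\
Tue Sep 10 09:15:46 2019 alice/10.10.10.120:57923 TLS: Initial packet from [AF_INET]10.10.10.120:57923, sid=74ce1c0a ffe1dae9
Tue Sep 10 09:15:46 2019 alice/10.10.10.120:57923 VERIFY ERROR: depth=0, error=certificate revoked: L=08-00-27-0E-11-5E, CN=alice
Tue Sep 10 09:15:46 2019 alice/10.10.10.120:57923 TLS Error: TLS handshake failed
Tue Sep 10 09:16:02 2019 bob/10.10.10.121:41002 TLS: Initial packet from [AF_INET]10.10.10.121:41002, sid=0a0b0c0d 01020304
"""

# Constructed sample of the version 1 status file that "status openvpn-status.log"
# writes by default; "alice" is still listed although her cert was just rejected.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Tue Sep 10 09:16:05 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,10.10.10.120:57923,123456,654321,Tue Sep 10 09:00:12 2019
bob,10.10.10.121:41002,1000,2000,Tue Sep 10 09:10:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,10.10.10.120:57923,Tue Sep 10 09:16:04 2019
10.8.0.10,bob,10.10.10.121:41002,Tue Sep 10 09:16:03 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Timestamp, then the "cn/ip:port" session prefix, then the CRL failure with the
# subject's CN at the end of the line.
REVOKED_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
    r"(?P<cn>[^/ ]+)/(?P<addr>\S+) VERIFY ERROR: depth=0, "
    r"error=certificate revoked: .*?CN=(?P<subject_cn>[^,\s]+)"
)


def revoked_sessions(server_log: str) -> Dict[str, str]:
    """Common name -> real address for every session whose renegotiation
    failed with 'certificate revoked' (the last line per CN wins)."""
    found: Dict[str, str] = {}
    for line in server_log.splitlines():
        m = REVOKED_RE.match(line)
        if m:
            found[m.group("subject_cn")] = m.group("addr")
    return found


def connected_clients(status_log: str) -> Dict[str, str]:
    """Common name -> real address from the CLIENT LIST section of a
    version 1 status file; parsing stops at the ROUTING TABLE header."""
    clients: Dict[str, str] = {}
    in_list = False
    for line in status_log.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_list = True
            continue
        if line.startswith("ROUTING TABLE"):
            break
        if in_list and line:
            cn, addr = line.split(",")[:2]
            clients[cn] = addr
    return clients


def lingering_revoked(server_log: str, status_log: str) -> List[Tuple[str, str]]:
    """Clients the CRL already rejects but that still hold a live session,
    matched on both common name and real address so a legitimate reconnect
    from a re-issued cert at another port is not reported."""
    revoked = revoked_sessions(server_log)
    connected = connected_clients(status_log)
    return sorted((cn, addr) for cn, addr in revoked.items()
                  if connected.get(cn) == addr)


def kill_commands(pairs: List[Tuple[str, str]]) -> List[str]:
    """Management-interface commands ('kill <cn>') for the lingering sessions.
    Only the strings are built here; sending them needs the --management socket."""
    return [f"kill {cn}" for cn, _ in pairs]


if __name__ == "__main__":
    lingering = lingering_revoked(SERVER_LOG, STATUS_LOG)
    for cn, addr in lingering:
        print(f"{cn} at {addr}: rejected by the CRL but still in the client list")
    print("\n".join(kill_commands(lingering)))
```

Run against the constructed input it reports only alice, since bob renegotiated without a verify error. Matching on the real address as well as the CN matters: after a cert is re-issued, the same CN can legitimately reconnect from a new port while the old revoked session is still being torn down.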
