When does OpenVPN reload CRLs with -capath?

Posted: Mon Oct 15, 2018 11:28 pm
by seb101
Hi all,

Does anyone know the logic for when OpenVPN will reload CRL files whilst using the -capath option?

I have scripted my CA server to drop the updated CRL files into the -capath directory on the VPN server whenever a new cert is revoked, but I want to be certain when OVPN will re-load these files from disk.

There is an old bug ticket related to this: https://community.openvpn.net/openvpn/ticket/623 but it hasn't been touched in a couple of years.

Thanks!

Re: When does OpenVPN reload CRLs with -capath?

Posted: Tue Oct 16, 2018 12:37 am
by TinCanTech
This relates to version 2.3.8 .. which version are you using ?

Re: When does OpenVPN reload CRLs with -capath?

Posted: Tue Oct 16, 2018 4:00 pm
by seb101
I'm using Version 2.4

Re: When does OpenVPN reload CRLs with -capath?

Posted: Tue Oct 16, 2018 7:48 pm
by TinCanTech
The trac ticket you listed refers to a workaround, if you would like to try that ..

The problem itself stems directly from OpenSSL .. So they have chosen this behaviour ..

Personally, I would not use --capath

Re: When does OpenVPN reload CRLs with -capath?

Posted: Wed Oct 17, 2018 8:27 am
by seb101
Unfortunately if you are using a multi-layer PKI capath is the only option really (unless you write a custom script).

The 'crl_verify' option only supports a single CRL.

Also - the reason I ask is that it *appears* to be 'fixed' in 2.4 but I can't find any documentation to explain the current behavior. Whether it's reloaded on every connection or after a time limit, or some other factor.

Re: When does OpenVPN reload CRLs with -capath?

Posted: Wed Oct 17, 2018 12:44 pm
by TinCanTech
TinCanTech wrote:
Tue Oct 16, 2018 12:37 am
This relates to version 2.3.8 .. which version are you using ?
seb101 wrote:
Tue Oct 16, 2018 4:00 pm
I'm using Version 2.4
seb101 wrote:
Wed Oct 17, 2018 8:27 am
it *appears* to be 'fixed' in 2.4
According to the devs .. it is not fixed.
TinCanTech wrote:
Tue Oct 16, 2018 7:48 pm
The problem itself stems directly from OpenSSL .. So they have chosen this behaviour
TinCanTech wrote:
Tue Oct 16, 2018 7:48 pm
The trac ticket you listed refers to a workaround, if you would like to try that
seb101 wrote:
Wed Oct 17, 2018 8:27 am
I can't find any documentation to explain the current behavior. Whether it's reloaded on every connection or after a time limit, or some other factor.
When using --ca & --crl-verify the CRL is reloaded on every client connection.

When using --capath getting a straight answer is considerably more challenging, please raise a ticket.
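Since the thread leaves the reload timing under --capath open, the one thing the CA-side drop script can guarantee is that the file it drops is valid and named the way an OpenSSL hash-directory lookup expects (<issuer-hash>.r<N>). The script below is an added example, not code from the thread or from the OpenVPN project; it assumes the openssl CLI is installed and that the caller passes the capath directory, the issuing CA certificate and the new CRL file.

```shell
#!/bin/sh
# Install a freshly issued CRL into an OpenVPN --capath directory.
# Hypothetical helper (not OpenVPN's or the poster's script): assumes the
# openssl CLI is on PATH and arguments are: <capath> <ca-cert.pem> <new-crl.pem>.
set -eu

# Return the lowest unused suffix N for "<hash>.rN" inside the capath dir.
# OpenSSL's by-directory lookup probes .r0, .r1, ... in order, so a new CRL
# must not silently overwrite an older file that is still in place.
next_crl_suffix() {
    capath=$1; hash=$2; n=0
    while [ -e "$capath/$hash.r$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Validate the CRL signature against the issuing CA, then copy it into the
# capath directory under its hashed filename. Prints the installed path.
install_crl() {
    capath=$1; ca_cert=$2; crl=$3
    # A CRL not signed by this CA would never be consulted by the server;
    # fail loudly here rather than dropping a useless file.
    openssl crl -in "$crl" -CAfile "$ca_cert" -noout >/dev/null
    # Hash of the CRL issuer name, in the same form the capath lookup uses.
    hash=$(openssl crl -in "$crl" -noout -hash)
    n=$(next_crl_suffix "$capath" "$hash")
    dest="$capath/$hash.r$n"
    # Write to a temp file and rename so the server never reads a half-written CRL.
    tmp="$capath/.$hash.r$n.tmp"
    cp "$crl" "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$dest"
    echo "$dest"
}

# Run only when invoked with the three expected arguments.
if [ "$#" -eq 3 ]; then
    install_crl "$1" "$2" "$3"
fi
```

After the copy, confirm the server actually rejects a revoked certificate; whether it re-reads the directory on the next handshake is exactly the unanswered question above, so the --ca plus --crl-verify path is the one with a known per-connection reload.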

Re: When does OpenVPN reload CRLs with -capath?

Posted: Tue Dec 05, 2023 3:41 pm
by psztoch
Any progress?
Lack of support for multiple CAs is sometimes quite a problem...