Netgate Discussion Forum

    OpenVPN + wrong CRL shown - revoking Certs doesn't work in all cases

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    38 Posts 5 Posters 15.3k Views
    • jimp (Rebel Alliance Developer, Netgate)

      Not sure why it wouldn't connect - it would help to know if you have any certificates revoked in that CRL, and either way it would help to know if /var/etc/openvpn/server<x>.crl-verify contained anything (where <x> is whatever this instance is).

      As for that extra CRL entry, it may still be a side effect from hand editing your config, or something else that needs cleaning up.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • Nachtfalke

        Hi,

        like I said in my previous post:
        I created a new CRL and a new certificate. Then I revoked this certificate and then cancelled the revocation, just to see if the CRL is empty but with an edit button.
        Now the CRL is empty - no revoked certificates in it.

        The server2.crl-verify file is empty.

        --edit--

        These are the only two blocks with <crl> in my config.xml:

        ```xml
        <crl>
        	<refid>4d401a4cb674f</refid>
        	<caref>4d4018ea7d5dd</caref>
        	<serial>10000</serial>
        	<lifetime>9999</lifetime>
        	<text>xxXXxxXXxx</text>
        </crl>
        <crl>
        	<refid>4dc7030fca8f5</refid>
        	<caref>4d445bf7f2a0c</caref>
        	<serial>9999</serial>
        	<lifetime>9999</lifetime>
        </crl>
        ```
        • jimp (Rebel Alliance Developer, Netgate)

          That top one is probably from a CA you deleted before (note the caref doesn't match)

          OpenVPN may not like a zero-byte crl. I'll have to poke at it some more.

          • Nachtfalke

            I will try to do a complete fresh install of my pfsense to be sure to have no old code fragments in my config.

            • jimp (Rebel Alliance Developer, Netgate)

              I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.

              • Nachtfalke

                Thanks jimp,

                I hope I will find some time on the weekend to test this.

                • Elodie

                  @jimp:

                  I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.

                  Good news jimp!
                  Does that mean we can update our pfsense?

                  • jimp (Rebel Alliance Developer, Netgate)

                    It should be in snapshots by now.

                    • Elodie

                      Great, I'll try it tomorrow or next week and I'll tell you!

                      • Nachtfalke

                        Hi,

                        I did a test today with the CRL but with no success. With the snapshot from today there isn't an empty server2.crl-verify anymore, but there is still the problem that I could not connect to an OpenVPN server when I added a CRL there.

                        I didn't find any time to do a complete reinstallation of my pfsense, so this could perhaps be the problem.

                        • Nachtfalke

                          Hi jimp,

                          bad news :(

                          I did a complete fresh installation of pfsense and I am on 2.0-RC3 (amd64) built on Sun Jul 3 04:02:48 EDT 2011

                          I created a new CA, created 2 certs (server + client) and configured a new OpenVPN server. I can only connect if I do not select any CRL in the OpenVPN Server configuration.

                          I opened another thread on Friday because I didn't remember this thread. Perhaps this will help you a little bit to resolve this error.
                          http://forum.pfsense.org/index.php/topic,38466.0.html

                          Thanks for your help!

                          • jimp (Rebel Alliance Developer, Netgate)

                            So if you revoke a certificate on the CRL, does it work? Does it still just not like an empty CRL? (Well, it's a valid CRL, just doesn't have any certificates revoked in it)

                            • Nachtfalke

                              I know what you mean - and - you are right.
                              I created a new certificate and revoked it - so the CRL isn't empty anymore.
                              And now I can connect with another certificate which isn't revoked.

                              • jimp (Rebel Alliance Developer, Netgate)

                                What if you then remove that certificate from the CRL so it's "empty" again?

                                • Nachtfalke

                                  @jimp:

                                  What if you then remove that certificate from the CRL so it's "empty" again?

                                  Sorry for my late reply.

                                  I created a new OpenVPN server, server cert, two user certs. One for use and one for putting into the CRL.
                                  First try with the default empty CRL: FAILED
                                  second try with a revoked cert in the CRL: WORKED
                                  third try with cancelling the revocation and an empty CRL again: WORKED

                                  • eskild

                                    I have also tested with an empty CRL today, and the OpenVPN entity stopped. I have not tested with entries in CRL.

                                    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.102.1 192.168.102.2 init
                                    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Exiting
                                    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
                                    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 LZO compression initialized
                                    Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Re-using SSL/TLS context

                                    2.0-RC3 (i386)
                                    built on Tue Jul 12 21:45:04 EDT 2011

                                    • jimp (Rebel Alliance Developer, Netgate)

                                      Is the CRL file it mentions empty (zero bytes) when it fails, or does it have something in it?

                                      • eskild

                                        Yes, it seems to be 0 byte:

                                        -rw-------  1 root  wheel    0 Jul 13 16:27 server1.crl-verify
                                        -rw-------  1 root  wheel    0 Jul 13 09:04 server2.crl-verify

                                        BR,
                                        //Eskild

                                        • jimp (Rebel Alliance Developer, Netgate)

                                          That would be the problem then.

                                          I thought I had committed a fix for that before, I'll have to look into it again. Might be a couple days though.

                                          • jimp (Rebel Alliance Developer, Netgate)

                                            Try it with these changes:

                                            https://github.com/bsdperimeter/pfsense/commit/2ce206b048e8496e84f732556219e18290c5481c

                                            (Or wait for a snapshot that includes those changes)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.