OpenVPN + wrong CRL shown - revoking Certs doesn't work in all cases
-
I will try to do a complete fresh install of my pfsense to be sure to have no old code fragments in my config.
-
I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.
-
Thanks jimp,
I hope I will find some time on weekend to test this.
-
Good news jimp!
Does that mean we can update our pfsense?
-
It should be in snapshots by now.
-
Great, I'll try it tomorrow or next week and I'll tell you!
-
Hi,
I did a test today with the CRL but with no success. With the snapshot from today there isn't an empty server2.crl-verify anymore, but there is still the problem that I could not connect to an OpenVPN server when I added a CRL there.
I didn't find any time to do a complete reinstallation of my pfsense, so this could perhaps be the problem.
-
Hi jimp,
bad news :(
I did a complete fresh installation of pfsense and I am on 2.0-RC3 (amd64) built on Sun Jul 3 04:02:48 EDT 2011
I created a new CA, created 2 certs (server + client) and configured a new OpenVPN server. I can only connect if I do not select any CRL in the OpenVPN Server configuration.
I opened another thread on Friday because I didn't remember this thread. Perhaps this will help you a little bit to resolve this error.
http://forum.pfsense.org/index.php/topic,38466.0.html
Thanks for your help!
-
So if you revoke a certificate on the CRL, does it work? Does it still just not like an empty CRL? (Well, it's a valid CRL, just doesn't have any certificates revoked in it)
-
I know what you mean - and - you are right.
I created a new certificate and revoked it - so the CRL isn't empty anymore.
And now I can connect with another certificate which isn't revoked.
-
What if you then remove that certificate from the CRL so it's "empty" again?
-
Sorry for my late reply.
I created a new OpenVPN server, server cert, two user certs. One for use and one for putting into the CRL.
First try with the default empty CRL: FAILED
Second try with a revoked cert in the CRL: WORKED
Third try with cancelling the revocation and an empty CRL again: WORKED
-
I have also tested with an empty CRL today, and the OpenVPN entity stopped. I have not tested with entries in CRL.
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.102.1 192.168.102.2 init
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Exiting
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 LZO compression initialized
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Re-using SSL/TLS context
2.0-RC3 (i386)
built on Tue Jul 12 21:45:04 EDT 2011
-
Is the CRL file it mentions empty (zero bytes) when it fails, or does it have something in it?
-
Yes, it seems to be 0 bytes:
-rw------- 1 root wheel 0 Jul 13 16:27 server1.crl-verify
-rw------- 1 root wheel 0 Jul 13 09:04 server2.crl-verify
BR,
//Eskild
-
That would be the problem then.
I thought I had committed a fix for that before, I'll have to look into it again. Might be a couple days though.
-
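The failure in this thread is a 0-byte crl-verify file, which OpenVPN refuses with "cannot read CRL", while a CRL that simply lists no revoked certificates is a valid file that OpenVPN accepts. The following is an added pre-flight check, not pfSense or OpenVPN code, that tells the two cases apart with a stdlib-only walk of the CRL's DER structure (it checks syntax only, not the signature); `build_sample_crl` and its "Test CA" issuer and dummy signature are constructed test data, not a real CA.

```python
import base64, re

def _tlv(buf, pos):  # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):  # (tag, value) children of a SEQUENCE/SET body
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def classify_crl(data):
    """Return 'empty-file', 'not-a-crl' or 'valid:<n> revoked' (syntax only, no signature check)."""
    if not data:
        return "empty-file"  # the 0-byte crl-verify case that made OpenVPN exit
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    try:
        der = base64.b64decode(m.group(1)) if m else data  # PEM, else assume raw DER
        tag, cert_list, _ = _tlv(der, 0)   # CertificateList ::= SEQUENCE { tbsCertList, alg, sig }
        tag2, tbs, _ = _tlv(cert_list, 0)  # tbsCertList ::= SEQUENCE
        if tag != 0x30 or tag2 != 0x30:
            raise ValueError("outer structure is not SEQUENCE/SEQUENCE")
    except (IndexError, ValueError):
        return "not-a-crl"
    # tbsCertList: [version] signature issuer thisUpdate [nextUpdate] [revokedCertificates] [exts]
    seen_time, revoked = False, 0
    for t, v in _children(tbs):
        if t in (0x17, 0x18):          # UTCTime / GeneralizedTime
            seen_time = True
        elif t == 0x30 and seen_time:  # first SEQUENCE after the dates is revokedCertificates
            revoked = len(_children(v))
    return f"valid:{revoked} revoked"

def _der(tag, content):  # minimal DER encoder for the constructed samples (content < 256 bytes)
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + content
def build_sample_crl(revoked_serials):
    """CONSTRUCTED sample PEM CRL (dummy signature, 'Test CA'); omits revokedCertificates when empty."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"Test CA"))))
    dates = _der(0x17, b"110713000000Z") + _der(0x17, b"120713000000Z")  # thisUpdate, nextUpdate
    entries = b"".join(_der(0x30, _der(0x02, bytes([s])) + _der(0x17, b"110713000000Z")) for s in revoked_serials)
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + dates + (_der(0x30, entries) if entries else b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))  # BIT STRING placeholder signature
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"
```

Run `classify_crl(open("/var/etc/openvpn/server1.crl-verify", "rb").read())` before restarting the OpenVPN instance; anything other than a `valid:` result means the service will stop as in the log above.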
Try it with these changes:
https://github.com/bsdperimeter/pfsense/commit/2ce206b048e8496e84f732556219e18290c5481c
(Or wait for a snapshot that includes those changes)
-
Thanks jimp,
the CRL is no longer empty, and works as expected.
-
Did you try this with a newly created CRL which has no certificates revoked in it? (You remember, creating CRL, revoke a cert, cancel the revocation and then testing?)
I am at home for some days now and it wouldn't be fine, if I crash my OpenVPN and could not access the machine anymore until I am back at work ;-)
-
I did, and the CRL is no longer empty even when it has no certificates in it.