OpenVPN + wrong CRL shown - revoking Certs doesn't work in all cases
-
Hi jimp,
bad news :(
I did a complete fresh installation of pfsense and I am on 2.0-RC3 (amd64) built on Sun Jul 3 04:02:48 EDT 2011
I created a new CA, created 2 certs (server + client) and configured a new OpenVPN server. I just can connect if I do not select any CRL in the OpenVPN Server configuration.
I opened an other thread on friday because I didn't remember this thread. Perhaps this will help you a little bit to resolve this error.
http://forum.pfsense.org/index.php/topic,38466.0.htmlThanks for your help!
-
So if you revoke a certificate on the CRL, does it work? Does it still just not like an empty CRL? (Well, it's a valid CRL, just doesn't have any certificates revoked in it)
-
I know what you mean - and - you are right.
I created a new certificate and revoked it - so the CRL isn't empty anymore.
An now I can connect with an other certificate which isn't revoked. -
What if you then remove that certificate from the CRL so it's "empty" again?
-
What if you then remove that certificate from the CRL so it's "empty" again?
Sorry for my late reply.
I created a new OpenVPN server, server cert, two user certs. One for use and one for putting into the crl.
First try with the default empty CRL: FAILED
second try with a revoked cert in the CRL: WORKED
third try with cancelling the revocation and an empty CRL again: WORKED -
I have also tested with an empty CRL today, and the OpenVPN entity stopped. I have not tested with entries in CRL.
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.102.1 192.168.102.2 init
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Exiting
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 LZO compression initialized
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Re-using SSL/TLS context2.0-RC3 (i386)
built on Tue Jul 12 21:45:04 EDT 2011 -
Is the CRL file it mentions empty (zero bytes) when it fails, or does it have something in it?
-
Yes, it seems to be 0 byte:
-rw–----- 1 root wheel 0 Jul 13 16:27 server1.crl-verify
-rw------- 1 root wheel 0 Jul 13 09:04 server2.crl-verifyBR,
//Eskild -
That would be the problem then.
I thought I had committed a fix for that before, I'll have to look into it again. Might be a couple days though.
-
Try it with these changes:
https://github.com/bsdperimeter/pfsense/commit/2ce206b048e8496e84f732556219e18290c5481c
(Or wait for a snapshot that includes those changes)
-
Thanks jimp,
the CRL is no longer empty, and works as expected. -
Thanks jimp,
the CRL is no longer empty, and works as expected.Did you try this with a new created CRL which has no certificates revoked in it ? (You remember, creating CRL, revoke a cert, cancel the revocation and then testing?)
I am at home for some days now and it wouldn't be fine, if I crash my OpenVPN and could not access the machine anymore untill I am back at work ;-)
-
Did you try this with a new created CRL which has no certificates revoked in it ? (You remember, creating CRL, revoke a cert, cancel the revocation and then testing?)
I am at home for some days now and it wouldn't be fine, if I crash my OpenVPN and could not access the machine anymore untill I am back at work ;-)
I did, and the CRL is no longer empty even when it has no certificates in it.
-
Hi,
I am using amd64 snapshot from 15 july.
I know there were some fixes before this snapshot. I created a cert some days before this snapshot called "test". I revoked it with the according CRL and it worked. No I wanted to cancel the revocation and wanted to delete the Cert "test" from the according CRL. It couldn't be deleted. It still exists there if I am deleteing it from "certificates".
If I create a new cert with same CA and same CN called "test" it appears again and as revoked. Then I am still not able to delete this cert from the CRL.
-
So you click the "x" on the CRL view, and what happens? Nothing? An error? Something else?
-
There comes a question if I would like to delete the cert from the CRL. I click OK. Then the cert disappears from the list. If I click again on the "Certificate revocation" tab, then the cert is again in the crl.
No visible error message.
-
Should be OK now, I just pushed a fix.
-
Hi,
I did some tests with 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011.
Deleting revoked certs of a CRL is working now as expected.
Allow and deny access is working as it should. I tested it several times with revoking a cert and then deleting the revocation.Thanks jimp!
