Netgate Discussion Forum

Solved: OpenVPN and Certificate Revocation Lists

AlexMercer, Sep 12, 2024, 9:42 AM (last edited Sep 12, 2024, 10:39 AM)

    Quick intro to the setup: pfSense 2.4.5-RELEASE-p1, running OpenVPN - 2 servers sharing a local database of users. I don't want to introduce more complexity with an outside identity/authentication provider.

    Goal: I want to be able to use the same database of users, but also to be able to stop user access to OpenVPN Server1 or OpenVPN Server2. My idea is to enable the Peer Certificate Revocation list and just create different lists.

    The problem:
    This is the current situation with the OpenVPN Server1: when I enable the Peer Certificate Revocation list and try to connect to the VPN, the connection fails for ALL users, not just the one user that has its certificate in the Revocation list.

    This is the log of what happens:

    Sep 12 11:07:27 openvpn 25920 TCP connection established with [AF_INET]91.119.56.114:62514
    Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 VERIFY ERROR: depth=0, error=CRL has expired: C=AT, ST=Vienna, L=Vienna, O=Some Cool Organisation, CN=XXX
    Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 TLS_ERROR: BIO read tls_read_plaintext error
    Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 TLS Error: TLS object -> incoming plaintext read error
    Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 TLS Error: TLS handshake failed
    Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 Fatal TLS error (check_tls_errors_co), restarting
    

    If I go to the server settings and disable the Revocation list, all the users connect normally again.
    It seems that I am clearly missing something, some setup or option.
    Any ideas what might be causing the issue?
    Thank you!


    AlexMercer, Sep 12, 2024, 10:41 AM (last edited Sep 12, 2024, 10:42 AM)

      Replying to my own topic - I've missed something, like I thought:

      I was re-using an old list of revoked certificates. It appears that the CRL (Certificate Revocation List) has an expiry date, which is in no way visible in the GUI, to be honest. When I created a new list and applied it to the VPN, everything works as expected. The thing is that this becomes clear only when you go to create another CRL; to be honest, GPT4 solved it for me.

      Please close the topic.

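The root cause in this thread is a CRL whose nextUpdate date has passed: OpenSSL then rejects every client certificate with "CRL has expired", not only the revoked one, because it cannot trust revocation status at all. The quickest check on an exported CRL is `openssl crl -in crl.pem -noout -lastupdate -nextupdate`. The script below is an added example (my own code, not from this thread, pfSense or OpenVPN) that does the same check without any library: it walks the DER structure of a CertificateList just far enough to read thisUpdate and nextUpdate, and reports whether the CRL is stale. It builds its own constructed, unsigned sample CRL (issuer "Sample CA", dummy signature bytes) so it runs offline; the function names and the sample values are mine. Treating a CRL with no nextUpdate as non-expiring follows my reading of OpenSSL's CRL check and is an assumption.

```python
import base64
import datetime as dt
import re

# ASN.1 DER tags used by an X.509 CRL (RFC 5280 section 5.1)
SEQUENCE, SET, INTEGER, OID, UTF8STRING, BIT_STRING = 0x30, 0x31, 0x02, 0x06, 0x0C, 0x03
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18
UTC = dt.timezone.utc


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode a CRL Time (UTCTime or GeneralizedTime, both 'Z' terminated) into an aware datetime."""
    text = value.decode("ascii")
    if tag == UTC_TIME:                                # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == GENERALIZED_TIME:                      # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=UTC)


def load_crl(data):
    """Accept a PEM ('-----BEGIN X509 CRL-----') or raw DER CRL and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
        if not m:
            raise ValueError("no X509 CRL block found")
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate is None when absent."""
    tag, cert_list, _ = _read_tlv(der, 0)             # CertificateList ::= SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("not a DER CertificateList")
    tag, tbs, _ = _read_tlv(cert_list, 0)             # tbsCertList ::= SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("missing tbsCertList")
    tag, _, pos = _read_tlv(tbs, 0)                   # version INTEGER (optional) or signature AlgorithmIdentifier
    if tag == INTEGER:
        tag, _, pos = _read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    tag, _, pos = _read_tlv(tbs, pos)                 # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)               # thisUpdate Time
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):                                # nextUpdate is OPTIONAL; if it is absent the next
        tag, val, _ = _read_tlv(tbs, pos)             # element is revokedCertificates or [0] crlExtensions
        if tag in (UTC_TIME, GENERALIZED_TIME):
            next_update = _parse_time(tag, val)
    return this_update, next_update


def crl_is_expired(der, now=None):
    """True when nextUpdate lies in the past, the condition behind OpenSSL's 'CRL has expired' error.
    A CRL without nextUpdate is treated as non-expiring (assumption: my reading of OpenSSL's CRL check)."""
    now = now if now is not None else dt.datetime.now(UTC)
    _, next_update = crl_validity(der)
    return next_update is not None and next_update < now


def _tlv(tag, value):
    """Encode one DER TLV (definite length, short or long form). Used only to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_crl(this_update, next_update=None):
    """CONSTRUCTED test data: a minimal, unsigned CertificateList with no revoked entries.
    The signature is dummy bytes, so this only exercises date parsing; it is not a usable CRL."""
    def utc_time(t):
        return _tlv(UTC_TIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sig_alg = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    cn = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("550403")) + _tlv(UTF8STRING, b"Sample CA"))
    issuer = _tlv(SEQUENCE, _tlv(SET, cn))
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + sig_alg + issuer + utc_time(this_update)
               + (utc_time(next_update) if next_update is not None else b""))
    return _tlv(SEQUENCE, tbs + sig_alg + _tlv(BIT_STRING, b"\x00" + bytes(8)))


def to_pem(der):
    """Wrap DER bytes in the PEM armour pfSense exports, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % body).encode("ascii")


def report(pem_or_der, now=None):
    """One-line summary of a CRL's validity window and whether it is stale right now."""
    der = load_crl(pem_or_der)
    this_update, next_update = crl_validity(der)
    state = "EXPIRED" if crl_is_expired(der, now) else "valid"
    return "thisUpdate=%s nextUpdate=%s -> %s" % (
        this_update.isoformat(), next_update.isoformat() if next_update else "absent", state)


if __name__ == "__main__":
    # A stale CRL like the one in the thread: issued long ago, nextUpdate already behind us.
    stale = to_pem(build_sample_crl(dt.datetime(2023, 1, 1, tzinfo=UTC), dt.datetime(2023, 7, 1, tzinfo=UTC)))
    print(report(stale))
```

To check a real CRL, export it from pfSense and pass the file contents to `report()`; the parser follows RFC 5280 field order, so it reads CRLs produced by OpenSSL, EasyRSA or pfSense without needing the signature to be valid. Alerting when nextUpdate is within a few days of the present is the monitoring check that would have prevented the outage described in the thread.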
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.