Solved: OpenVPN and Certificate Revocation Lists
Quick intro to the setup: pfSense 2.4.5-RELEASE-p1, running OpenVPN - 2 servers sharing a local database of users. I don't want to introduce more complexity with an outside identity/authentication provider.
Goal: I want to be able to use the same database of users, but also to be able to stop user access to OpenVPN Server1 or OpenVPN Server2. My idea is to enable the Peer Certificate Revocation list and just create different lists.
The problem:
This is the current situation with the OpenVPN Server1: when I enable the Peer Certificate Revocation list and try to connect to the VPN, the connection fails for ALL users, not just the one user that has its certificate in the Revocation list. This is the log of what happens:
Sep 12 11:07:27 openvpn 25920 TCP connection established with [AF_INET]91.119.56.114:62514
Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 VERIFY ERROR: depth=0, error=CRL has expired: C=AT, ST=Vienna, L=Vienna, O=Some Cool Organisation, CN=XXX
Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 TLS_ERROR: BIO read tls_read_plaintext error
Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 TLS Error: TLS object -> incoming plaintext read error
Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 TLS Error: TLS handshake failed
Sep 12 11:07:28 openvpn 25920 91.119.xxx.xxx:62514 Fatal TLS error (check_tls_errors_co), restarting
If I go to the server settings and disable the Revocation list, all the users connect normally again.
It seems that I am clearly missing something, some setup or option.
Any ideas what might be causing the issue?
Thank you!
Replying to my own topic - I missed something, as I thought:
I was re-using an old list of revoked certificates. It appears that the CRL (Certificate Revocation List) has an expiry date, which is in no way visible in the GUI, to be honest. When I created a new list and applied it to the VPN, everything worked as expected. The thing is that this becomes clear only when you go to create another CRL; to be honest, GPT4 solved it for me.
Please close the topic.
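The quickest way to see the window the log is complaining about is to export the CRL from pfSense and run `openssl crl -in crl.pem -noout -lastupdate -nextupdate`. The script below is an added example (not pfSense or OpenVPN code) that shows where those two dates sit in the CRL structure and reproduces the check behind "CRL has expired": the verifier compares the current time with the CRL's nextUpdate field, and once that has passed every peer fails verification, revoked or not, which is exactly the symptom in the first post. It parses a PEM CRL with a minimal DER walker (no third-party libraries) and builds its own constructed sample CRL with a placeholder, unsigned signature field; "Toy CA", the serial number and the dates are made-up values.

```python
"""Read thisUpdate/nextUpdate from an X.509 CRL and flag an expired one.
Added example, not pfSense/OpenVPN code; the sample CRL is constructed."""
import base64
from datetime import datetime, timezone


# ---- minimal DER encode/decode, enough for the fields a CRL check needs ----
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def _parse_time(tag: int, val: bytes) -> datetime:
    """Time ::= CHOICE { UTCTime (0x17), GeneralizedTime (0x18) }, both in Zulu."""
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ: RFC 5280 year rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(pem: str):
    """Return (thisUpdate, nextUpdate) of a PEM CRL; nextUpdate is None if absent."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, crl_body, _ = _read_tlv(der, 0)      # CertificateList ::= SEQUENCE
    _, tbs, _ = _read_tlv(crl_body, 0)      # TBSCertList ::= SEQUENCE
    fields = list(_children(tbs))
    i = 1 if fields[0][0] == 0x02 else 0    # optional version INTEGER
    i += 2                                  # signature AlgorithmIdentifier, issuer Name
    this_update = _parse_time(*fields[i])
    next_update = None
    if i + 1 < len(fields) and fields[i + 1][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i + 1])
    return this_update, next_update


def crl_is_expired(pem: str, now: datetime = None) -> bool:
    """True once now is past nextUpdate: the condition OpenSSL reports as 'CRL has expired'."""
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_validity(pem)
    return next_update is not None and now > next_update


# ---- constructed sample CRL (toy issuer, unsigned placeholder signature) ----
def _utctime(dt: datetime) -> bytes:
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def build_sample_crl(this_update: datetime, next_update: datetime, revoked_serial: int = 7) -> str:
    """Build a PEM CRL with the given validity window; for parsing demos only."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                            + _der(0x0C, b"Toy CA"))))          # CN=Toy CA
    revoked = _der(0x30, _der(0x30, _der(0x02, bytes([revoked_serial])) + _utctime(this_update)))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer
               + _utctime(this_update) + _utctime(next_update) + revoked)
    crl = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" + bytes(8)))  # placeholder BIT STRING
    b64 = base64.b64encode(crl).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN X509 CRL-----\n" + body + "\n-----END X509 CRL-----\n"


if __name__ == "__main__":
    # Constructed dates: a 30-day CRL issued 2020-08-13, checked at the time of the log above.
    pem = build_sample_crl(datetime(2020, 8, 13, tzinfo=timezone.utc),
                           datetime(2020, 9, 12, tzinfo=timezone.utc))
    print("thisUpdate/nextUpdate:", crl_validity(pem))
    print("expired at 2020-09-12 11:07Z:",
          crl_is_expired(pem, datetime(2020, 9, 12, 11, 7, 27, tzinfo=timezone.utc)))
```

Because nextUpdate is a hard deadline, re-issuing (or re-exporting from pfSense) the CRL before that date is the fix; a scheduled check of `crl_is_expired` on each server's active CRL, with an alert a few days ahead of nextUpdate, catches the problem before every client is locked out.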