Home / Browse / OpenVPN / Mail / Archive

Donate

OpenVPN

Email Archive: openvpn-users (read-only)

2002:	_Jan	_Feb	_Mar (12)	_Apr (45)	_May (34)	_Jun (50)	_Jul (39)	_Aug (39)	_Sep (29)	_Oct (28)	_Nov (30)	_Dec (28)
2003:	_Jan (18)	_Feb (20)	_Mar (10)	_Apr (19)	_May (72)	_Jun (42)	_Jul (31)	_Aug (153)	_Sep (156)	_Oct (233)	_Nov (213)	_Dec (137)
2004:	_Jan (255)	_Feb (292)	_Mar (449)	_Apr (241)	_May (412)	_Jun (541)	_Jul (532)	_Aug (611)	_Sep (689)	_Oct (804)	_Nov (676)	_Dec (715)
2005:	_Jan (639)	_Feb (695)	_Mar (756)	_Apr (562)	_May (497)	_Jun (424)	_Jul (394)	_Aug (427)	_Sep (390)	_Oct (418)	_Nov (387)	_Dec (494)
2006:	_Jan (503)	_Feb (436)	_Mar (563)	_Apr (448)	_May (400)	_Jun (420)	_Jul (240)	_Aug (362)	_Sep (292)	_Oct (408)	_Nov (318)	_Dec (245)
2007:	_Jan (330)	_Feb (241)	_Mar (259)	_Apr (216)	_May (305)	_Jun (277)	_Jul (288)	_Aug (269)	_Sep (273)	_Oct (248)	_Nov (267)	_Dec (265)
2008:	_Jan (312)	_Feb (454)	_Mar (358)	_Apr (195)	_May (352)	_Jun (305)	_Jul (233)	_Aug (385)	_Sep (441)	_Oct (325)	_Nov (301)	_Dec (329)
2009:	_Jan (344)	_Feb (263)	_Mar (350)	_Apr (262)	_May (255)	_Jun (161)	_Jul (330)	_Aug (281)	_Sep (285)	_Oct (230)	_Nov (304)	_Dec (284)
2010:	_Jan (353)	_Feb (260)	_Mar (357)	_Apr (403)	_May (335)	_Jun (236)	_Jul (199)	_Aug (247)	_Sep (212)	_Oct (160)	_Nov (118)	_Dec (110)
2011:	_Jan (172)	_Feb (105)	_Mar (113)	_Apr (120)	_May (124)	_Jun (88)	_Jul (94)	_Aug (63)	_Sep (78)	_Oct (42)	_Nov (137)	_Dec (90)
2012:	_Jan (75)	_Feb (113)	_Mar (90)	_Apr (77)	_May (68)	_Jun (58)	_Jul (67)	_Aug (119)	_Sep (56)	_Oct (60)	_Nov (72)	_Dec (48)
2013:	_Jan (78)	_Feb (93)	_Mar (114)	_Apr (79)	_May (39)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Openvpn-users] CRLs from multiple CAs

From: John A. Sullivan III <jsullivan@op...> - 2006-01-19 03:52

I finally got OpenVPN working with multiple CAs by concatenating the CA
certs into one file and using that with the ca parameter.  Thanks to all
on the list who helped me understand that.

However, does one handle the CRLs the same way? In other words, I will
need CRLs from each of those CAs but there is only one file as an
argument to crl-verify so does one simply concatenate the CRLs from the
different CAs together? Of course, that then implies a manual process
for CRL distribution.  Is there an automated way to retrieve CRLs built
in to OpenVPN or must one do it with third party scripts? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: [Openvpn-users] CRLs from multiple CAs

From: Alon Bar-Lev <alon.barlev@gm...> - 2006-01-19 18:09

John A. Sullivan III wrote:
> I finally got OpenVPN working with multiple CAs by concatenating the CA
> certs into one file and using that with the ca parameter.  Thanks to all
> on the list who helped me understand that.
> 
> However, does one handle the CRLs the same way? In other words, I will
> need CRLs from each of those CAs but there is only one file as an
> argument to crl-verify so does one simply concatenate the CRLs from the
> different CAs together? Of course, that then implies a manual process
> for CRL distribution.  Is there an automated way to retrieve CRLs built
> in to OpenVPN or must one do it with third party scripts? Thanks - John

Hello,

Have you tried --capath option?
It does what you require.
But there is a problem, you cannot modify the CRL files 
while the OpenVPN process is up.

I've looked at this issue a while ago, but could not find 
time to complete.

Best Regards,
Alon Bar-Lev.

Re: [Openvpn-users] CRLs from multiple CAs

From: John A. Sullivan III <jsullivan@op...> - 2006-01-19 18:31

On Thu, 2006-01-19 at 20:08 +0200, Alon Bar-Lev wrote:
> John A. Sullivan III wrote:
> > I finally got OpenVPN working with multiple CAs by concatenating the CA
> > certs into one file and using that with the ca parameter.  Thanks to all
> > on the list who helped me understand that.
> > 
> > However, does one handle the CRLs the same way? In other words, I will
> > need CRLs from each of those CAs but there is only one file as an
> > argument to crl-verify so does one simply concatenate the CRLs from the
> > different CAs together? Of course, that then implies a manual process
> > for CRL distribution.  Is there an automated way to retrieve CRLs built
> > in to OpenVPN or must one do it with third party scripts? Thanks - John
> 
> Hello,
> 
> Have you tried --capath option?
> It does what you require.
> But there is a problem, you cannot modify the CRL files 
> while the OpenVPN process is up.
> 
> I've looked at this issue a while ago, but could not find 
> time to complete.
> 
> Best Regards,
> Alon Bar-Lev.
Thanks but I don't see that option in the man pages - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...

Financially sustainable open source development
http://www.opensourcedevel.com

Re: [Openvpn-users] CRLs from multiple CAs

From: Alon Bar-Lev <alon.barlev@gm...> - 2006-01-19 20:31

John A. Sullivan III wrote:
>> Hello,
>>
>> Have you tried --capath option?
>> It does what you require.
>> But there is a problem, you cannot modify the CRL files 
>> while the OpenVPN process is up.
>>
>> I've looked at this issue a while ago, but could not find 
>> time to complete.
>>
>> Best Regards,
>> Alon Bar-Lev.
> Thanks but I don't see that option in the man pages - John

True, but it exists in the 2.1 series... It expects openssl 
hashed certificate+crl directory.

Best Regards,
Alon Bar-Lev.

Re: [Openvpn-users] CRLs from multiple CAs

From: John A. Sullivan III <jsullivan@op...> - 2006-01-19 20:47

On Thu, 2006-01-19 at 22:24 +0200, Alon Bar-Lev wrote:
> John A. Sullivan III wrote:
> >> Hello,
> >>
> >> Have you tried --capath option?
> >> It does what you require.
> >> But there is a problem, you cannot modify the CRL files 
> >> while the OpenVPN process is up.
> >>
> >> I've looked at this issue a while ago, but could not find 
> >> time to complete.
> >>
> >> Best Regards,
> >> Alon Bar-Lev.
> > Thanks but I don't see that option in the man pages - John
> 
> True, but it exists in the 2.1 series... It expects openssl 
> hashed certificate+crl directory.
> 
<snip>
Strange . . . I'm using 2.1 betas 7 and 8.  I even searched the online
2.1 man page.  Perhaps I'm just brain-cramping.  It has been a long
couple of days! - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: [Openvpn-users] CRLs from multiple CAs

From: Alon Bar-Lev <alon.barlev@gm...> - 2006-01-19 20:55

John A. Sullivan III wrote:
> <snip>
> Strange . . . I'm using 2.1 betas 7 and 8.  I even searched the online
> 2.1 man page.  Perhaps I'm just brain-cramping.  It has been a long
> couple of days! - John

You are right, it is not documented well... try:
# openvpn --help | grep capath
--capath dir    : A directory of trusted certificates (CAs 
and CRLs).

Alon.

Re: [Openvpn-users] CRLs from multiple CAs

From: John A. Sullivan III <jsullivan@op...> - 2006-01-20 22:06

On Thu, 2006-01-19 at 22:54 +0200, Alon Bar-Lev wrote:
> John A. Sullivan III wrote:
> > <snip>
> > Strange . . . I'm using 2.1 betas 7 and 8.  I even searched the online
> > 2.1 man page.  Perhaps I'm just brain-cramping.  It has been a long
> > couple of days! - John
> 
> You are right, it is not documented well... try:
> # openvpn --help | grep capath
> --capath dir    : A directory of trusted certificates (CAs 
> and CRLs).
<snip>
Ah, Ok, now I see it.  Why does this create a problem with reading the
most current CRL, i.e., changing CRLs without restarting OpenVPN?

The how-to on crl-verify states:
When the crl-verify option is used in OpenVPN, the CRL file will be
re-read any time a new client connects or an existing client
renegotiates the SSL/TLS connection (by default once per hour). This
means that you can update the CRL file while the OpenVPN server daemon
is running, and have the new CRL take effect immediately for newly
connecting clients. 

Is this different when using capath? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...

Financially sustainable open source development
http://www.opensourcedevel.com

Re: [Openvpn-users] CRLs from multiple CAs

From: Alon Bar-Lev <alon.barlev@gm...> - 2006-01-21 20:25

John A. Sullivan III wrote:
> Ah, Ok, now I see it.  Why does this create a problem with reading the
> most current CRL, i.e., changing CRLs without restarting OpenVPN?
> 
> The how-to on crl-verify states:
> When the crl-verify option is used in OpenVPN, the CRL file will be
> re-read any time a new client connects or an existing client
> renegotiates the SSL/TLS connection (by default once per hour). This
> means that you can update the CRL file while the OpenVPN server daemon
> is running, and have the new CRL take effect immediately for newly
> connecting clients. 
> 
> Is this different when using capath? Thanks - John

The capath replaces the crl-verify and ca options into 
default OpenSSL search directory. OpenSSL does not reload 
the CRL each time it accesses it. This is what yet need to 
be completed.

Best Regards,
Alon Bar-Lev.

4 messages have been excluded from this view by a project administrator.