From: Mathieu G. <mat...@fr...> - 2009-05-04 10:19:22
Hello,

Karl O. Pinc wrote:
> I've done more research and found:
>
> http://openvpn.net/archive/openvpn-devel/2005-05/msg00048.html
>
> It seems that --capath requires that openvpn be restarted
> to pick up any CRL changes. :-( This is not true if
> --ca is used with --crl-verify.
>
> It seems unlikely that this will change. The only solution
> that I see is to have OpenVPN re-implement an OpenSSL
> X509 store-like functionality and have a way to control
> the caching of CRLs separately from CAs -- or have OpenSSL
> implement such a change. Otherwise an OpenVPN process that
> has dropped its privileges and is no longer able to
> read the CAs will have problems re-reading the CRLs.
>
> With --capath out of the running it seems that the
> way to transition to a new CA when the old one
> expires is to run a separate OpenVPN instance on
> another port. :-( At least that seems the way to
> do it when you're using CRLs.
>
> Anyone have a better idea?
>

A simple way is to add an external CRL check (or OCSP check) with an additional feature like this:
http://sourceforge.net/mailarchive/message.php?msg_name=496B7A61.6090602%40free.fr

> On 04/07/2009 09:01:37 AM, Jan Just Keijser wrote:
>
>> Try something like
>>
>> hash=`openssl x509 -hash -noout -in <ca1-file>`
>> cp <ca1-file> capath/$hash.0
>> cp <crl1-file> capath/$hash.r0
>>
>> hash=`openssl x509 -hash -noout -in <ca2-file>`
>> cp <ca2-file> capath/$hash.0
>> cp <crl2-file> capath/$hash.r0
>>
>> and then use
>> --capath .../capath
>> in your openvpn config.
>>
>> HTH,
>>
>> JJK
>>
>>
>> Karl O. Pinc wrote:
>>
>>> On 04/06/2009 09:13:02 PM, Josh Cepek wrote:
>>>
>>>> Hopefully this will save someone else the hassle of running strace
>>>> to see what files are being referenced or digging deep in the OpenSSL
>>>> docs for answers.
>>>>
>>> I have not found a good searchable archive for this list.
>>> Are there any recommendations?
>>>
>>>
>>> Karl <ko...@me...>
>>> Free Software: "You don't pay back, you pay forward."
>>> -- Robert A. Heinlein
>>>
>>
>
> Karl <ko...@me...>
> Free Software: "You don't pay back, you pay forward."
> -- Robert A. Heinlein
>
> Openvpn-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
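As an added example (not code from this thread, from JJK or from the OpenVPN project), here is a POSIX shell script that does what the quoted `cp <ca-file> capath/$hash.0` snippet does, but also handles the case that snippet silently gets wrong: a second CA whose subject hash already occupies `$hash.0` (a genuine hash collision, or the same CA installed twice) must go in the next free slot, because OpenSSL's by_dir lookup walks `.0`, `.1`, `.2`, ... and stops at the first missing file. The script assumes the `openssl` command-line tool is available; the function names `install_ca`, `verify_cert` and `demo` are this example's own, and the CA, client certificate and CRL that `demo` builds are constructed throwaway data.

```shell
#!/bin/sh
# Added example (not from the thread): populate an OpenSSL-style --capath
# directory with CA certificates and their CRLs, then check revocation
# against it with the openssl CLI. Function names are this example's own.
set -eu

# Install a CA certificate and (optionally) its CRL into $1 using the names
# OpenSSL's by_dir lookup expects: <subject-hash>.<n> for the certificate and
# <subject-hash>.r<n> for the CRL. Lookup tries n = 0, 1, 2, ... and stops at
# the first missing file, so a CA whose hash is already taken gets the next
# free n instead of overwriting <hash>.0 as a bare "cp ... $hash.0" would.
install_ca() {
  capath=$1; cafile=$2; crlfile=${3:-}
  hash=$(openssl x509 -hash -noout -in "$cafile")
  fp=$(openssl x509 -fingerprint -sha256 -noout -in "$cafile")
  n=0
  while [ -e "$capath/$hash.$n" ]; do
    # Same certificate already sits in this slot: reuse it (this refreshes its CRL).
    [ "$(openssl x509 -fingerprint -sha256 -noout -in "$capath/$hash.$n")" = "$fp" ] && break
    n=$((n + 1))
  done
  cp "$cafile" "$capath/$hash.$n"
  if [ -n "$crlfile" ]; then
    # A CRL is looked up by its issuer hash, so it must have been issued by this CA.
    [ "$(openssl crl -hash -noout -in "$crlfile")" = "$hash" ] ||
      { echo "install_ca: CRL issuer does not match $cafile" >&2; return 1; }
    cp "$crlfile" "$capath/$hash.r$n"
  fi
  echo "$hash.$n"
}

# Verify a certificate against the directory, including the CRL check;
# returns 0 when the chain is valid and the certificate is not revoked.
verify_cert() {
  openssl verify -CApath "$1" -crl_check "$2" >/dev/null 2>&1
}

# Self-contained demonstration on constructed data: build a throwaway CA,
# issue a client certificate, verify it, then revoke it, regenerate the CRL
# and refresh <hash>.r0 in place. Returns 0 if every step behaves as expected.
demo() {
  work=$(mktemp -d)
  capath=$work/capath; cadir=$work/ca
  mkdir -p "$capath" "$cadir/newcerts"
  : > "$cadir/index.txt"
  echo 01 > "$cadir/serial"
  echo 01 > "$cadir/crlnumber"
  cat > "$cadir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
default_md = sha256
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $cadir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
x509_extensions = v3_leaf
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  openssl req -config "$cadir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj /CN=Demo-CA -keyout "$cadir/ca.key" -out "$cadir/ca.pem" >/dev/null 2>&1
  openssl req -config "$cadir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=client1 -keyout "$work/client.key" -out "$work/client.csr" >/dev/null 2>&1
  openssl ca -config "$cadir/ca.cnf" -batch -notext \
    -in "$work/client.csr" -out "$work/client.pem" >/dev/null 2>&1
  openssl ca -config "$cadir/ca.cnf" -gencrl -out "$work/crl.pem" >/dev/null 2>&1

  slot=$(install_ca "$capath" "$cadir/ca.pem" "$work/crl.pem")
  case $slot in *.0) ;; *) return 1 ;; esac               # first install lands in slot 0
  verify_cert "$capath" "$work/client.pem" || return 1     # valid: CRL is still empty

  openssl ca -config "$cadir/ca.cnf" -revoke "$work/client.pem" >/dev/null 2>&1
  openssl ca -config "$cadir/ca.cnf" -gencrl -out "$work/crl.pem" >/dev/null 2>&1
  slot2=$(install_ca "$capath" "$cadir/ca.pem" "$work/crl.pem")
  [ "$slot2" = "$slot" ] || return 1                       # same CA reuses its slot
  if verify_cert "$capath" "$work/client.pem"; then return 1; fi   # now revoked
  rm -rf "$work"
  echo "capath CRL handling OK"
}

case ${1:-} in demo) demo ;; esac
```

Run it as `sh capath.sh demo` to see the whole cycle, or source it and call `install_ca /etc/openvpn/capath ca.pem crl.pem` for each CA. Note what this does and does not solve: refreshing `<hash>.r0` on disk is exactly the step the thread says a running OpenVPN with --capath will not notice until it is restarted, whereas --ca together with --crl-verify re-reads the CRL; the script only makes the on-disk directory correct, including for the second-CA case where a plain copy to `$hash.0` would clobber the first CA.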