From: Karl O. P. <ko...@me...> - 2009-05-04 15:55:36
On 05/04/2009 04:58:31 AM, Mathieu GIANNECCHINI wrote:
> Hello,
>
> Karl O. Pinc wrote:
>> I've done more research and found:
>>
>> http://openvpn.net/archive/openvpn-devel/2005-05/msg00048.html
>>
>> It seems that --capath requires that openvpn be restarted
>> to pick up any CRL changes. :-( This is not true if
>> --ca is used with --crl-verify.
>>
>> It seems unlikely that this will change. The only solution
>> that I see is to have OpenVPN re-implement an OpenSSL
>> X509 store-like functionality and have a way to control
>> the caching of CRLs separately from CAs -- or have OpenSSL
>> implement such a change. Otherwise an OpenVPN process that
>> has dropped its privileges and is no longer able to
>> read the CAs will have problems re-reading the CRLs.
>>
>> With --capath out of the running it seems that the
>> way to transition to a new CA when the old one
>> expires is to run a separate OpenVPN instance on
>> another port. :-( At least that seems the way to
>> do it when you're using CRLs.
>>
>> Anyone have a better idea?
>>
>
> A simple way is to add an external CRL check (or OCSP check) with an
> additional feature like that:
>
> http://sourceforge.net/mailarchive/message.php?msg_name=496B7A61.6090602%40free.fr

That would be nice. Too bad it's not part of OpenVPN (yet).

FWIW, I prefer your patch. Having to run a full-blown OCSP server
just because your CA expires seems a bit of overkill.

Karl <ko...@me...>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
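For readers coming to this thread from a configuration rather than the source, here is an added server-config sketch (not from the thread or from OpenVPN's own documentation) contrasting the two CA/CRL arrangements the exchange above is about. The file paths, the `nobody`/`nogroup` user and group, and the directory layout are assumptions for illustration; the option names `ca`, `crl-verify`, `capath`, `user`, `group`, `persist-key` and `persist-tun` are standard OpenVPN 2.x options.

```conf
# --- Arrangement 1: single CA file plus an explicit CRL file ---
# This is the form the thread says does pick up CRL changes without a
# restart: OpenVPN re-reads the CRL file rather than relying on the
# OpenSSL directory lookup's cache.
ca          /etc/openvpn/keys/ca.crt      # assumed path
crl-verify  /etc/openvpn/keys/crl.pem     # assumed path

# --- Arrangement 2: hashed CA directory (commented out) ---
# Per the message quoted above, a CRL placed in the hash directory is
# cached by OpenSSL's X509 store, so revocations added later are not
# seen until the daemon is restarted.  Kept here only for comparison.
#capath     /etc/openvpn/keys/capath      # assumed path

# Privilege drop after startup.  The thread's caveat applies here: once
# the process runs as this user, any file it must re-read at runtime
# (the CRL in arrangement 1) has to remain readable by that user, or
# the re-read fails silently from the daemon's point of view.
user        nobody
group       nogroup
persist-key
persist-tun
```

A quick check to pair with arrangement 1 is to revoke a test client certificate, regenerate `crl.pem`, and confirm the client is refused on its next connection without restarting the daemon; if it is still accepted, look first at the ownership and mode of the CRL file relative to the `user`/`group` above.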