Hi Erich,
(copying in the openvpn-devel list as this might be considered a minor bug)
Erich Titl wrote:
> Hi JJK
> at 11.01.2011 15:45, Jan Just Keijser wrote:
>> Hi,
>> ...
>> the "CRL crl.pem is from a different issuer" warning is actually an
>> error: when OpenVPN goes through a stacked CRL list it prints out this
>> message. This should be raised as a (minor) bug.
>> The message is harmless however, as clients with revoked certs are
>> denied access (as I have tested myself).
>> the only way to get rid of this warning is to switch to
>> capath <directory>
>> mode, where the capath directory contains your CA certs and CRL certs as
>> .0 and .r0 files.
>> You can generate the .0 and .r0 files using
>> cp ca.crt cadir/`openssl x509 -hash -noout -in ca.crt`.0
>> cp crl.pem cadir/`openssl x509 -hash -noout -in ca.crt`.r0
> Now this raises a number of questions
> 1) is the file name suffix responsible for the warning to go away
> 2) is the hash based filename responsible ....
> 3) is the fact that both files reside in the cadir directory responsible
> If all 3 then what should be achieved with this condition stacking
actually, it's all 3. OpenSSL has two ways of using certificates and
CRLs; the first method, which is used most often, is to supply a single
certificate file and single CRL file. The cert file and CRL file may be
"stacked", that is, more than one CA can be specified, related or not,
and also more than one CRL file, related or not. The OpenVPN code
processes the CA and CRL file and prints out the warning mentioned when
it finds a CRL that does not belong to a particular cert. This warning
is to prevent people from loading the wrong CRL alongside a particular
ca.crt file. When the wrong file is loaded it is simply ignored by
OpenSSL. It would be nicer to match each CRL against *a* certificate in
the stacked ca.crt file, but this makes the verification algorithm a bit
more complex.
With two certs and CRLs stacked, the warning is printed twice:
- first when CRL_1 is matched against CA_CERT_2
- second when CRL_2 is matched against CA_CERT_1
The second method for using certs and CRLs is to use a 'capath' method
where all certs and CRLs are put in a single directory using a special
naming scheme (the 'openssl x509 -hash' thingie). When validating a
client certificate OpenSSL (and thus, OpenVPN) will go through each of
the .0 files in the 'capath' directory to find a matching CA cert. It
then looks at the corresponding .r0 file (the CRL) to check whether the
certificate has been revoked. Due to the way OpenVPN is coded the CRL
warning is NOT printed in this case.
cheers,
JJK
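As an added example that is not part of this thread and not OpenVPN's or OpenSSL's own code: a small POSIX shell script that builds the 'capath' directory described above. It refuses a CRL whose issuer-name hash does not match the CA's subject-name hash (the "different issuer" condition the warning is about), picks the next free .N/.rN suffix so two CAs with colliding hashes can coexist, and then runs the same hashed-directory lookup with CRL checking that OpenSSL performs for OpenVPN's capath mode. It assumes `openssl` is on PATH; the directory, file and function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: build and check an OpenSSL
# 'capath' directory of the kind OpenVPN's --capath option reads.
# Assumes 'openssl' is on PATH. Directory and file names are placeholders.
set -e

# Hash of the CA certificate's subject name; this is what names the .N file.
ca_hash() {
    openssl x509 -hash -noout -in "$1"
}

# Hash of the CRL's issuer name. For the CRL that belongs to a CA this equals
# ca_hash of that CA; a mismatch is exactly the "different issuer" condition.
crl_hash() {
    openssl crl -hash -noout -in "$1"
}

# install_capath <cadir> <ca.crt> <crl.pem>
# Copies the CA cert to <cadir>/<hash>.N and its CRL to <cadir>/<hash>.rN,
# refusing a CRL whose issuer hash does not match the CA's subject hash.
# Prints the hash on success, returns 1 on a mismatch.
install_capath() {
    cadir=$1 cacert=$2 crl=$3
    h=$(ca_hash "$cacert")
    if [ "$(crl_hash "$crl")" != "$h" ]; then
        echo "refusing: CRL $crl is from a different issuer than $cacert" >&2
        return 1
    fi
    mkdir -p "$cadir"
    # OpenSSL tries <hash>.0, <hash>.1, ... in turn, so two CAs whose subject
    # names hash to the same value can coexist; keep .N and .rN in step.
    n=0
    while [ -e "$cadir/$h.$n" ] || [ -e "$cadir/$h.r$n" ]; do
        n=$((n + 1))
    done
    cp "$cacert" "$cadir/$h.$n"
    cp "$crl" "$cadir/$h.r$n"
    echo "$h"
}

# verify_client <cadir> <client.crt>
# Runs the lookup OpenSSL performs for OpenVPN: find the issuer among the
# .N files, then consult the matching .rN CRL. Prints "ok" or "rejected".
# The output is inspected rather than the exit status because old OpenSSL
# releases exit 0 even when verification fails.
verify_client() {
    cadir=$1 cert=$2
    out=$(openssl verify -CApath "$cadir" -crl_check "$cert" 2>&1 || true)
    case $out in
        *": OK"*) echo ok ;;
        *)        echo rejected ;;
    esac
}

# Command-line use: capath.sh <cadir> <ca.crt> <crl.pem> [client.crt]
if [ "$#" -ge 3 ]; then
    install_capath "$1" "$2" "$3"
    if [ "$#" -ge 4 ]; then
        verify_client "$1" "$4"
    fi
fi
```

Two caveats when using this for real: OpenSSL 1.0.0 changed the subject-name hash algorithm, so the directory must be generated with the same OpenSSL generation that OpenVPN is linked against (`openssl x509 -subject_hash_old` prints the pre-1.0.0 value); and OpenSSL 1.1.0 and later ship `openssl rehash`, which creates the same hash-named links for every certificate and CRL in a directory without the hand-rolled copy step.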