Adriaan de Jong wrote:
-----Original Message-----
From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
Sent: Sunday 3 February 2013 15:52
To: Jan Just Keijser
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
On 03/02/13 12:02, Jan Just Keijser wrote:
hi,
what is the second option to '--crl-verify' supposed to do? in
options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
function 'verify_check_crl_dir'. However, this function does not seem
to do anything....
Quickly looked at the code ... with the 'dir' flag (which sets
SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation. If
you create (touch) a file in the defined directory with the file name
matching a particular client's serial number, the connection will be
denied.
Confirmed, with the footnote that this is a weird way of going about things.
I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards,
and forcing people to either:
- Create an actual CRL file. This is not difficult. In general, people using
OpenVPN should be managing their own CA in the OpenVPN world.
- Failing that, create a custom script to do this.
I'm always open to discussion, but imho this should not be core functionality
in OpenVPN.
I agree that CA cert and CRL management should not be part of the "core"
functionality of OpenVPN.
In one of my setups I've got a --ca-path containing 108 different CA
certs, with 108 CRLs for each of them - concatenating those 108 CRLs
into one big CRL.pem file every day would be a major nuisance...
OpenSSL has very nice support (--ca-path) for a directory containing a
set of CA certs and their corresponding CRLs; AFAIK PolarSSL does not
have this option - so perhaps there is some usefulness to this option
after all?
share and enjoy,
JJK
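As an added illustration of the dir-mode behaviour David describes (this is example code written for this page, not code from the thread or from OpenVPN), the following Python models the per-serial file lookup and a helper that populates such a directory from a list of revoked serials. It assumes the file name is the certificate serial written as a plain decimal string, which is what OpenVPN 2.3's OpenSSL backend formats; check that assumption against your own build, because a hex-named file silently fails to match.

```python
import os
import tempfile


def serial_filename(serial: int) -> str:
    """Name the dir-mode check looks for (assumption: decimal, no padding)."""
    return str(serial)


def is_revoked_by_dir(crl_dir: str, serial: int) -> bool:
    """Model of the 'crl-verify <dir> dir' check: deny iff a file named
    after the client certificate's serial exists in the directory."""
    return os.path.isfile(os.path.join(crl_dir, serial_filename(serial)))


def populate_crl_dir(crl_dir: str, revoked_serials) -> list:
    """Defender-side helper: touch one file per revoked serial, the manual
    equivalent of regenerating a CRL. Returns the file names created."""
    os.makedirs(crl_dir, exist_ok=True)
    created = []
    for serial in revoked_serials:
        path = os.path.join(crl_dir, serial_filename(serial))
        with open(path, "a"):
            pass  # content is irrelevant; only the name matters
        created.append(os.path.basename(path))
    return created


def demo() -> dict:
    """Constructed scenario with a temporary directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as crl_dir:
        populate_crl_dir(crl_dir, [7, 6699])
        results = {
            "serial 7 revoked": is_revoked_by_dir(crl_dir, 7),
            "serial 6699 revoked": is_revoked_by_dir(crl_dir, 6699),
            "serial 8 revoked": is_revoked_by_dir(crl_dir, 8),
        }
        # Pitfall: naming the file with the hex form of serial 44 ("2c")
        # does not revoke it, because the lookup uses the decimal string.
        with open(os.path.join(crl_dir, "2c"), "a"):
            pass
        results["hex-named file 2c revokes serial 44"] = is_revoked_by_dir(crl_dir, 44)
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```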