Hi,
why not simply use a CRL file and revoke the unneeded certificate?
To debug the issue, I think we'll need some logs with 'verb 4' - at least
from the server side.
Cheers,
Tom
-----Original Message-----
From: richard lucassen [mailto:[email protected]]
Sent: Thursday, April 16, 2020 12:02 PM
To: [email protected]
Subject: [Openvpn-users] crl-verify
Hello list,
Debian Buster, OpenVPN 2.4.0-6
In the man page there is a flag 'dir' to the option 'crl-verify':
<quote>
If the optional dir flag is specified, enable a different mode where crl is
a directory containing files named as revoked serial numbers (the files may
be empty, the contents are never read). If a client requests a connection,
where the client certificate serial number (decimal string) is the name of
a file present in the directory, it will be rejected.
</quote>
Ok, here we go:
# grep crl-verify /etc/openvpn/server.conf
crl-verify /etc/openvpn/crl dir
I'd like to block cert with serial number 0B:
# openssl x509 -noout -serial -in test.crt | \
sed 's/.*=//g;s/../&:/g;s/:$//'
0B
AFAIU the manpage I only have to touch the file:
# touch /etc/openvpn/crl/0B
to prevent the cert with serial number 0B from connecting, but no way, I am
still able to connect using this cert with serial 0B.
Have I missed something crucial somewhere?
R.
--
richard lucassen
http://contact.xaq.nl/
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
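Added example, not code from either poster or from the OpenVPN project: the manpage text quoted in the thread says the files in the 'dir' mode directory are named by the client certificate serial number as a decimal string, whereas `openssl x509 -serial` prints the serial in hexadecimal (e.g. `0B`). The script below converts the hex serial to the decimal filename (`0B` becomes `11`, `0A:0B` becomes `2571`) without relying on shell integer width, since real certificate serials are often 16 to 20 random bytes, and then checks whether a given serial has a matching file in the directory. The directory path, the helper names `hex_to_dec`, `mul16_add` and `crl_dir_rejects`, and the sample serials are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): map an OpenSSL hex serial to the
# decimal filename that 'crl-verify <dir> dir' expects, using only POSIX sh.

# Multiply an arbitrary-length decimal string by 16 and add a small value.
# Used as the inner step of hex-to-decimal conversion so that long serials
# (16 to 20 bytes) do not overflow the shell's native integers.
mul16_add() {
  num=$1; carry=$2; out=""
  while [ -n "$num" ]; do
    d=${num#"${num%?}"}        # last decimal digit
    num=${num%?}               # drop it
    t=$((d * 16 + carry))
    out="$((t % 10))$out"
    carry=$((t / 10))
  done
  if [ "$carry" -gt 0 ]; then
    out="$carry$out"
  fi
  printf '%s\n' "$out"
}

# Convert a hex serial as printed by 'openssl x509 -noout -serial'
# (with or without the 'serial=' prefix, with or without ':' separators)
# into the decimal string the manpage describes.
hex_to_dec() {
  hex=${1#serial=}
  dec=0
  while [ -n "$hex" ]; do
    nib=${hex%"${hex#?}"}      # first hex digit
    hex=${hex#?}               # drop it
    case $nib in
      :) continue ;;           # separator from the sed output, ignore
      [0-9]) v=$nib ;;
      [aA]) v=10 ;; [bB]) v=11 ;; [cC]) v=12 ;;
      [dD]) v=13 ;; [eE]) v=14 ;; [fF]) v=15 ;;
      *) printf 'bad hex digit: %s\n' "$nib" >&2; return 1 ;;
    esac
    dec=$(mul16_add "$dec" "$v")
  done
  printf '%s\n' "$dec"
}

# Return 0 if the crl directory holds a file for this hex serial, i.e. the
# client would be rejected under the manpage's described behaviour.
# Usage: crl_dir_rejects /etc/openvpn/crl 0B
crl_dir_rejects() {
  dir=$1; serial=$2
  name=$(hex_to_dec "$serial") || return 2
  [ -e "$dir/$name" ]
}

# Demo with a constructed temporary directory standing in for /etc/openvpn/crl.
demo() {
  tmp=$(mktemp -d)
  touch "$tmp/$(hex_to_dec 0B)"           # creates "$tmp/11", not "$tmp/0B"
  for s in 0B 0C; do
    if crl_dir_rejects "$tmp" "$s"; then
      printf 'serial %s (decimal %s): rejected\n' "$s" "$(hex_to_dec "$s")"
    else
      printf 'serial %s (decimal %s): allowed\n' "$s" "$(hex_to_dec "$s")"
    fi
  done
  rm -rf "$tmp"
}

demo
```

To revoke a certificate in this mode, feed the `openssl x509 -noout -serial -in client.crt` output through `hex_to_dec` and `touch` the resulting name in the directory; running `crl_dir_rejects` against the same serial afterwards confirms the file is where the server will look for it.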