On 17.06.23 11:40, Gert Doering wrote:
> This is from the working connection - so it's "just log noise", it seems,
> not causing an actual session abort.

I agree, but the Monk in me would have a really hard time if this happened on my system. :-)

> My gut feeling is that there is some garbage at the *end* of the CRL file,
> so OpenSSL is able to read "loaded 1 CRLs" from the file, and then there is
> something more, which confuses OpenSSL - but not enough to reject the
> session.

It looks exactly like this. I can produce a similar problem if I add some garbage that looks like a CRL at the end of the file.

$ cat crl.pem
-----BEGIN X509 CRL-----
MIIDBjCB7wIBATANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMCREUxCzAJBgNV
...
8uDcjj1k9E/QrQ==
-----END X509 CRL-----
-----BEGIN X509 CRL-----
Z2FyYmFnZQo=
-----END X509 CRL-----

The "openssl crt ..." command did not complain about it, but OpenVPN logs this:

Jun 17 13:23:39 tenebris openvpn[3045757]: OpenSSL: error:0680009B:asn1 encoding routines::too long
Jun 17 13:23:39 tenebris openvpn[3045757]: OpenSSL: error:06800066:asn1 encoding routines::bad object header
Jun 17 13:23:39 tenebris openvpn[3045757]: OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error
Jun 17 13:23:39 tenebris openvpn[3045757]: OpenSSL: error:0488000D:PEM routines::ASN1 lib
Jun 17 13:23:39 tenebris openvpn[3045757]: CRL: cannot read CRL from file /etc/openvpn/server/crl.pem
Jun 17 13:23:39 tenebris openvpn[3045757]: CRL: loaded 1 CRLs from file /etc/openvpn/server/crl.pem

I was not able to reproduce your error...

> OpenSSL: error:0909006C:PEM routines:get_name:no start line

But a closer look in your crl.pem might reveal something strange. ;-)

hth,
Jonny
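
Added example (not part of the message above and not OpenVPN code): a small Python check that walks every "X509 CRL" PEM block in a file, rather than only the first, and flags blocks whose payload is not one well-framed DER SEQUENCE. The function names are hypothetical, block 1 of the sample is a constructed minimal SEQUENCE (not a real CRL), and only the outer DER framing is verified, not the CRL contents or signature.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (outer framing only)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_crl_file(text: str) -> list:
    """Return (index, status) for every X509 CRL PEM block in `text`."""
    results = []
    for i, m in enumerate(PEM_BLOCK.finditer(text), start=1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except (binascii.Error, ValueError):
            results.append((i, "bad base64"))
            continue
        results.append((i, "ok" if der_sequence_ok(der) else "bad DER"))
    return results


# Constructed sample: block 1 is a minimal DER SEQUENCE (not a real CRL),
# block 2 is the base64 of "garbage\n" as in the message above.
SAMPLE = """-----BEGIN X509 CRL-----
MAMCAQE=
-----END X509 CRL-----
-----BEGIN X509 CRL-----
Z2FyYmFnZQo=
-----END X509 CRL-----
"""

if __name__ == "__main__":
    for index, status in check_crl_file(SAMPLE):
        print(f"block {index}: {status}")
```

To check a real file, pass its contents to check_crl_file(); any block not reported as "ok" is a candidate for the trailing garbage discussed above.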