This patch fixes the bug I wrote about earlier[0] where the mbedtls version of OpenVPN might not properly reload a CRL when running in a chroot. I've submitted a somewhat hacky patch for it[1].
While looking into it further, I also noticed another unrelated problem: The mbedtls documentation states that the config struct for a mbedtls_ssl_context is not supposed to be modified after calling mbedtls_ssl_setup(). However, the config contains a pointer to the CRL, and we're currently modifying the CRL in place when we reload it. I figured that by reworking the way CRLs are handled, I could fix the CRL reloading bug in a less hacky manner and also make sure that we don't modify the configs of active mbedtls_ssl_contexts.

[0] https://sourceforge.net/p/openvpn/mailman/message/37254045/
[1] https://sourceforge.net/p/openvpn/mailman/message/37254048/

Max Fillinger (1):
  Rework mbedtls CRL handling

 src/openvpn/ssl.c                |   8 +++
 src/openvpn/ssl_mbedtls.c        | 103 ++++++++++++++++++++++++++++++++++-----
 src/openvpn/ssl_mbedtls.h        |  25 +++++++++-
 src/openvpn/ssl_verify_mbedtls.c |   2 +-
 4 files changed, 125 insertions(+), 13 deletions(-)

-- 
2.11.0

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
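The hazard the cover letter describes, in-place modification of a CRL that the configs of live contexts point at, is shown below as an added, self-contained C illustration; it is not code from the patch series or from OpenVPN or mbedtls. The `crl_t`, `root_ctx_t`, `ssl_config_t` and `ssl_context_t` structs are assumed stand-ins for mbedtls_x509_crl, OpenVPN's root TLS context, mbedtls_ssl_config and mbedtls_ssl_context, and the reference counting is one possible way to keep a superseded CRL alive for the contexts that were set up with it; the actual approach taken by the patch is not stated here.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for mbedtls_x509_crl: a list of revoked serials plus a
 * reference count so every config that points at it keeps it alive. */
typedef struct crl {
    unsigned long *revoked;
    size_t n_revoked;
    int refcount;
} crl_t;

/* Assumed stand-in for the root TLS context that owns the current CRL. */
typedef struct root_ctx {
    crl_t *crl;
} root_ctx_t;

/* Assumed stand-in for mbedtls_ssl_config: it only holds a pointer to the
 * CRL, and mbedtls forbids changing the config after mbedtls_ssl_setup(). */
typedef struct ssl_config {
    crl_t *ca_crl;
} ssl_config_t;

/* Assumed stand-in for an active mbedtls_ssl_context. */
typedef struct ssl_context {
    const ssl_config_t *conf;
} ssl_context_t;

static crl_t *crl_parse(const unsigned long *serials, size_t n)
{
    crl_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->revoked = malloc(n * sizeof *serials);
    if (!c->revoked) { free(c); return NULL; }
    memcpy(c->revoked, serials, n * sizeof *serials);
    c->n_revoked = n;
    c->refcount = 1;
    return c;
}

static void crl_unref(crl_t *c)
{
    if (c && --c->refcount == 0) { free(c->revoked); free(c); }
}

static int crl_is_revoked(const crl_t *c, unsigned long serial)
{
    for (size_t i = 0; i < c->n_revoked; i++)
        if (c->revoked[i] == serial) return 1;
    return 0;
}

/* Per-connection config setup: the config takes its own reference to
 * whatever CRL the root context holds at that moment. */
static void config_init_from_root(ssl_config_t *conf, root_ctx_t *root)
{
    conf->ca_crl = root->crl;
    conf->ca_crl->refcount++;
}

static void config_free(ssl_config_t *conf)
{
    crl_unref(conf->ca_crl);
    conf->ca_crl = NULL;
}

/* The reload style the mail flags: re-parse into the one CRL object that
 * every live config points at, so active contexts see it change. */
static int root_reload_crl_in_place(root_ctx_t *root, const unsigned long *serials, size_t n)
{
    unsigned long *fresh = malloc(n * sizeof *serials);
    if (!fresh) return -1;
    memcpy(fresh, serials, n * sizeof *serials);
    free(root->crl->revoked);          /* live configs now see a different list */
    root->crl->revoked = fresh;
    root->crl->n_revoked = n;
    return 0;
}

/* Reload by replacement: parse into a new object, give it to the root
 * context for future configs, and drop only the root's reference to the old
 * one. Configs of active contexts keep the CRL they were set up with. */
static int root_reload_crl_swap(root_ctx_t *root, const unsigned long *serials, size_t n)
{
    crl_t *fresh = crl_parse(serials, n);
    if (!fresh) return -1;
    crl_unref(root->crl);
    root->crl = fresh;
    return 0;
}

/* Scenario: one connection is set up against the first CRL, then the CRL is
 * reloaded with an extra revoked serial. Returns 1 if the active context's
 * CRL object was left untouched, 0 if it was modified underneath it, -1 on
 * allocation failure. The serials are constructed sample values. */
static int active_context_crl_untouched(int use_swap)
{
    const unsigned long before[] = { 0x1001 };
    const unsigned long after[]  = { 0x1001, 0x2002 };
    root_ctx_t root = { crl_parse(before, 1) };
    if (!root.crl) return -1;
    ssl_config_t conf;
    config_init_from_root(&conf, &root);
    ssl_context_t ctx = { &conf };                 /* mbedtls_ssl_setup() stand-in */

    if (use_swap) root_reload_crl_swap(&root, after, 2);
    else          root_reload_crl_in_place(&root, after, 2);

    /* The new serial must be visible to the root (future connections) only. */
    int untouched = !crl_is_revoked(ctx.conf->ca_crl, 0x2002)
                    && crl_is_revoked(root.crl, 0x2002);
    config_free(&conf);
    crl_unref(root.crl);
    return untouched;
}
```

With the in-place reload the function returns 0: the context's config still points at the same CRL object, whose contents have been replaced behind it. With the swap it returns 1: the root context serves the new CRL to connections set up afterwards, while the existing config keeps its reference to the old object until it is freed.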