Re: [Openvpn-users] OpenVPN with intermediate CA

2013-07-02 Thread Jan Just Keijser
Hi Sarah,

Sarah Belghiti wrote:
> Ok thx a lot ! I wanted to be sure because i'm in internship and I 
> didn't want to disturb the admin system for nothing !!
>
> One last question: the option crl-verify is not necessary in this case?
>
nope, you cannot even use it in this case


JJK

>
>
> 2013/7/2 Jan Just Keijser <janj...@nikhef.nl>
>
> Hi,
>
>
> Sarah Belghiti wrote:
>
> Hi,
> Thanks for your help.
> I do need multiple CAs and multiple CRLs.
> Using the --capath option means replacing "ca ca.crt" with "capath
> /path/to/a/directory" in the server conf file?
>
> yes you'd use
>  capath /full/path/to/dir
>
> and in that directory you'll need to create hashed versions of the
> certificate and CRLs used; the .crt files should be renamed to
> <hash>.0 and the .crl files to <hash>.r0
> where <hash> is the output of
>  openssl x509 -hash -noout -in ca.crt
>
> HTH,
>
> JJK
>
>
>
> 2013/7/1 Jan Just Keijser
>
>
> Hi Sarah,
>
>
> Sarah Belghiti wrote:
>
> Hi,
>
> I'm trying to test OpenVPN with several CRLs.
> There are two intermediate CAs and a root CA.
> The two intermediate CAs have revoked two certificates.
> So I have two CRLs.
> I've tried stacking the two CRLs in one (cat CRL-1.list
> CRL-2.list > CRL.pem) and adding --crl-verify crl.pem, but it
> does not work and only one of the two revoked certificates is
> unable to connect to the VPN.
>
> Then I saw this message:
>
> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17643.html
> which seems to be the solution to my problem.
>
> Before testing it I wonder if adding --crl-verify is
> necessary ?
>
> Stacking CRLs currently does not work with OpenVPN. A minor code
> change would be needed for the OpenSSL backend.
> You would need CRLs only if you are actively revoking user
> certificates - otherwise not.
> If you really need multiple CAs and multiple CRLs then use the
> --capath option.
>
>
>
>


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN with intermediate CA

2013-07-02 Thread Jan Just Keijser
Gert Doering wrote:
> Hi,
>
> On Mon, Jul 01, 2013 at 05:39:26PM -0700, Jan Just Keijser wrote:
>   
>> and in that directory you'll need to create hashed versions of the
>> certificate and CRLs used; the .crt files should be renamed to <hash>.0
>> and the .crl files to <hash>.r0
>> where <hash> is the output of
>>   openssl x509 -hash -noout -in ca.crt
>> 
>
> Out of curiosity, as I've seen this mentioned a few times but never read
> a reason for the hash-thing - how does openvpn (or apache, etc.) know the
> hash for the CRL file to look for, when it hasn't seen the CRL yet?
>   

it's the hash of the CA certificate, not the CRL itself; so if your CA 
certificate has a hash of 16da7552, then the CA cert in the --capath 
should be named 16da7552.0 and the corresponding CRL 16da7552.r0 ; if 
the .r0 file is not present openssl (and I presume PolarSSL) simply 
assume that no CRL is present.

JJK

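As an added example (not from the thread, and not OpenVPN's or OpenSSL's own tooling), here is a POSIX shell script that files CA certificates and CRLs into a --capath directory under the names JJK describes: <hash>.0 for a CA certificate and <hash>.r0 for its CRL, with <hash> taken from `openssl x509 -hash` for the certificate and from `openssl crl -hash` (the issuer hash) for the CRL. It goes a little beyond the thread in two ways: a second, different file with the same hash gets the next slot (.1 / .r1, which is also what OpenSSL's c_rehash does), and a `check_capath` function reports the two silent failure modes that follow from the lookup scheme, a CA with no .r0 (no revocation checking for that CA) and a CRL whose issuing CA is not in the directory (never consulted). The function names, the directory layout and the command-line usage are this example's own.

```shell
#!/bin/sh
# Build an OpenVPN --capath directory: CA certificates become <hash>.0 and
# CRLs become <hash>.r0, where <hash> is the subject-name hash of the CA
# (openssl x509 -hash). A CRL is filed under the hash of its *issuer*
# (openssl crl -hash), so it lands next to the CA that signed it. A second,
# different file with the same hash gets .1 / .r1, and so on (c_rehash scheme).
set -eu

# install_one DST KIND SRC  (KIND is "cert" or "crl"): copy SRC into DST under
# its hashed name and print that name. Re-running on a byte-identical file
# keeps the existing slot instead of adding a duplicate.
install_one() {
    dst=$1; kind=$2; src=$3
    if [ "$kind" = cert ]; then
        hash=$(openssl x509 -hash -noout -in "$src"); suffix=
    else
        hash=$(openssl crl -hash -noout -in "$src"); suffix=r
    fi
    i=0
    while [ -e "$dst/$hash.$suffix$i" ]; do
        if cmp -s "$src" "$dst/$hash.$suffix$i"; then
            echo "$hash.$suffix$i"      # already installed, identical file
            return 0
        fi
        i=$((i + 1))                    # same hash, different file: next slot
    done
    cp "$src" "$dst/$hash.$suffix$i"
    echo "$hash.$suffix$i"
}

# check_capath DST: print one line per inconsistency, return 1 if any found.
# A CA without <hash>.r0 gets no revocation checking at all (a missing .r0 is
# read as "no CRL"), and a CRL without a matching <hash>.0 is never consulted,
# because the lookup starts from the CA's hash, not the CRL's.
check_capath() {
    dst=$1; bad=0
    for ca in "$dst"/*.[0-9]*; do
        [ -e "$ca" ] || continue        # empty directory: glob did not expand
        h=${ca##*/}; h=${h%%.*}
        [ -e "$dst/$h.r0" ] || { echo "CA $h: no CRL ($h.r0 missing), revocation not checked"; bad=1; }
    done
    for crl in "$dst"/*.r[0-9]*; do
        [ -e "$crl" ] || continue
        h=${crl##*/}; h=${h%%.*}
        [ -e "$dst/$h.0" ] || { echo "CRL $h: issuing CA $h.0 is not in the directory"; bad=1; }
    done
    return $bad
}

# main DST FILE...: file every FILE as a CRL or a CA certificate (whichever
# openssl parses it as), then run the consistency check.
main() {
    [ $# -ge 2 ] || { echo "usage: $0 CAPATH_DIR FILE..." >&2; return 2; }
    dst=$1; shift
    mkdir -p "$dst"
    for f in "$@"; do
        if openssl crl -noout -in "$f" 2>/dev/null; then kind=crl; else kind=cert; fi
        printf '%s -> %s\n' "$f" "$(install_one "$dst" "$kind" "$f")"
    done
    check_capath "$dst"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh build_capath.sh /etc/openvpn/capath root.crt inter1.crt inter2.crt inter1.crl inter2.crl` (path and file names assumed for illustration), then point the server at `capath /etc/openvpn/capath`. Files are copied rather than symlinked so the directory stays self-contained; re-run the script whenever a CRL is refreshed, and treat any `check_capath` output as a configuration error rather than a warning, since the failure it describes is silent at connection time.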



Re: [Openvpn-users] OpenVPN with intermediate CA

2013-07-02 Thread Jason Haar
On 02/07/13 20:07, Gert Doering wrote:
> Out of curiosity, as I've seen this mentioned a few times but never
> read a reason for the hash-thing - how does openvpn (or apache, etc.)
> know the hash for the CRL file to look for, when it hasn't seen the
> CRL yet?
>
> gert

All CRL support requires your servers to download the CRL via some
schedule. Most parse the CA or server cert (which should contain either
LDAP or HTTP urls to the CRL files) and download the CRL file at some
interval < the lifetime of the CRL. *Then* you'd hash it, etc.

We have openvpn and client-cert protected web servers all over the
place, all downloading CRL files every hour from the CA. The CA itself
re-makes the CRL every hour, but with a 24 hour lifespan, which means we
can take several hours of outages on any CRL component before our
servers start rejecting valid connections... (you gotta think that part
through - otherwise you will get burnt)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1






Re: [Openvpn-users] OpenVPN with intermediate CA

2013-07-02 Thread Gert Doering
Hi,

On Mon, Jul 01, 2013 at 05:39:26PM -0700, Jan Just Keijser wrote:
> and in that directory you'll need to create hashed versions of the 
> certificate and CRL's used; the .crt files should be renamed to .0 
> and the .crl files to .r0
> where  is the output of
>   openssl x509 -hash -noout -in ca.crt

Out of curiosity, as I've seen this mentioned a few times but never read
a reason for the hash-thing - how does openvpn (or apache, etc.) know the
hash for the CRL file to look for, when it hasn't seen the CRL yet?

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

