OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: matthias.appel on February 01, 2017, 09:43:06 am

Title: [SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check
Post by: matthias.appel on February 01, 2017, 09:43:06 am
Hey guys,

first of all a big Thank you for the great work making the upgrade to 17.1 so smooth! Everything except for one little detail worked out at our end.

We use OpenVPN for remote dial in with TLS authentication along with user authentication against our AD.
To issue the client certificates, we use a built-in CA and do also maintain the certificate revocation list with these built-in tools.
After the upgrade to 17.1 the Peer CRL check performed by the OpenVPN server upon connection of a client fails, since it cannot find the CRL file at the specified location in the file system. This leads to rejection of all client certificates (also the valid ones). My current work around is to disable the Peer CRL check in order to make VPN work again. But this is only a temporary solution. Could you please have a look into this?

Best Regards,

Matthias
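The failure mode in the post above, as an added pre-flight check that is not part of the original thread and not OPNsense or OpenVPN project code: it reads an OpenVPN server config, finds the `crl-verify` directive and reports whether the referenced CRL file is actually there. A configured but missing CRL is the state that rejects every client certificate, valid ones included, while a config with no `crl-verify` at all is the temporary workaround that leaves revoked certificates accepted. The function names, the exit codes and the three constructed config files under a temporary directory are this example's own assumptions, not real OPNsense paths.

```shell
#!/bin/sh
# Added example (not OPNsense/OpenVPN code): pre-flight check for the
# "crl-verify points at a file that is no longer there" state. OpenVPN then
# cannot perform the peer CRL check and rejects all client certificates.
# Names and exit codes below are this example's own convention.

# Print the path given to the first 'crl-verify' directive in a config
# (quotes stripped), or nothing if the directive is absent. Comment lines
# do not match because the directive must start the line.
crl_path_from_config() {
    sed -n 's/^[[:space:]]*crl-verify[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# Exit status: 0 = CRL configured and readable,
#              1 = configured but missing/unreadable (all clients rejected),
#              2 = no crl-verify at all (revoked certificates still accepted).
check_crl() {
    conf="$1"
    crl=$(crl_path_from_config "$conf")
    if [ -z "$crl" ]; then
        echo "$conf: no crl-verify directive, revocation is not enforced" >&2
        return 2
    fi
    if [ ! -r "$crl" ]; then
        echo "$conf: crl-verify points at '$crl' but it is missing or unreadable;" \
             "OpenVPN will reject every client certificate" >&2
        return 1
    fi
    echo "$conf: CRL present at $crl"
    return 0
}

# --- Constructed demo data: temporary files, removed when the script exits ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN X509 CRL-----' 'placeholder' '-----END X509 CRL-----' \
    > "$demo_dir/crl.pem"

# Config 1: the CRL path exists.
cat > "$demo_dir/server-ok.conf" <<EOF
dev tun
ca $demo_dir/ca.crt
crl-verify "$demo_dir/crl.pem"
EOF

# Config 2: the directive survived, the file behind it did not (post-upgrade state).
cat > "$demo_dir/server-broken.conf" <<EOF
dev tun
ca $demo_dir/ca.crt
# crl-verify in a comment line must be ignored
crl-verify $demo_dir/does-not-exist.pem
EOF

# Config 3: peer CRL check disabled (the workaround from the thread).
cat > "$demo_dir/server-nocrl.conf" <<EOF
dev tun
ca $demo_dir/ca.crt
EOF

for c in server-ok server-broken server-nocrl; do
    check_crl "$demo_dir/$c.conf" || true
done
```

Run it against the real server config (on OPNsense the generated OpenVPN configs live under /var/etc, path assumed here) before restarting the service or from a monitoring job; a non-zero exit is the signal to fix the CRL export rather than to disable the check. When `openssl` is available, `openssl crl -in <crl> -CAfile <ca> -noout` is the natural next step to confirm the present file is also a CRL signed by the right CA.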
Title: Re: Upgrade to 17.1 breaks OpenVPN Peer CRL check
Post by: franco on February 06, 2017, 08:42:17 am
Hi Matthias,

I'm going to look into it this week. I suspect the custom PHP CRL patches that never got picked up by upstream do not work correctly on 7.0.

Last time I checked, there is no authority for these patches, so we need to debug this ourselves. :/


Cheers,
Franco
Title: Re: Upgrade to 17.1 breaks OpenVPN Peer CRL check
Post by: franco on February 06, 2017, 05:56:16 pm
I found it... https://github.com/opnsense/ports/commit/0eb5e274673

I'm trading test packages for Crypto/architecture combos (OpenSSL/amd64) -- need both to build the proper package for your installation.


Cheers,
Franco
Title: Re: Upgrade to 17.1 breaks OpenVPN Peer CRL check
Post by: matthias.appel on February 09, 2017, 06:24:32 pm
Hi Franco,

Thank you very much for your support!

I just updated to 17.1.1 and the OpenVPN Peer CRL check works again.

Please keep up this excellent work :)

Cheers,
Matthias
Title: Re: [SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check
Post by: franco on February 09, 2017, 07:55:44 pm
Hi Matthias,

Thanks for the feedback! :)


Cheers,
Franco