Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
[SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check (Read 5498 times)
matthias.appel
Newbie
Posts: 3
Karma: 1
[SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check
«
on:
February 01, 2017, 09:43:06 am »
Hey guys,
first of all a big Thank you for the great work making the upgrade to 17.1 so smooth! Everything except for one little detail worked out at our end.
We use OpenVPN for remote dial in with TLS authentication along with user authentication against our AD.
To issue the client certificates, we use a built-in CA and do also maintain the certificate revocation list with this built-in tools.
After the upgrade to 17.1 the Peer CRL check performed by the OpenVPN server upon connection of a client fails, since it cannot find the CRL file at the specified location in the file system. This leads to rejection of all client certificates (also the valid ones). My current work around is to disable the Peer CRL check ind order to make VPN work again. But this is only a temporary solution. Could you please have a look into this?
Best Regards,
Matthias
«
Last Edit: February 09, 2017, 07:55:17 pm by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Upgrade to 17.1 breaks OpenVPN Peer CRL check
«
Reply #1 on:
February 06, 2017, 08:42:17 am »
Hi Matthias,
I'm going to look into it this week. I suspect the custom PHP CRL patches that never got picked up by upstream do not work correctly on 7.0.
Last time I checked, there is no authority for these patches, so we need to debug this ourselves. :/
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Upgrade to 17.1 breaks OpenVPN Peer CRL check
«
Reply #2 on:
February 06, 2017, 05:56:16 pm »
I found it...
https://github.com/opnsense/ports/commit/0eb5e274673
I'm trading test packages for Crypto/architecture combos (OpenSSL/amd64) -- need both to build the proper package for your installation.
Cheers,
Franci
Logged
matthias.appel
Newbie
Posts: 3
Karma: 1
Re: Upgrade to 17.1 breaks OpenVPN Peer CRL check
«
Reply #3 on:
February 09, 2017, 06:24:32 pm »
Hi Franco,
Thank you very much for your support!
I just updated to 17.1.1 and the OpenVPN Peer CRL check works again.
Please keep up this excellent work
Cheers,
Matthias
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: [SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check
«
Reply #4 on:
February 09, 2017, 07:55:44 pm »
Hi Matthias,
Thanks for the feedback!
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
[SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check